Note: This article was originally published in 2012. Some steps, commands, or software versions may have changed. Check the current Exchange documentation for the latest information.
Introduction
The Exchange 2010 Edge Transport server role acts as a secure SMTP gateway that sits in your organization’s perimeter network (DMZ). When combined with Microsoft Threat Management Gateway (TMG), the Edge server provides anti-spam filtering, antivirus scanning, and transport rule enforcement before messages ever reach your internal Exchange infrastructure.
This guide walks through the full process of deploying an Exchange 2010 Edge Transport server in a DMZ behind TMG, creating the Edge Subscription, synchronizing with your Hub Transport server, and verifying mail flow.
Prerequisites
Before you begin the installation, ensure the following requirements are met:
- Operating System: Windows Server 2008 R2 SP1 (64-bit) or later.
- Active Directory: The Edge server is NOT joined to the internal Active Directory domain. It operates as a standalone workgroup member.
- DNS Suffix: Because the Edge server sits in the DMZ, you must manually configure the primary DNS suffix to match your internal domain (for example, target.local). This is configured under System Properties > Computer Name > Change > More.
- Name Resolution: The Edge server must be able to resolve the FQDN of your Hub Transport server(s), and vice versa. Use a hosts file or a DNS forwarder if needed.
- Network Access: Ensure the firewall permits the necessary ports (detailed below).
Network Architecture Overview
The Edge Transport server should be the only Exchange role placed in the DMZ. A typical deployment looks like this:
Internet --> TMG Firewall --> Edge Transport (DMZ) --> Internal Firewall --> Hub Transport (LAN)
TMG handles inbound SMTP publishing (port 25) from the internet to the Edge server, while the internal firewall permits SMTP (port 25) and EdgeSync (port 50636) traffic between the Edge and Hub Transport servers.
Step 1 - Install Prerequisites on the Edge Server
The Exchange 2010 SP1 ISO includes an XML file that automates the installation of all required Windows features. Open PowerShell as an administrator and run the following command:
ServerManagerCmd -ip <path_to_ISO>\Scripts\Exchange-EdgeTransport.xml
Alternatively, on newer systems you can install the prerequisites manually:
Import-Module ServerManager
Add-WindowsFeature NET-Framework, ADLDS
After the prerequisites are installed, reboot the server before proceeding.
Step 2 - Configure the DNS Suffix
Since the Edge server is not domain-joined, you need to add the internal domain DNS suffix manually:
- Open System Properties (right-click Computer > Properties > Advanced system settings).
- On the Computer Name tab, click Change, then More.
- Enter your internal domain suffix (e.g., target.local) in the Primary DNS suffix field.
- Click OK and reboot the server.
This step is critical because EdgeSync relies on proper DNS resolution between the Edge and Hub Transport servers.
Step 3 - Install the Edge Transport Role
- Mount the Exchange 2010 SP1 ISO on the Edge server.
- Right-click Setup.com and select Run as administrator.
- In the Exchange Setup wizard, select only the Edge Transport Role.
- Follow the on-screen prompts and wait for the installation to complete.
- Apply any Exchange 2010 Update Rollups that are current for your environment.
Step 4 - Create the Edge Subscription File
Once installation is complete, open the Exchange Management Shell (EMS) as administrator on the Edge server and run:
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"
This command generates an XML file containing the Edge server’s credentials and configuration data. You have 1440 minutes (24 hours) to import this file on the Hub Transport server before the bootstrap token expires.
Copy the generated EdgeSubscription.xml file to the Hub Transport server using a secure method (USB drive, secure file share, etc.).
Step 5 - Import the Subscription on the Hub Transport Server
On the Hub Transport server (or a multi-role server with the Hub Transport role):
- Open the Exchange Management Console (EMC).
- Navigate to Organization Configuration > Hub Transport > Edge Subscriptions.
- In the Actions pane, click New Edge Subscription.
- Select the Active Directory site for the subscription.
- Browse to the EdgeSubscription.xml file you copied from the Edge server.
- Optionally check Automatically create a Send connector for this Edge Subscription.
- Click New and then Finish.
Alternatively, use the Exchange Management Shell:
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"
Step 6 - Start EdgeSync
After the subscription is created, manually initiate the first synchronization from the Hub Transport server:
Start-EdgeSynchronization
You can verify the synchronization status with:
Test-EdgeSynchronization
A successful sync will replicate accepted domains, recipient data, Safe Senders lists, Send connectors, and transport rules to the Edge server.
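The import, first synchronization and verification from Steps 5 and 6 as one Hub-side script. This is an added example, not code from the original article; the Edge server name, AD site and file path are assumed values, and it runs in the Exchange Management Shell on the Hub Transport server.

```powershell
# Assumed values: adjust for your environment.
$SubscriptionFile = "C:\EdgeSubscription.xml"
$AdSite           = "Default-First-Site-Name"
$EdgeServer       = "EDGE01"   # assumed Edge Transport server name

# Read the subscription file as raw bytes (works on PowerShell 2.0) and import it.
# The two connector switches create the Send connectors so mail routes via the Edge server.
$bytes = [System.IO.File]::ReadAllBytes($SubscriptionFile)
New-EdgeSubscription -FileData $bytes -Site $AdSite `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# Trigger the first synchronization and force a full replication to the Edge server.
Start-EdgeSynchronization -TargetServer $EdgeServer -ForceFullSync | Out-Null

# Poll Test-EdgeSynchronization until the subscription reports SyncStatus = Normal,
# or give up after the timeout so a blocked port 50636 or bad DNS is noticed quickly.
function Wait-EdgeSyncHealthy {
    param([string]$Edge, [int]$TimeoutSeconds = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $status = Test-EdgeSynchronization | Where-Object { $_.Name -eq $Edge }
        if ($status -and $status.SyncStatus -eq "Normal") { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (Wait-EdgeSyncHealthy -Edge $EdgeServer) {
    Write-Host "EdgeSync to $EdgeServer is healthy."
} else {
    Write-Warning "EdgeSync to $EdgeServer did not reach Normal; check port 50636 and DNS."
    Test-EdgeSynchronization | Format-List Name, SyncStatus, LeaseHolder, FailureDetail
}
```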
Firewall Port Requirements
The following ports must be open through your internal firewall for Edge Transport to function:
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 25 | TCP | Hub <-> Edge (bidirectional) | SMTP mail flow |
| 50636 | TCP | Hub -> Edge | EdgeSync (secure LDAP) |
| 50389 | TCP | Hub -> Edge | AD LDS (non-SSL LDAP, diagnostic) |
If TMG is your perimeter firewall, you also need to publish port 25 from the internet to the Edge server for inbound mail delivery.
Troubleshooting Tips
- EdgeSync fails: Verify that port 50636 is open from the Hub Transport server to the Edge server. Check the EdgeSync logs in C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\EdgeSync\.
- Mail queues building up: Run Get-Queue on the Edge server to identify stuck messages. Check the LastError field for DNS or connectivity issues.
- DNS resolution problems: Run nslookup <HubServerFQDN> from the Edge server and vice versa. Both servers must resolve each other's FQDN.
- Subscription expired: If the 24-hour window has passed, delete the old subscription with Remove-EdgeSubscription and create a new one.
- Send connector missing: If you did not check the auto-create option during subscription import, manually create a Send connector that routes through the Edge server.
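A diagnostic script that covers the DNS, port and queue checks listed above in one pass. It is an added example, not from the original article; the peer FQDN is an assumed value, and it needs only PowerShell 2.0 plus the Exchange Management Shell for the queue step.

```powershell
# Run on the Hub Transport server with $Peer set to the Edge FQDN (ports 25 and 50636),
# or on the Edge server with $Peer set to the Hub FQDN (port 25 only; EdgeSync is Hub -> Edge).
$Peer  = "edge01.target.local"   # assumed example name
$Ports = @(25, 50636)

# 1. Name resolution: both servers must resolve each other's FQDN.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($Peer) | ForEach-Object { $_.IPAddressToString }
    Write-Host "$Peer resolves to: $($ips -join ', ')"
} catch {
    Write-Warning "$Peer does not resolve; fix DNS (hosts file or forwarder) before going further."
}

# 2. TCP reachability with a short timeout (no Test-NetConnection on Windows Server 2008 R2).
function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        # WaitOne returns $false when the connect attempt has not completed in time.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
foreach ($p in $Ports) {
    $state = if (Test-TcpPort -TargetHost $Peer -Port $p) { "open" } else { "BLOCKED" }
    Write-Host ("TCP {0,-6} -> {1}: {2}" -f $p, $Peer, $state)
}

# 3. Queue health on this transport server: non-empty queues and their last error.
Get-Queue | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, Status, MessageCount, NextHopDomain, LastError -AutoSize
```

A queue whose LastError mentions DNS or a connection failure, combined with a BLOCKED port above, points at the firewall rather than at Exchange itself.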
Summary
Deploying the Exchange 2010 Edge Transport role in a DMZ behind TMG provides a robust layer of message hygiene and security for your organization’s email infrastructure. The key steps involve installing prerequisites, configuring DNS suffixes, installing the Edge role, creating and importing the Edge Subscription file, and starting EdgeSync. Always ensure that proper DNS resolution and firewall rules are in place before troubleshooting mail flow issues.