Uncovering the Exchange 2007 Edge Transport Server (Part 3)



If you would like to read the other parts in this article series please go to:

Uncovering the Exchange 2007 Edge Transport Server (Part 1)

Introduction

In part 2 of this article series, we went through the steps necessary in order to deploy a basic Edge Transport server in your organization. In part 3, we will go through the steps required in order to subscribe the Edge Transport server to an Exchange Server 2007 based messaging infrastructure.

As you learned in part 1 of this article series, an Edge Transport server should not be part of the corporate Active Directory infrastructure, but should instead be installed on a stand-alone server in a workgroup, or as a domain member in an Active Directory forest dedicated to the set of servers located in the perimeter network. This makes it easier to roll out updates and to monitor the servers using solutions such as System Center Operations Manager 2007 (SCOM 2007), and it simplifies overall management and administration.

Now that we have an Edge Transport server deployed in our perimeter network, we can create the so-called Edge Subscription, so that Active Directory data such as Accepted Domains, Recipients, Safe Sender lists and Send Connectors can be replicated from the corporate Active Directory forest to the ADAM instance that is created on the Edge Transport server. Part 1 uncovers the inner details of how an Edge Subscription works, so if you have not read that article, or perhaps need a refresher, I suggest you do so before continuing with this one.

Creating the Edge Subscription XML File

The very first step in getting an Edge Subscription up and running is to generate the Edge Subscription XML file on the Edge Transport server.

Note:
Although the recommended method for establishing end-to-end mail flow between the Edge Transport server(s) and the Hub Transport servers within the Exchange organization is to create an Edge Subscription for the Edge Transport server, you can also do so by manually creating and configuring the Send connectors that the EdgeSync service would otherwise create automatically. Although this will establish working end-to-end mail flow between the Edge Transport server(s) and the Hub Transport server(s), bear in mind that you cannot make use of the recipient lookup feature or safe list aggregation, as these features require that the Edge Transport server has a subscription to the organization. In addition, management of the Edge Transport server(s) will be more time-consuming.

In order to generate the Edge Subscription file, we need to use the New-EdgeSubscription CMDlet (no GUI exists for this step!). To do so, open the Exchange Management Shell (EMS) on the Edge Transport server itself, then type:

New-EdgeSubscription -FileName "C:\EdgeSubscriptionFile.xml" (or whatever you want to name the file, as the name of the file doesn't have any impact on anything), then hit Enter as shown in Figure 1.


Figure 1:
Creating a New Edge Subscription File

Note:
When you run the New-EdgeSubscription CMDlet, an ADAM account is created as well. This account is used to secure Lightweight Directory Access Protocol (LDAP) communications during data transfer. The credentials for the account are also retrieved when running the CMDlet.

As you can see from the figure, you now need to confirm that you really want to create an Edge Subscription, as this process makes certain configuration changes to the Edge Transport server so that it is ready to be managed via the EdgeSync service. As this is exactly what we want to do, type "Y" then hit Enter.

Warning
Any Accepted Domains, Message Classifications, Remote Domains, and Send Connectors will be overwritten when you make a new Edge Subscription file. Also bear in mind that the Internal SMTP Servers list (a list of all internal SMTP server IP addresses or IP address ranges that should be ignored by the Sender ID and Connection Filtering agents) of the TransportConfig object will be overwritten during the synchronization process. In addition, the Management Shell tasks that manage these types of objects will be locked out on the Edge Transport server, which means you need to manage those objects from within the organization and then have the EdgeSync service update the Edge Transport server. When running the New-EdgeSubscription CMDlet on a newly installed Edge Transport server, this information can be ignored, since you haven't configured anything manually on the server yet.

Since the XML file, which as you can see in Figure 2 we saved in the root of the C: drive, needs to be imported on a Hub Transport server, we need to transfer the file to a Hub Transport server in the Exchange 2007 organization. You could do so by copying the file to a floppy disk, or, perhaps even smarter, by making use of the Disk drives feature in a Remote Desktop Connection client (if you have enabled Remote Desktop on the Edge Transport server and have TCP port 3389 open in the firewall between the perimeter network and the internal network).


Figure 2: Edge Subscription XML File

Importing the Edge Subscription XML File

When the file has been transferred to a Hub Transport server in the AD site from which you want to establish replication to the Edge Transport server, you need to import it by opening the Exchange Management Console (EMC), expanding the Organization Configuration node and then selecting Hub Transport.

Note:
In order to import the Edge Subscription file on a Hub Transport server, you must log on with an account that is a local Administrator on the respective Hub Transport server and is also a member of the Exchange Organization Administrators group.

Now click on the Edge Subscriptions tab (see Figure 3).


Figure 3: Edge Subscriptions Tab on the Hub Transport Server

Since we have to create a new Edge Subscription based on the XML file we generated in the previous step, click New Edge Subscription in the Action pane (or, if you prefer, right-click somewhere in the Work pane and select New Edge Subscription in the context menu).


Importing the Edge Subscription file will establish an authenticated communication channel and complete the Edge Subscription process by beginning an initial replication. The Send connector used when messages are sent to the Internet via the Edge Transport server is created by default. In addition, the EdgeSync service will replicate Send Connector configuration, Accepted Domains, Remote Domains and Safe Sender lists, as well as Recipient data (SMTP addresses, including Contacts, Distribution Lists and proxy addresses), from Active Directory to the ADAM store.

We will now be taken to the New Edge Subscription Wizard, where we have to specify the Active Directory site in which the Edge Transport server will become a member. If you only have one site select Default-First-Site-Name. If your Exchange organization is deployed across multiple sites, click the drop-down list and choose the respective site.

If your Active Directory topology consists of multiple Active Directory sites, it is recommended that you import the Edge Subscription file on a Hub Transport server located in the site that has the best network connectivity to the perimeter network in which the Edge Transport server is deployed.

Now specify the location of the Edge Subscription file by clicking Browse, and then click New (Figure 4).


Figure 4: Creating a New Edge Subscription

Wait for the New Edge Subscription Wizard to complete, then click Finish.

Note:
If you are a PowerShell fanatic, you can of course also import the Edge Subscription file using the Exchange Management Shell (EMS). This is done with the New-EdgeSubscription -FileName:"C:\EdgeSubscriptionFile.xml" -Site:"Default-First-Site-Name" CMDlet.

When the Edge Subscription file has been imported, it is good security practice to delete it, even though it expires 24 hours after it was generated.

Now that we have created an Edge Subscription, the EdgeSync service on the Hub Transport server will synchronize configuration data every hour and recipient data every fourth hour to the Edge Transport server.

If you do not want to wait for four hours before the replication occurs, you can force the EdgeSync synchronization manually. In order to do so open the Exchange Management Shell (EMS) on a Hub Transport server, then type Start-EdgeSynchronization as shown in Figure 5.


Figure 5: Manually Starting the Edge Synchronization

Forcing a synchronization using the Start-EdgeSynchronization CMDlet is also a good idea if you have made bulk changes in Active Directory (perhaps added 50 new mail-enabled or mailbox-enabled users), so that these changes are replicated immediately.

When the EdgeSync service synchronizes data from Active Directory to the ADAM store on the Edge Transport server, the data is sent hashed in order to protect it. In addition, the LDAP connection is secured by the ADAM credentials stored in the Edge Subscription file. Last but not least, all recipient and Safe Sender list data stored in ADAM is hashed.
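The Hub Transport side of the procedure above (import the file, delete it, force the first synchronization and check the result), as an added PowerShell example written for this article rather than code from the original; the file path and site name are the article's placeholders, and the Test-EdgeSynchronization property names selected at the end are assumed from the Exchange 2007 SP1 output.

```powershell
# Added example (not from the article): subscribe an Edge Transport server from a
# Hub Transport server in one go. Run in the Exchange Management Shell on the Hub.
param(
    [string]$FileName = "C:\EdgeSubscriptionFile.xml",   # placeholder from the article
    [string]$Site     = "Default-First-Site-Name"         # placeholder from the article
)

if (-not (Test-Path -Path $FileName)) {
    throw "Edge Subscription file '$FileName' not found. Copy it from the Edge Transport server first."
}

# The file is only valid for 24 hours after New-EdgeSubscription generated it on
# the Edge Transport server. This check assumes the copy preserved LastWriteTime.
$age = (Get-Date) - (Get-Item -Path $FileName).LastWriteTime
if ($age.TotalHours -gt 24) {
    throw "Edge Subscription file is $([int]$age.TotalHours) hours old and has expired; generate a new one on the Edge Transport server."
}

# Import the file: creates the Edge Subscription in Active Directory, the
# authenticated channel to the Edge server and the default Send connector.
New-EdgeSubscription -FileName $FileName -Site $Site

# The file carries the ADAM credentials that secure the LDAP channel, so remove
# it as soon as the subscription exists instead of waiting for it to expire.
Remove-Item -Path $FileName -Force

# Do not wait for the hourly / four-hourly schedule; replicate now.
Start-EdgeSynchronization

# Report per-Edge-server status. SyncStatus reads "Normal" when everything is in
# sync; FailureDetail explains anything else. (Property names assumed, see lead-in.)
Test-EdgeSynchronization | Select-Object Name, SyncStatus, LastSynchronizedUtc, FailureDetail
```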

Verifying the EdgeSync Service Works as Expected

In order to see whether the Hub Transport server configuration data has propagated properly to the Edge Transport server, you should verify that a Send Connector has been created on the server. You do so by performing the following steps:

  1. Log on to the Edge Transport server.
  2. Open the Exchange Management Console.
  3. Click the Edge Transport node in the navigation tree in the left pane.
  4. Now click the Send Connectors tab in the Work pane (see Figure 6).


Figure 6:
Send Connector on the Edge Transport Server

  5. Verify that a Send Connector has been created. Also make sure that each domain listed under the Accepted Domains tab on the Hub Transport server is listed when you type Get-AcceptedDomain in the Exchange Management Shell on the Edge Transport server. You should get a list similar to the one shown in Figure 7.


Figure 7: Listing the Accepted Domain

Note:
You can also use the Test-EdgeSynchronization CMDlet for additional testing purposes.
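The verification steps above, scripted for the Edge Transport server as an added example (not code from the article): it checks that a Send connector exists and that the Accepted Domains in ADAM match the list from the Hub Transport side. The $ExpectedDomains default is a constructed sample; replace it with the DomainName values that Get-AcceptedDomain returns on a Hub Transport server.

```powershell
# Added example (not from the article): run in the Exchange Management Shell on
# the Edge Transport server after the first EdgeSync run has completed.
param(
    # Constructed sample; feed in the Hub Transport server's Get-AcceptedDomain output.
    [string[]]$ExpectedDomains = @("contoso.com", "mail.contoso.com")
)

$problems = @()

# 1. EdgeSync creates the Internet Send connector on subscription; none means
#    connector configuration has not replicated yet.
$sendConnectors = @(Get-SendConnector)
if ($sendConnectors.Count -eq 0) {
    $problems += "No Send connector found; EdgeSync has not replicated connector configuration."
}

# 2. Every Accepted Domain on the Hub Transport side must exist in ADAM here.
$expected     = @($ExpectedDomains | ForEach-Object { $_.ToLower() })
$localDomains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })
foreach ($domain in $expected) {
    if ($localDomains -notcontains $domain) {
        $problems += "Accepted Domain '$domain' is missing on the Edge Transport server."
    }
}

# 3. A domain present in ADAM but unknown to the Hub indicates a stale store or
#    a domain that was configured locally before the subscription overwrote it.
foreach ($domain in $localDomains) {
    if ($expected -notcontains $domain) {
        $problems += "Accepted Domain '$domain' exists in ADAM but not on the Hub Transport side."
    }
}

if ($problems.Count -eq 0) {
    Write-Host ("EdgeSync verification passed: {0} Send connector(s), {1} Accepted Domain(s)." -f `
        $sendConnectors.Count, $localDomains.Count) -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```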

If everything is as expected, you now have a subscribed, working Edge Transport server in your perimeter network - congratulations!

Summary

In this part 3 of the series uncovering the Edge Transport server role in Exchange Server 2007, we took a ride through the steps necessary to subscribe an Edge Transport server to an Active Directory site in the corporate Active Directory forest on the internal network. In the next part we will take a close look at the anti-spam filtering agents included with this Exchange 2007 server role.

Henrik Walther