What is Edge Transport Server?
In this blog we will discuss what the Edge Transport Server role is, how the Edge Transport server communicates with Active Directory, whether an Edge server is required in your Exchange organization, and the prerequisites for installing the Edge Transport server.
Watch video
Join us on our YouTube channel and watch What is Edge Transport Server to learn the ins and outs of the Edge server in an Exchange organization.
What is Edge Transport Server role
In an on-premises Exchange 2016 or 2019 organization where the Edge Transport server is not deployed, all external inbound and outbound email flow is handled by the Mailbox server.
When users send email to the Internet, the Mailbox server connects to each recipient's email server over port 25, and whenever an external user sends email to an on-premises user, the sender's email server connects to the on-premises Mailbox server. This means the on-premises Mailbox server has to be exposed to the Internet, because it has to communicate with external email servers in order to send and receive email.
Exchange Server stores users' email, address books and calendars. It stores hundreds or thousands of mailboxes and public folders, and some of that data may be confidential. Exposing the Mailbox server to the Internet therefore creates a security risk.
This is where the Edge Transport Server role comes into the picture.
The Edge Transport server is always deployed in a perimeter network, and the machine on which it is installed is never joined to the Active Directory forest.
When the Edge Transport server role is deployed, all external inbound and outbound email flow is handled by the Edge Transport server.
So even though this server is exposed to the Internet, the security risk to your on-premises infrastructure is reduced, because the Edge server is never part of the domain network.
Email Flow in Edge Transport Server
How inbound email flow works in Edge Transport Server
- When an external user sends email to one of your on-premises Exchange users, the email is received by the Default Receive Connector, which runs in the Transport service of the Edge Transport server.
- The email is then sent to the Mailbox server using the Send connector of the Edge Transport server. The name of this connector is EdgeSync – Inbound to <Active Directory Site Name>.
- On the Mailbox server, the email is received by the Default Front End Connector, which runs in the Front End Transport service of the Mailbox server.
- The email is then sent to the Transport service on the Mailbox server.
- From the Transport service the email is sent to the Mailbox Transport Delivery service.
- Finally the email is delivered to the mailbox database.
How outbound email flow works in Edge Transport Server
- If an on-premises user sends an email to the Internet, the Mailbox Transport Submission service picks up the email from the mailbox database.
- Using SMTP, the Mailbox Transport Submission service sends the email to the Transport service on the Mailbox server.
- In the Transport service, the default Receive connector named Default <Mailbox server name> receives the email.
- The email is then sent to the Edge Transport server using the intra-organization Send connector. This connector automatically sends email between Exchange servers in the same organization.
- In the Transport service on the Edge Transport server, the default Receive connector named Default internal Receive connector accepts the email.
- The email is then sent to the Internet using the Edge Sync to Internet connector, which runs in the Transport service of the Edge Transport server.
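As an added example (not part of the original post), the following Exchange Management Shell commands list the connectors named in the two flows above and then follow one message through them with message tracking. The server name EDGE01 and the Message-ID are placeholders; the connector names are the ones the text describes.

```powershell
# Added example: verify the connectors that carry Internet mail in both directions
# and trace one message through them. Server name and Message-ID are placeholders.

# --- On the Edge Transport server (EDGE01) ---
# "Default internal Receive connector" accepts mail from the Mailbox servers;
# the Internet-facing "Default connection" one is bound to the external interface.
Get-ReceiveConnector -Server EDGE01 |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize

# Send connectors created by the Edge Subscription:
#   "EdgeSync - Inbound to <Site>"      delivers inbound mail to the Mailbox servers
#   "EdgeSync - <Site> to Internet"     delivers outbound mail to the Internet
Get-SendConnector |
    Where-Object { $_.Name -like 'EdgeSync*' } |
    Format-Table Name, AddressSpaces, SmartHosts, DNSRoutingEnabled -AutoSize

# --- On a Mailbox server ---
# The intra-organization Send connector is implicit and never listed by
# Get-SendConnector; the Default Frontend and Default <server> Receive
# connectors are listed, with the transport service they belong to.
Get-ReceiveConnector |
    Format-Table Name, TransportRole, Bindings -AutoSize

# --- Trace a message (run on each server; the Edge server is not domain-joined,
#     so query its tracking log locally rather than through -Server) ---
$msgId = '<placeholder-message-id@example.com>'   # replace with a real Message-ID
Get-MessageTrackingLog -MessageId $msgId -Start (Get-Date).AddHours(-24) -ResultSize Unlimited |
    Sort-Object Timestamp |
    Format-Table Timestamp, EventId, Source, ConnectorId, Sender,
        @{ Name = 'Recipients'; Expression = { $_.Recipients -join ',' } } -AutoSize
```

The ConnectorId column of the RECEIVE and SEND events shows which connector handled each hop, so the output from the Edge server followed by the output from the Mailbox server reproduces the inbound or outbound sequence listed above.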
Anti-Spam Agents in Edge Transport Server
The Edge Transport server provides 3 anti-spam agents:
- Connection Filter Agent
- Recipient Filter Agent
- Attachment Filter Agent
Spammers use a variety of techniques to send spam into your organization. Edge Transport servers help prevent users from receiving spam by providing a collection of agents that work together to provide several layers of spam filtering and protection. With these agents you can block spam on the perimeter network, which adds an extra layer of security to your on-premises email environment.
Moreover, you can create and configure transport rules (mail flow rules) on the Edge Transport server. Mail flow rules on Edge Transport servers control email that is sent to or received from the Internet. They are configured on each Edge Transport server and help protect corporate network resources and data by applying an action to email that matches the rule's conditions.
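The following Exchange Management Shell session, added here as an example and not taken from the original post, shows how to inspect the three agents named above, turn on recipient validation, and create one Edge mail flow rule. The rule name, the 25 MB limit and the reject text are assumptions; the condition and action parameter names are the documented ones, and the comment shows how to confirm they are available on your Edge server.

```powershell
# Added example: review the Edge anti-spam agents and add one mail flow rule.
# Run in the Exchange Management Shell on the Edge Transport server.

# Which agents are in the transport pipeline, and whether each one is enabled
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# Connection filtering: DNS block list providers and the local IP block list
Get-IPBlockListProvider | Format-Table Name, LookupDomain, Enabled -AutoSize
Get-IPBlockListEntry    | Format-Table IPRange, ExpirationTime -AutoSize

# Recipient filtering: reject mail for recipients that do not exist in the copy
# of the directory that EdgeSync replicated to AD LDS (requires an Edge Subscription)
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled, BlockedRecipients

# Attachment filtering: what happens to blocked attachments, and the current block list
Get-AttachmentFilterListConfig | Format-List Action, RejectResponse
Get-AttachmentFilterEntry      | Format-Table Identity, Type, Name -AutoSize

# Mail flow rule on the Edge server: reject oversized Internet mail during the SMTP session.
# Confirm the predicate/action names on your server first:
#   Get-TransportRulePredicate | Select-Object Name
#   Get-TransportRuleAction    | Select-Object Name
New-TransportRule -Name 'Edge - reject oversized Internet mail' `
    -FromScope NotInOrganization `
    -MessageSizeOver 25MB `
    -SmtpRejectMessageRejectText 'Message exceeds the size accepted by this organization'

Get-TransportRule | Format-Table Name, State, Priority -AutoSize
```

Rules created on an Edge server are stored in its AD LDS instance, not in Active Directory, so they apply only to that Edge server; repeat the rule on each Edge server you deploy.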
Address rewriting in Edge Transport Server
Another benefit of the Edge Transport server is address rewriting. Address rewriting is a feature of Exchange Server that modifies the sender and recipient email addresses in messages that enter or leave your organization through an Edge Transport server.
Let's assume we have one parent domain, ABC.COM, and two subdomains (child domains), sales.abc.com and it.abc.com. When a user from a child domain sends an email, I want the sender address to appear as @abc.com rather than @it.abc.com.
With address rewriting, we can rewrite the email addresses so that they appear to originate from a single domain.
Important: the Edge Transport server has two transport agents that provide the rewriting functionality: the Address Rewriting Inbound Agent and the Address Rewriting Outbound Agent.
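As an added example (not from the original post), this is how the scenario above would be configured in the Exchange Management Shell on the Edge Transport server. The domain names are the ones used in the text; the entry names are assumptions.

```powershell
# Added example: make outbound mail from the child domains appear to come from abc.com.
# Run on the Edge Transport server. Entry names are assumptions.

# Several internal domains are mapped onto one external domain, so the inbound
# agent could not tell which child domain an incoming @abc.com address belongs to;
# such entries must therefore be outbound-only.
New-AddressRewriteEntry -Name 'it.abc.com to abc.com' `
    -InternalAddress it.abc.com -ExternalAddress abc.com -OutboundOnly $true
New-AddressRewriteEntry -Name 'sales.abc.com to abc.com' `
    -InternalAddress sales.abc.com -ExternalAddress abc.com -OutboundOnly $true

# Both rewriting agents must be enabled for the entries to take effect
Get-TransportAgent |
    Where-Object { $_.Identity -like 'Address Rewriting*' } |
    Format-Table Identity, Enabled -AutoSize

# Review the configured entries
Get-AddressRewriteEntry |
    Format-Table Name, InternalAddress, ExternalAddress, OutboundOnly -AutoSize
```

Because the entries are outbound-only, replies from the Internet arrive addressed to user@abc.com, so each affected mailbox needs an abc.com proxy address and abc.com must be an accepted domain; otherwise the replies are rejected as unknown recipients.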
How Edge Transport Server communicates with Active Directory
The Edge Transport server does not have direct access to Active Directory, because it is always installed in a perimeter network and is never joined to the Active Directory domain.
The Edge Transport server needs only some of the information from Active Directory, such as connector information for email flow and recipient information for anti-spam recipient lookup. This data is synchronized to the Edge Transport server by the Microsoft Exchange EdgeSync service, which runs on the Mailbox server in Exchange 2016 or Exchange 2019.
When we install the Edge Transport server, we first install Active Directory Lightweight Directory Services (AD LDS) as a prerequisite on the machine where the Edge Transport server will be installed.
The EdgeSync service creates a one-way replication of recipient and configuration information from Active Directory to the AD LDS instance running on the Edge Transport server. This one-way replication is set up by an Edge Subscription, which creates a secure, automatic replication of information from Active Directory to the AD LDS instance on the Edge server.
The Edge Subscription process provisions the credentials that are used to establish a secure LDAP connection between the Mailbox servers and the subscribed Edge Transport server.
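The Edge Subscription steps just described, written out as an added Exchange Management Shell example (not taken from the original post). The file path, the Mailbox server name MBX01, the site name and the test recipient are placeholders.

```powershell
# Added example: create, run and verify an Edge Subscription.
# Server, site, path and recipient names are placeholders.

# 1. On the Edge Transport server: export the subscription file. It carries the
#    credentials used for the secure LDAP connection to AD LDS, so handle it as a secret.
New-EdgeSubscription -FileName 'C:\EdgeSubscription.xml'
#    Copy C:\EdgeSubscription.xml to a Mailbox server in the site that will sync with this Edge server.

# 2. On a Mailbox server in that site: import the file and bind the subscription to the site.
#    The two switches create the "EdgeSync - <Site> to Internet" and
#    "EdgeSync - Inbound to <Site>" Send connectors automatically.
$bytes = [System.IO.File]::ReadAllBytes('C:\EdgeSubscription.xml')
New-EdgeSubscription -FileData $bytes -Site 'Default-First-Site-Name' `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true
Remove-Item 'C:\EdgeSubscription.xml'   # the credentials inside are no longer needed on disk

# 3. Start the first synchronization instead of waiting for the EdgeSync schedule.
Start-EdgeSynchronization -Server MBX01 -ForceFullSync

# 4. Verify: which Edge servers are subscribed, whether the LDAP connection works,
#    and whether AD and AD LDS hold the same configuration and recipients.
Get-EdgeSubscription | Format-Table Name, Site -AutoSize
Test-EdgeSynchronization -FullCompareMode | Format-List
Test-EdgeSynchronization -VerifyRecipient 'user@example.com'   # placeholder recipient
```

Test-EdgeSynchronization with -FullCompareMode reports a SyncStatus per Edge server together with the last successful sync time; anything other than Normal usually points at the secure LDAP port (50636) being blocked or the Edge server's FQDN not resolving from the Mailbox server.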
Is Edge Transport Server required?
The Edge Transport server is not mandatory for your on-premises Exchange organization. If you do not want to set up an Edge Transport server, you can use a third-party email filtering solution, for example Barracuda, EOP, SendGrid or SpamTitan. These email filtering solutions provide more advanced features to secure your email compared to the on-premises Exchange Server anti-spam agents.
Prerequisites to install Edge Transport Server
Before you install the Edge Transport server in your on-premises Exchange environment, you need to meet certain prerequisites.
- TCP port 25 must be open between the Internet and the Edge Transport server for external inbound and outbound email flow. The same port must also be open between the Edge Transport server and the Mailbox server.
- Ports 389 and 50636 (LDAP and secure LDAP) have to be opened on the Edge server. These ports are used for directory synchronization from the Mailbox servers to the AD LDS instance running on the Edge Transport server.
- The Mailbox server must be able to resolve the fully qualified domain name (DNS host name) of the Edge Transport server, and the Edge Transport server must be able to resolve the fully qualified domain name of the Mailbox server.
- You need the credentials of an account that is a member of the local Administrators group.
- You also need an SSL certificate for the Edge Transport server. Reusing the certificate already in use on the Mailbox server is not recommended, so obtain a new certificate for the Edge server from a third-party certification authority.
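The checks below, added here as an example and not taken from the original post, verify the prerequisites listed above from both sides before the Edge role is installed. The host names, the request file path and the certificate subject are placeholders.

```powershell
# Added example: prerequisite checks for an Edge Transport server. Names are placeholders.
$mailboxServer = 'mbx01.corp.example.com'   # FQDN of an internal Mailbox server
$edgeFqdn      = 'edge01.corp.example.com'  # FQDN the Edge machine will answer to

# --- On the future Edge Transport server (workgroup machine) ---
# DNS: the Edge server must resolve the Mailbox server
Resolve-DnsName -Name $mailboxServer -Type A

# SMTP to the Mailbox server (port 25 toward the Internet is checked at the firewall)
Test-NetConnection -ComputerName $mailboxServer -Port 25 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# AD LDS must be installed before Exchange setup will add the Edge role
Install-WindowsFeature ADLDS
Get-WindowsFeature ADLDS | Select-Object Name, InstallState

# The installing account must be a local administrator
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
"Running as local administrator: " +
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# --- On the Mailbox server ---
# DNS: the Mailbox server must resolve the Edge server, and the EdgeSync ports
# must be reachable on it (389 and 50636 as listed above)
Resolve-DnsName -Name $edgeFqdn -Type A
foreach ($port in 25, 389, 50636) {
    Test-NetConnection -ComputerName $edgeFqdn -Port $port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# --- On the Edge server, after the Edge role is installed ---
# Separate certificate for the Edge server: generate a request for an external CA,
# then import the issued certificate and enable it for SMTP.
New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$edgeFqdn" -DomainName $edgeFqdn `
    -PrivateKeyExportable $true -RequestFile 'C:\edge01.req'
# Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('C:\edge01.cer')) |
#     Enable-ExchangeCertificate -Services SMTP
```

Running the port checks from both sides matters because the Edge server sits behind a different firewall zone: port 25 is tested in both directions, while 389 and 50636 only need to be reachable from the Mailbox server toward the Edge server.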
In the next article we will meet all of the above prerequisites step by step and learn how to install the Edge Transport server in an Exchange 2019 organization.
Conclusion
In this blog we learnt what the Edge Transport Server role is and how it works, how email flows once the Edge Transport server is installed in an on-premises Exchange organization, how the address rewriting functionality of the Edge Transport server works, and what the prerequisites for installing the Edge Transport Server role are.
Found this blog helpful and informative? Please follow us on YouTube and join our Newsletter for early blogs and updates.
Related articles
We welcome you to browse our other articles on Exchange Server 2019 and Exchange Hybrid deployment:
Install Active Directory on Windows Server 2019 and promote to Domain Controller
DNS records in Active Directory
Exchange Server Roles, Architecture, and Functionality Explained
Exchange Server 2019 prerequisites
Install Exchange Server 2019 on Windows Server 2019
How to configure Exchange Server 2019 post installation
Transport Pipeline in Exchange Server 2019
Configure Mail Flow in Exchange Server 2019
Create FREE Let’s Encrypt certificate and install on Exchange Server
Happy Learning!!