How to Configure Mail Flow Between an Edge Transport Server and Hub Transport Servers Without Using EdgeSync
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
We always recommend that you use the Edge Subscription process to establish mail flow between the Exchange organization and a computer that is running Microsoft Exchange Server 2007 that has the Edge Transport server role installed. However, we realize that there are situations where you can't subscribe the Edge Transport server to the Exchange organization by using the Edge Subscription process. To manually establish mail flow between the Exchange organization and an Edge Transport server, you must create and configure the Send connectors and Receive connectors on the Edge Transport server and on the Hub Transport servers in the Exchange organization.
Before You Begin
To perform this procedure, the account you use must be delegated the following:
- Exchange Organization Administrator role
To perform the following procedures on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
This procedure uses Basic authentication over Transport Layer Security (TLS) to provide encryption and authentication. When you use Basic authentication over TLS, the receiving server must have an X.509 Secure Sockets Layer (SSL) server certificate installed. The fully qualified domain name (FQDN) value configured on the Receive connector must match the FQDN in the SSL server certificate. By default, the value of the FQDN on the Receive connector is the FQDN of the server that contains the Receive connector.
It is much easier to configure the Externally Secured authentication method. However, the communication between the Edge Transport server and Hub Transport server is not authenticated or encrypted by Microsoft Exchange. We recommend that you use the Externally Secured authentication method only when an additional encryption method is used. The encryption method can be an IPsec association or a virtual private network (VPN).
An Edge Transport server is typically multi-homed. This means that the Edge Transport server has network adapters that are connected to multiple network segments. Each of these network adapters has a unique IP configuration. The network adapter that is connected to the external, or public, network segment should be configured to use a public Domain Name System (DNS) server for name resolution. This enables the server to resolve Simple Mail Transfer Protocol (SMTP) domain names to MX resource records and route mail to the Internet. The network adapter that is connected to the internal, or private, network segment should be configured to use a DNS server in the perimeter network or should have a Hosts file available.
For more information, see How to Configure a DNS Suffix for the Edge Transport Server Role.
Edge Transport Server Procedures
The following connectors are required on the Edge Transport server:
- A Send connector that is configured to send messages to the Internet
- A Send connector that is configured to send messages to the Hub Transport servers in the Exchange organization
- A Receive connector that is configured to receive messages only from Hub Transport servers in the Exchange organization
- A Receive connector that is configured to accept messages only from the Internet
By default, a single Receive connector is created during the installation of the Edge Transport server role. This connector can be used for both incoming Internet messages and incoming messages from the Hub Transport servers. Typically, the Edge Subscription process automatically configures the correct permissions and authentication on the default Receive connector. When you don't use the Edge Subscription process, we recommend that you modify the default Receive connector on the Edge Transport server to only accept messages from the Internet. You should then create a new Receive connector on the Edge Transport server that is configured to only accept messages from internal Hub Transport servers.
Creating a Send Connector That is Configured to Send Messages to the Internet
This Send connector requires the following configuration:
Usage type: Internet.
Address spaces: "*" (all domains).
Network settings: Use DNS MX records to route mail automatically. Depending on your network configuration, you can also route mail through a smart host. The smart host then routes mail to the Internet.
To use the Exchange Management Console to create a Send connector on the Edge Transport server that is configured to send messages to the Internet
Open the Exchange Management Console. Select Edge Transport, and then in the work pane, click the Send Connectors tab.
In the action pane, click New Send Connector. The New SMTP Send Connector wizard starts.
On the Introduction page, follow these steps:
In the Name field, type a meaningful name for this connector, such as "To Internet".
In the Select the intended use for this connector: field, select Internet.
On the Address space page, click Add. In the Add Address Space dialog box, enter *, and then click OK.
Note
In Microsoft Exchange Server 2007 Service Pack 1 (SP1), the dialog box is named SMTP Address Space.
When you are finished, click Next.
On the Network settings page, select Use domain name system (DNS) "MX" records to route mail automatically, and then click Next.
On the New connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Send connector by using the settings in the configuration summary, click New.
On the Completion page, click Finish.
To use the Exchange Management Shell to create a Send connector on the Edge Transport server that is configured to send messages to the Internet
Run the following command:
New-SendConnector -Name <Name> -AddressSpaces * -Usage Internet -DNSRoutingEnabled $true
For example, to create a new Send connector named "To Internet" with the required settings, run the following command:
New-SendConnector -Name "To Internet" -AddressSpaces * -Usage Internet -DNSRoutingEnabled $true
For detailed syntax and parameter information, see New-SendConnector.
Creating a Send Connector That is Configured to Send Messages to the Internal Exchange Organization
Before you begin this procedure, you must create a user account in the Active Directory directory service and add the account to the Exchange Servers universal security group. This account is used by the Send connector on the Edge Transport server to authenticate to the destination Hub Transport server in the Exchange organization.
Important
This account is granted the permissions that are associated with Exchange servers. Make sure that you safeguard the account credentials to prevent misuse of the account. You can configure the account to allow logon to specific computers only.
This Send connector requires the following configuration:
Usage type: Internal
Address spaces: All accepted domains for the Exchange organization
Network settings:
Fully qualified domain name (FQDN) of one or more Hub Transport servers as smart hosts
Smart host authentication setting: Basic authentication over TLS
To use the Exchange Management Console to create a Send connector on the Edge Transport server that is configured to send messages to the internal Exchange organization
Open the Exchange Management Console. Select Edge Transport, and then in the work pane, click the Send Connectors tab.
In the action pane, click New Send Connector. The New SMTP Send Connector wizard starts.
On the Introduction page, follow these steps:
In the Name field, type a meaningful name for this connector, such as "To Internal Org".
In the Select the intended use for this connector: field, select Internal.
On the Address space page, follow these steps:
Click Add.
In the Add Address Space dialog box, enter the accepted domains for the Exchange organization. You may select the Include all subdomains check box to use this connector to send e-mail to all subdomains of the address space. When you are finished, click OK.
Note
In Exchange 2007 SP1, the dialog box is named SMTP Address Space.
To add more address spaces to this connector, click Add, repeat this step, and then click OK.
When you are finished, click Next.
On the Network settings page, follow these steps:
Select Route mail through the following smart hosts, and then click Add.
In the Add Smart Host dialog box, select Fully qualified domain name (FQDN), and enter the FQDN of the destination Hub Transport server. The Edge Transport server must be able to resolve the specified FQDN of the destination Hub Transport server. When you are finished, click OK.
To add more Hub Transport servers as smart hosts, click Add, and repeat this step.
When you are finished, click Next.
On the Configure smart host authentication settings page, select Basic Authentication to select Basic Authentication over TLS. In the Username and Password fields, enter the credentials for the user account in the internal domain. Use the domain\user format or user principal name (UPN) format to enter the user name and provide the user's password. Click Next.
On the New connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Send connector by using the settings in the configuration summary, click New.
On the Completion page, click Finish.
Important
The Edge Transport server must be able to resolve the name of the Hub Transport server so that it exactly matches the FQDN that is specified in the SmartHosts parameter. This is the FQDN that is specified in the X.509 certificate that is installed on the destination Hub Transport server. It is also the FQDN that is specified in the Receive connector that is configured on the destination Hub Transport server.
To use the Exchange Management Shell to create a Send connector on the Edge Transport server that is configured to send messages to the Internal Exchange organization
Run the following command on the Edge Transport server:
$hubcred = get-credential
- In the dialog box that appears, enter the credentials for the user account in the internal domain. Use the domain\user format or UPN format to enter the user name and provide the user's password. Click OK.
Run the following command on the Edge Transport server:
New-SendConnector -Name <ConnectorName> -Usage Internal -AddressSpaces <AcceptedDomain1,AcceptedDomain2...> -DNSRoutingEnabled $False -SmartHosts <HubServer1,HubServer2...> -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $hubcred
For example, to create a new Send connector named "To Internal Org" for the accepted domain "contoso.com" and all subdomains to the destination Hub Transport servers named "hub01.contoso.com" and "hub02.contoso.com", run the following command:
New-SendConnector -Name "To Internal Org" -Usage Internal -AddressSpaces *.contoso.com -DNSRoutingEnabled $False -SmartHosts Hub01.contoso.com,Hub02.contoso.com -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $hubcred
Important
The Edge Transport server must be able to resolve the name of the Hub Transport server so that it exactly matches the FQDN that is specified in the SmartHosts parameter. This is the FQDN that is specified in the X.509 certificate that is installed on the destination Hub Transport server. It is also the FQDN that is specified in the Receive connector that is configured on the destination Hub Transport server.
For detailed syntax and parameter information, see New-SendConnector.
Modifying the Default Receive Connector to Only Accept Messages from the Internet
A default Receive connector named "Default internal Receive connector ServerName" is created when the Edge Transport server role is installed on the server. The default Receive connector is configured to accept messages from the Internet and from the internal Exchange organization. If you are not going to use the Edge Subscription process to correctly configure the authentication methods on the default Receive connector, you should modify the default Receive connector to only accept the anonymous message submissions from the Internet. You should then create a separate Receive connector that only accepts the trusted message submissions from the internal Exchange organization.
Only one reconfiguration is required on the default Receive connector. You must set the local network bindings to the IP address of the Internet-facing network adapter only. You may also want to rename the default Receive connector to something more descriptive.
Note
If Exchange 2007 SP1 is deployed on a computer that is running Windows Server 2008, you can enter IP addresses and IP address ranges in the Internet Protocol Version 4 (IPv4) format, Internet Protocol Version 6 (IPv6) format, or both formats. A default installation of Windows Server 2008 enables support for IPv4 and IPv6.
We strongly recommend against configuring Receive connectors to accept anonymous connections from unknown IPv6 addresses. If you configure a Receive connector to accept anonymous connections from unknown IPv6 addresses, the amount of spam that enters your organization is likely to increase. Currently, there is no broadly accepted industry standard protocol for looking up IPv6 addresses. Most IP Block List providers do not support IPv6 addresses. Therefore, if you allow anonymous connections from unknown IPv6 addresses on a Receive connector, you increase the chance that spammers will bypass IP Block List providers and successfully deliver spam into your organization.
For more information about Exchange 2007 SP1 support for IPv6 addresses, see IPv6 Support in Exchange 2007 SP1 and SP2. For more information about connection filtering, how to add IP addresses to the IP Allow list and IP Block list, and how to configure IP Block List provider services and IP Allow List provider services, see Configuring Connection Filtering.
To use the Exchange Management Console to modify the default Receive connector on an Edge Transport server to only accept messages from the Internet
Open the Exchange Management Console. Select Edge Transport, and then in the work pane, click the Receive Connectors tab.
In the work pane, select the Receive connector to modify. The default Receive connector is named "Default internal Receive connector Servername".
Under the name of the Receive connector in the action pane, click Properties to open the Properties page.
Click the General tab to modify the name of the connector.
Click the Network tab. Under Use these local IP addresses to Receive mail, click Edit.
- In the Edit Receive Connector Binding dialog box, select Specify an IP address, and then enter the IP address of the Internet-facing network adapter. Click OK.
Click OK to save your changes and exit the Properties page.
To use the Exchange Management Shell to modify the default Receive connector on an Edge Transport server to only accept messages from the Internet
Run the following command:
Set-ReceiveConnector "Default internal Receive connector <ServerName>" -Name <NewConnectorName> -Bindings <ExternalNetworkAdapterIP:25>
For example, to rename the default Receive connector on an Edge Transport server named "Edge01" to "From Internet" and bind it to the external network adapter that has the IP address 10.1.1.1, run the following command:
Set-ReceiveConnector "Default internal Receive connector Edge01" -Name "From Internet" -Bindings 10.1.1.1:25
For detailed syntax and parameter information, see New-ReceiveConnector.
Creating a New Receive Connector that is Configured to Only Accept Messages from the Internal Exchange Organization
This Receive connector requires the following configuration:
Usage type: Internal
Local network bindings: Internal network-facing network adapter
Remote network settings: IP address of one or more Hub Transport servers in the Exchange organization
Authentication method: Basic authentication over TLS
To use the Exchange Management Console to create a new Receive connector on an Edge Transport server that is configured to only accept messages from the internal Exchange organization
Open the Exchange Management Console. Select Edge Transport, and then in the work pane, click the Receive Connectors tab.
In the action pane, click New Receive Connector. The New SMTP Receive Connector wizard starts.
On the Introduction page, follow these steps:
In the Name field, type a meaningful name for this connector.
In the Select the intended use for this connector: field, select Internal.
On the Remote network settings page, follow these steps:
Select the default IP address range entry 0.0.0.0 - 255.255.255.255, and then click .
Click Add or the drop-down arrow located next to Add and type the IP address or IP address range of the internal Hub Transport server or servers. When you are finished, click OK.
To add multiple destination Hub Transport servers to this connector, click Add and repeat this step. Each Hub Transport server that you define in this step must also be listed as a source server in the corresponding Send connectors that are configured on the Hub Transport servers.
When you are finished, click Next.
On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Receive connector by using the settings in the configuration summary, click New.
On the Completion page, click Finish.
In the work pane, select the Receive connector that you created.
Under the name of the Receive connector in the action pane, click Properties to open the Properties page.
Click the Network tab. Under Use these local IP addresses to Receive mail, click Edit.
- In the Edit Receive Connector Binding dialog box, select Specify an IP address, and then enter the IP address of the internal organization-facing network adapter. Click OK.
Click the Authentication tab. Select Basic Authentication and Offer Basic authentication only after starting TLS.
Click OK to save your changes and exit the Properties page.
To use the Exchange Management Shell to create a new Receive connector on an Edge Transport server that is configured to only accept messages from the internal Exchange organization
Run the following command:
New-ReceiveConnector -Name <ConnectorName> -Usage Internal -AuthMechanism TLS,BasicAuth,BasicAuthRequireTLS,ExchangeServer -Bindings <InternalNetworkAdapterIP:25> -RemoteIPRanges <HubTransportServerAddress1,HubTransportServerAddress2...>
For example, to create a new Receive connector named "To Internal Org", on an Edge Transport server that has an internal network adapter IP address of 10.1.1.1 and that accepts messages from internal Hub Transport servers that use IP addresses 192.168.5.10 and 192.168.5.20, run the following command:
New-ReceiveConnector -Name "To Internal Org" -Usage Internal -AuthMechanism TLS,BasicAuth,BasicAuthRequireTLS,ExchangeServer -Bindings 10.1.1.1:25 -RemoteIPRanges 192.168.5.10,192.168.5.20
For detailed syntax and parameter information, see New-ReceiveConnector.
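The following script is an added example; it is not part of the original article and is not Exchange's own tooling. It is a read-only audit, run in the Exchange Management Shell on the Edge Transport server, of the layout the procedures above produce: the Internet Send connector routes by DNS MX records, the internal Send connector uses Basic authentication over TLS to smart hosts that resolve from the Edge server (the Important notes above), the Internet-facing Receive connector accepts anonymous connections from IPv4 ranges only (the IPv6 note above), the internal-facing Receive connector is limited to the Hub Transport server addresses and requires TLS before Basic authentication, and every Receive connector FQDN appears on an SMTP-enabled certificate. The adapter and Hub addresses at the top are constructed values that you replace; the properties used are those exposed by Get-SendConnector, Get-ReceiveConnector and Get-ExchangeCertificate.

```powershell
# Added example, not part of the original article: a read-only audit of the
# connector layout on an Edge Transport server after the procedures above.
# Run it in the Exchange Management Shell on the Edge Transport server.
# Constructed values; replace them with your own:
$ExternalIP   = "10.1.1.1"                         # Internet-facing adapter (the article's example value)
$InternalIP   = "10.1.1.2"                         # internal-facing adapter (assumed)
$HubAddresses = @("192.168.5.10", "192.168.5.20")  # Hub Transport servers (the article's example values)

$findings = @()

# --- Send connectors ---------------------------------------------------------
foreach ($sc in Get-SendConnector) {
    $spaces = @($sc.AddressSpaces | ForEach-Object { $_.Address })
    if ($spaces -contains "*") {
        # Internet connector: route by DNS MX records
        if (-not $sc.DNSRoutingEnabled) {
            $findings += "Send connector '$($sc.Name)' covers '*' but does not use DNS routing."
        }
        continue
    }
    # Internal connector: smart hosts, Basic authentication only after TLS
    if ($sc.SmartHosts.Count -eq 0) {
        $findings += "Send connector '$($sc.Name)' has no smart hosts."
    }
    if ("$($sc.SmartHostAuthMechanism)" -ne "BasicAuthRequireTLS") {
        $findings += "Send connector '$($sc.Name)' uses '$($sc.SmartHostAuthMechanism)', not BasicAuthRequireTLS."
    }
    # Each smart host name must resolve from this server; it must also equal the FQDN
    # on the Hub server's certificate and Receive connector (verified on that side)
    foreach ($sh in $sc.SmartHosts) {
        $name = "$sh".Trim("[]")                # an IP smart host renders as "[a.b.c.d]"
        try   { [void][System.Net.Dns]::GetHostEntry($name) }
        catch { $findings += "Send connector '$($sc.Name)': smart host '$name' does not resolve." }
    }
}

# --- Receive connectors ------------------------------------------------------
# Names on certificates enabled for SMTP; each Receive connector FQDN must be one of them
$certNames = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "SMTP" } |
               ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" })

foreach ($rc in Get-ReceiveConnector) {
    $bound  = @($rc.Bindings | ForEach-Object { "$($_.Address)" })
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { "$_" })   # single IPs render as "a.b.c.d", ranges as "start-end"
    $anon   = "$($rc.PermissionGroups)" -match "AnonymousUsers"
    $auth   = "$($rc.AuthMechanism)"

    if ($bound -contains "0.0.0.0" -or $bound -contains "::") {
        $findings += "Receive connector '$($rc.Name)' listens on all addresses; bind it to one adapter."
    }
    if ($bound -contains $ExternalIP) {
        # Internet connector: anonymous connections from IPv4 ranges only (see the IPv6 note)
        foreach ($range in $ranges) {
            if ($anon -and $range -match ":") {
                $findings += "Receive connector '$($rc.Name)' allows anonymous connections from IPv6 range '$range'."
            }
        }
    }
    if ($bound -contains $InternalIP) {
        # Internal connector: listed Hub servers only, no anonymous access, TLS before Basic auth
        if ($anon) { $findings += "Receive connector '$($rc.Name)' on the internal adapter allows anonymous submissions." }
        foreach ($range in $ranges) {
            if ($HubAddresses -notcontains $range) {
                $findings += "Receive connector '$($rc.Name)' accepts '$range', which is not a listed Hub Transport server."
            }
        }
        if ($auth -notmatch "BasicAuthRequireTLS") {
            $findings += "Receive connector '$($rc.Name)' does not require TLS before Basic authentication."
        }
    }
    if ($auth -match "Tls" -and $certNames -notcontains "$($rc.Fqdn)") {
        $findings += "Receive connector '$($rc.Name)': FQDN '$($rc.Fqdn)' is on no SMTP-enabled certificate (wildcard names need a manual check)."
    }
}

if ($findings.Count -eq 0) { "No problems found." } else { $findings }
```

The script changes nothing; each finding points at the procedure above that fixes it. Because IP Block List providers do not cover IPv6, any anonymous IPv6 range on the Internet-facing connector is reported even when the range is the default one that Windows Server 2008 installations add.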
Hub Transport Server Procedures
The following connector is required on the Hub Transport servers:
- A Send connector that is configured to send messages to the Edge Transport server in the perimeter network for relay to the Internet
By default, two Receive connectors are created during the installation of the Hub Transport server role. The connector named "Client ServerName" is configured to accept messages from all POP3 and IMAP messaging clients. The connector named "Default ServerName" is configured to accept messages from an Edge Transport server. No modifications to these connectors are required.
Creating a Send Connector That is Configured to Send Outgoing Messages to the Edge Transport Server
Before you begin this procedure, you must create a user account on the destination Edge Transport server that is a member of the local Administrators security group. This account is used by the Send connector on the Hub Transport server to authenticate to the destination Edge Transport server.
This Send connector requires the following configuration:
Usage type: Internal
Address spaces: *
Network settings:
IP address or FQDN of the Edge Transport server as a smart host
Smart host authentication setting: Basic Authentication over TLS
To use the Exchange Management Console to create a Send connector on a Hub Transport server that is configured to send outgoing messages to the Edge Transport server
Open the Exchange Management Console. In the console tree, expand Organization Configuration, select Hub Transport, and then in the work pane, click the Send Connectors tab.
In the action pane, click New Send Connector. The New SMTP Send Connector wizard starts.
On the Introduction page, follow these steps:
In the Name field, type a meaningful name for this connector, such as "To Edge".
In the Select the intended use for this connector: field, select Internal.
On the Address space page, click Add. In the Add Address Space dialog box, enter *, and then click OK.
When you are finished, click Next.
Note
In Exchange 2007 SP1, the dialog box is named SMTP Address Space.
On the Network settings page, follow these steps:
Select Route mail through the following smart hosts, and then click Add.
In the Add Smart Host dialog box, select Fully qualified domain name (FQDN), and enter the FQDN of the destination Edge Transport server. The Hub Transport server must be able to resolve the specified FQDN of the destination Edge Transport server. Click OK.
When you are finished, click Next.
On the Configure smart host authentication settings page, select Basic Authentication to select Basic Authentication over TLS. In the Username and Password fields, enter the credentials for the user account on the destination Edge Transport server. Click Next.
By default, the Source Server page lists the Hub Transport server on which you are performing this procedure. If you want to add more Hub Transport servers for fault tolerance, those Hub Transport servers must be configured as sources on the corresponding Receive connector on the Edge Transport server. To add more source servers, click Add. In the Select Hub Transport servers and Edge Subscriptions dialog box, select the Hub Transport servers that will be used as the source server for sending messages to the Edge Transport server that you provided in step 6. When you are finished adding additional source servers, click OK.
To add more source servers, click Add and repeat this step.
When you are finished, click Next.
On the New connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Send connector by using the settings in the configuration summary, click New.
On the Completion page, click Finish.
Important
The specified Hub Transport servers must be able to resolve the name of the Edge Transport server so that it exactly matches the FQDN that is specified in the SmartHosts parameter. This is the FQDN that is specified in the X.509 certificate that is installed on the destination Edge Transport server. It is also the FQDN that is specified in the Receive connector that is configured on the destination Edge Transport server.
To use the Exchange Management Shell to create a Send connector on a Hub Transport server that is configured to send outgoing messages to the Edge Transport server
Run the following command on the Hub Transport server:
$edgecred = get-credential
- In the dialog box that appears, enter the credentials for the user account on the Edge Transport server. Click OK.
Run the following command on the Hub Transport server:
New-SendConnector -Name <ConnectorName> -Usage Internal -AddressSpaces * -DNSRoutingEnabled $False -SmartHosts <EdgeServer> -SourceTransportServers <HubServer1,HubServer2...> -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $edgecred
For example, to create a new Send connector named "To Edge" that is sourced on the Hub Transport servers named "hub01.contoso.com" and "hub02.contoso.com" to the destination Edge Transport server named edge01.contoso.net, run the following command:
New-SendConnector -Name "To Edge" -Usage Internal -AddressSpaces * -DNSRoutingEnabled $False -SmartHosts edge01.contoso.net -SourceTransportServers hub01.contoso.com,hub02.contoso.com -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $edgecred
Important
The Hub Transport servers must be able to resolve the name of the Edge Transport server so that it exactly matches the FQDN that is specified in the SmartHosts parameter. This is the FQDN that is specified in the X.509 certificate that is installed on the destination Edge Transport server. It is also the FQDN that is specified in the Receive connector that is configured on the destination Edge Transport server.
For detailed syntax and parameter information, see New-SendConnector.
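The Important notes in both the Edge and Hub procedures require that the name given in SmartHosts resolves and exactly matches the FQDN on the far side's certificate and Receive connector. The function below is an added example, not from the original article or from Exchange itself. It performs the EHLO and STARTTLS exchange that a Send connector configured for Basic authentication over TLS performs, run from a Hub Transport server toward the Edge Transport server (or from the Edge server toward a Hub server), and reports whether STARTTLS is offered, whether TLS negotiates, what chain errors the certificate has, and whether the certificate's subject or subjectAltName names cover the smart host exactly as written. The function name Test-SmtpStartTls, its HeloName default and the edge01.contoso.net call are assumptions or constructed values; it needs Windows PowerShell 2.0 or later for the certificate-validation callback.

```powershell
# Added example, not from the original article: probe an SMTP smart host the way
# a Send connector configured for Basic authentication over TLS will use it, and
# report whether the certificate name matches the -SmartHosts value.
# Assumes Windows PowerShell 2.0 or later (scriptblock-to-delegate casting).
function Test-SmtpStartTls {
    param(
        [string]$SmartHost,                         # FQDN exactly as given in -SmartHosts
        [int]$Port = 25,
        [string]$HeloName = "probe.contoso.com"     # constructed name the probe announces itself with
    )
    $r = @{ SmartHost = $SmartHost; Resolves = $false; StartTlsOffered = $false;
            TlsNegotiated = $false; CertSubject = ""; CertNames = @();
            NameMatches = $false; ChainErrors = ""; Error = "" }
    # Record chain errors but never abort: BasicAuthRequireTLS needs an X.509
    # certificate, not a trusted chain, so a self-signed certificate is reported, not failed.
    $script:sslErrors = $null
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $policyErrors)
        $script:sslErrors = $policyErrors
        return $true
    }
    try {
        [void][System.Net.Dns]::GetHostEntry($SmartHost)
        $r.Resolves = $true

        $client = New-Object System.Net.Sockets.TcpClient($SmartHost, $Port)
        $net    = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($net)
        $writer = New-Object System.IO.StreamWriter($net)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $banner = $reader.ReadLine()
        if ($banner -notmatch '^220') { throw "Unexpected greeting: $banner" }

        # EHLO: a multi-line reply uses "250-" on every line but the last ("250 ")
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = @()
        do { $line = $reader.ReadLine(); $ehlo += $line } while ($line -match '^250-')
        $r.StartTlsOffered = [bool]($ehlo -match '^250[- ]STARTTLS')
        if (-not $r.StartTlsOffered) { $writer.WriteLine("QUIT"); $client.Close(); return $r }

        $writer.WriteLine("STARTTLS")
        $reply = $reader.ReadLine()
        if ($reply -notmatch '^220') { throw "STARTTLS refused: $reply" }

        # Negotiate TLS on the same connection, naming the smart host as the target
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $accept)
        $ssl.AuthenticateAsClient($SmartHost)
        $r.TlsNegotiated = $ssl.IsAuthenticated
        $r.ChainErrors   = "$script:sslErrors"       # "None" when the chain is trusted

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.CertSubject = $cert.Subject
        $names = @($cert.GetNameInfo("DnsName", $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # subjectAltName
        if ($san) {
            foreach ($entry in $san.Format($false).Split(",")) {
                $names += ($entry -replace '^\s*DNS Name=', '').Trim()
            }
        }
        $r.CertNames = $names
        # Exact match, or a wildcard name that covers the smart host's parent domain
        $r.NameMatches = [bool]($names | Where-Object {
            ($_ -eq $SmartHost) -or ($_.StartsWith("*.") -and ($SmartHost -like $_)) })

        $sw = New-Object System.IO.StreamWriter($ssl); $sw.NewLine = "`r`n"; $sw.AutoFlush = $true
        $sw.WriteLine("QUIT")
        $client.Close()
    } catch {
        $r.Error = $_.Exception.Message
    }
    return $r
}

# Constructed example: from a Hub Transport server, check the Edge server used in
# the article's -SmartHosts example.
Test-SmtpStartTls -SmartHost "edge01.contoso.net"
```

A result with StartTlsOffered true, TlsNegotiated true and NameMatches false is the case the Important notes describe: the Receive connector on the far side offers TLS, but the name you gave in SmartHosts is not the FQDN on its certificate, so either the smart host entry or the certificate and Receive connector FQDN must be changed until they agree. Resolves false means the DNS or Hosts file configuration described at the top of this topic is incomplete.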
For More Information
For more information, see the following topics: