Exxhange SQL And IIS- P81 docx

Chapter 7
Managing the Edge Transport Server

Solutions in this chapter:

- Deploying the Edge Transport Server Role
- Enabling Name Resolution Lookups between the Edge Transport and Hub Transport Servers Suffix
- Installing the ADAM Component
- Verifying That the EdgeSync Service Works as Expected
- Manually Configuring the Required Connectors
- Pointing Your MX Records to the Edge Transport Server
- Deploying Multiple Edge Transport Servers in the Organization
- Summary
- Solutions Fast Track
- Frequently Asked Questions
378 Chapter 7 • Managing the Edge Transport Server


Introduction
The Exchange Product Group developed the edge transport server to give enterprises powerful
out-of-the-box protection against spam without needing to go out and invest in a third-party
solution. The messaging hygiene features in the Edge Transport server role are agent based and
consist of multiple filters that are frequently updated.
Although the primary role of the edge transport server is to route mail and do message hygiene,
it also includes features that will let you do other things, such as rewriting SMTP addresses,
configuring transport rules, and enabling journaling and associated disclaimers.
After reading this chapter you will have learned what the edge transport server is all about; you
will be aware of how an edge transport server is properly deployed and will know how to configure
most of the features available with this server role.
NOTE
Exchange 2007 also includes a new feature called Domain Security, which provides
a set of functionality that offers a low-cost alternative to S/MIME or other message-
level security solutions. The purpose of the Domain Security feature set is to provide
administrators a way to manage secured message paths over the Internet with
business partners.
Deploying the Edge Transport Server Role
The Edge Transport server role in Exchange Server 2007 is meant to be installed in your organization’s
perimeter network (also called a demilitarized zone [DMZ] or screened subnet). This server role supports
Simple Mail Transfer Protocol (SMTP) routing (more specifically, SMTP-relay and Smart Host
functionality) and provides several antispam filtering agents and support for antivirus extensibility.
The edge transport server is the only server role that shouldn’t be part of your Active Directory
directory service forest; it should instead be installed on a stand-alone server in a workgroup as
shown in Figure 7.1.
Although the Edge Transport server role is isolated from Active Directory, it’s still able to
communicate with the Active Directory using a collection of processes known as EdgeSync, which
runs on the hub transport server. Since it is part of the Active Directory, the Hub Transport
server has access to the necessary Active Directory data. The edge transport server uses Active
Directory Application Mode (ADAM) to store the required Active Directory data, which is data
such as accepted domains, recipients, safe senders, send connectors, and a hub transport server list
(used to generate dynamic connectors so that you don’t need to create them manually).
SOME INDEPENDENT ADVICE
Although the Edge Transport server role has been designed to provide improved
antispam and antivirus protection for an Exchange 2007 environment, you can
deploy this server role in an existing Exchange 2003 organization as well. Since you
install the Edge Transport server role on a stand-alone machine in the perimeter
network (the DMZ or screened subnet), this is even a relatively simple task. Even
though you would be able to use the Edge Transport server role as a smart host or
an SMTP relay server in an Exchange 2003 environment, you will not be able to
replicate configuration and recipient data from Active Directory to ADAM,
because this requires an Exchange 2007 hub transport server. This doesn’t hinder you
from using the filtering agent that doesn’t rely on the EdgeSync service. If you use
the Intelligent Message Filter (IMF) only in your Exchange 2003 environment,
deploying an edge transport server in the perimeter network (the DMZ or screened
subnet) would make sense because it would provide an additional layer of antispam
protection. You could also install ForeFront for Exchange Server 2007 on the edge
transport server so that you could filter out antivirus messages as well.
Figure 7.1 A Typical Edge Transport Server Scenario
[Diagram labels: Internet, SMTP Server, Firewall, Perimeter Network, Edge Transport, Firewall, Internal Network, Client Access, Hub Transport, Mailbox]
It’s important to understand that the EdgeSync replication is encrypted by default and that
the replication is a one-way process from Active Directory to ADAM. This means that no data is
replicated from ADAM to AD.
The first time that EdgeSync replication occurs, the ADAM store is populated, and after that, data
from Active Directory is replicated at fixed intervals. You can specify the intervals or use the default
settings, which are every hour for configuration data and every fourth hour for recipient data.
The edge transport server has its own Jet database to process the delivery of inbound as well as
outbound e-mail messages. When inbound e-mail messages are stored in the Jet database and are
ready for delivery, the edge transport server looks up the respective recipient(s) in the ADAM store,
which, as mentioned, contains (among other things) recipient data replicated from the Active Directory
using the EdgeSync service.
In a scenario in which you have deployed multiple edge transport servers in your organization,
the edge transport servers use DNS round robin (which is supported by most DNS servers today)
to load-balance network traffic between the servers.
Prerequisites
The Exchange 2007 Edge Transport server role can be installed on either a Windows 2003 Server R2
Standard Edition or Windows 2003 Server SP1 Standard Edition. As already mentioned, it’s important
that you install the Edge Transport server role on a stand-alone machine outside the Active Directory
forest, since installing this server role on a server that is a member of Active Directory isn’t supported,
nor would it be a good idea, since doing so would introduce a major security risk.
Since the Edge Transport server should be deployed in the perimeter network (the DMZ or screened
subnet), it’s recommended that you use a multihomed setup, meaning that the server has two network
adapters: one connected to the perimeter network and one to the internal network. This will give you the
option of specifying the ports and/or services that should be allowed on each adapter. For example, we
want to allow LDAP replication from only the internal network when we show you how to configure the
Security Configuration Wizard (SCW) later in this chapter. But the choice is yours, really, since an edge
transport server will work just fine using a single network adapter as well, albeit in a less secure way.

Creating a DNS Suffix
Before you can install the Exchange 2007 Edge Transport server role on the server, you should make
sure that you have created a DNS suffix, because you cannot change the server name once the server
role has been installed. In addition, the readiness check will fail if a DNS suffix cannot be located.
Creating the DNS suffix is a very simple process, performed via the following steps:
1. Log onto the edge transport server with the Administrator account or another account
with administrator permissions.
2. Click Start, right-click My Computer, and select Properties in the context menu.
3. Now click the Computer Name tab and then click the Change button (see Figure 7.2).
Figure 7.2 The Computer Name Tab
4. Click the More button.
5. Now enter the respective DNS suffix (see Figure 7.3) and then click OK four times.
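
The prerequisites above (stand-alone server, primary DNS suffix, recommended second network adapter) can be checked from PowerShell before setup is run. The following is an added example, not code from the book: the function name Test-EdgePrereq is hypothetical, and it assumes the primary DNS suffix is held in the Domain and NV Domain values under the Tcpip\Parameters registry key, where the steps above store it.

```powershell
# Added example: pre-install check for the Edge Transport prerequisites.
# Test-EdgePrereq is a hypothetical name chosen for this illustration.
function Test-EdgePrereq {
    param([string]$DnsSuffix)   # optional: suffix to stage if none is set

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $ok  = $true

    # 1. The server must be stand-alone (workgroup), not a domain member.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        Write-Warning "Joined to domain '$($cs.Domain)'; Edge Transport belongs on a workgroup server."
        $ok = $false
    }

    # 2. A primary DNS suffix must exist before setup runs.
    #    'Domain' is the active value; 'NV Domain' is the value applied at next boot.
    $tcpip   = Get-ItemProperty -Path $key
    $active  = $tcpip.Domain
    $pending = $tcpip.'NV Domain'
    if ([string]::IsNullOrEmpty($active)) {
        if ($DnsSuffix -and [string]::IsNullOrEmpty($pending)) {
            # Stage the suffix; it becomes active only after a restart.
            Set-ItemProperty -Path $key -Name 'NV Domain' -Value $DnsSuffix
            $pending = $DnsSuffix
        }
        if ($pending) { Write-Warning "DNS suffix '$pending' is pending; restart before running setup." }
        else          { Write-Warning "No primary DNS suffix is set; the readiness check will fail." }
        $ok = $false
    }

    # 3. A multihomed setup is recommended: one adapter per network.
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    if ($nics.Count -lt 2) {
        Write-Warning "Only $($nics.Count) IP-enabled adapter(s); perimeter and internal adapters are recommended."
    }

    $ok   # $true only when the server is stand-alone and has an active DNS suffix
}

# Read-only check; pass -DnsSuffix <your suffix> to stage one when it is missing.
Test-EdgePrereq
```

A single network adapter produces a warning only, since the chapter treats the multihomed setup as a recommendation rather than a requirement.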
