How to install and configure Edge Transport on Microsoft Exchange 2019

Deploying the Edge Transport role is good security practice for your Exchange environment: with Edge in front, you can better isolate the Mailbox role from the internet. Edge also helps you manage spam and email security policies.

Before we begin

The way I’m doing it is to deploy the Edge role of the Exchange server in the DMZ, without joining that machine to the domain.

Here are some prerequisites for a successful deployment of the Edge role.

Network settings – separate the Edge role by putting it into a DMZ.

I already did part of the Exchange installation (Mailbox role) as part of my Server Basics series. You can check it out on my blog; this part is a continuation of that install.

Internal Domain Network:

So, my internal domain, on which I already installed Exchange with the Mailbox role, is named informatiker.local.

The router is on address 10.0.0.1 and has a fixed public IP address.

The DC (named SBDC) is on 10.0.0.31.

The Exchange Mailbox role (SBEx1) is on 10.0.0.36.

DMZ network:

The DMZ is where our Exchange Edge role will reside.

I configured the DMZ on the same router where our domain network resides.

The DMZ interface of the router has IP address 192.168.50.1.

The Edge role (named edge) is on 192.168.50.3.

A very important point: under the DNS server settings, the Edge role must point to the DNS server on the DC of your domain. In my case that IP is 10.0.0.31.

I also unchecked the IPv6 protocol in the network settings.

Naming and the domain suffix are also very important on the Edge server.

On the Edge machine go to Control Panel | System | under the “Computer name, domain and workgroup settings” section click on Change settings.

On the Computer Name tab click on Change.

Click on More.

Under Primary DNS suffix I will add my domain name (informaticar.net); you add your public domain name here.

You will be asked to reboot your server, so reboot.

Also be sure to open outbound port 25 on the firewall of the Edge machine!

Ports/router config

For this setup to make sense, none of the machines should have a network adapter in both networks, and the networks should not allow all traffic between themselves.

WAN interface:

Port 25 should be allowed from the internet to your Edge server.

DMZ interface:

Port 25 should be allowed to “all” – towards the internet.

I opened ports 25 and 2525 from the Edge server (192.168.50.3) to my Mailbox server (10.0.0.36) and vice versa.

I opened port 53 from the Edge server (192.168.50.3) to my DC (10.0.0.31) and vice versa (although it is not necessary).

I opened LDAP ports 50389 and 50636 from the Edge server (192.168.50.3) to my DC (10.0.0.31) and Mailbox server (10.0.0.36) and vice versa.

You can optionally open port 3389 so you can remote desktop to your Edge server, but I haven’t done that.
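The router rules above only protect the DMZ boundary; the Edge host should also enforce the same minimum on its own Windows Firewall. This is an added example, not from the original post, using the addresses from this post (the rule names and the choice to scope AD LDS to the Mailbox server and DC are assumptions):

```powershell
# Added example (not from the original post): host firewall rules on the Edge
# server that mirror the router rules, so the host itself only accepts the
# traffic the design needs. Run in an elevated PowerShell on the Edge server.
$MailboxServer    = '10.0.0.36'
$DomainController = '10.0.0.31'

# Inbound SMTP on 25 from anywhere: internet senders and the Mailbox server.
New-NetFirewallRule -DisplayName 'Edge SMTP in (25)' -Direction Inbound `
    -Protocol TCP -LocalPort 25 -Action Allow -Profile Any

# Inbound 2525 only from the Mailbox server (the post opens 25 and 2525 both ways).
New-NetFirewallRule -DisplayName 'Edge SMTP in (2525) from Mailbox' -Direction Inbound `
    -Protocol TCP -LocalPort 2525 -RemoteAddress $MailboxServer -Action Allow -Profile Any

# EdgeSync talks to AD LDS on the Edge server over 50389/50636.
# Scope it to the Mailbox server and DC; AD LDS must never be reachable from the internet.
New-NetFirewallRule -DisplayName 'Edge AD LDS in (50389,50636)' -Direction Inbound `
    -Protocol TCP -LocalPort 50389,50636 -RemoteAddress $MailboxServer,$DomainController `
    -Action Allow -Profile Any

# Outbound SMTP to anywhere (the post requires outbound 25 on the Edge host)
# and DNS only to the DC. The default outbound policy already allows this;
# the explicit rules document intent and keep working under a stricter default.
New-NetFirewallRule -DisplayName 'Edge SMTP out (25)' -Direction Outbound `
    -Protocol TCP -RemotePort 25 -Action Allow -Profile Any
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Edge DNS out to DC ($proto)" -Direction Outbound `
        -Protocol $proto -RemotePort 53 -RemoteAddress $DomainController -Action Allow -Profile Any
}

# Review the rules just created, and make sure nothing wider is enabled inbound.
Get-NetFirewallRule -DisplayName 'Edge *' |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

Port 3389 is deliberately absent, matching the post; if you do open it, scope it with -RemoteAddress to your management subnet rather than Any.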

Prerequisites

The following is needed before we install the Edge role:

.Net Framework 4.8

https://go.microsoft.com/fwlink/?linkid=2088631

Visual C++ 2012 (I installed both x86 and x64 versions)

https://www.microsoft.com/en-us/download/details.aspx?id=30679

I will not go through the .Net Framework or Visual C++ installs…

You can also install Active Directory Lightweight Directory Services on your own, or let the Exchange installer do it by selecting the option before installation starts.

Also, make sure your Edge server can communicate with the DNS server.

While we are on the DNS topic:

You will probably not be able to resolve the Edge server by name from the domain, and that can cause problems, so we need to address it in time.

On your DC, in DNS, you can create a new zone named like your domain (in my case informaticar.net) and add an A record for the server inside the DMZ on which the service resides (in this case edge on 192.168.50.3).

This is how it would look:

Try nslookup against the Edge server, and also try to ping it by name. Do the same vice versa: from the Edge server, try to ping and nslookup your DC and Mailbox server inside the domain network – that should work. This is the cornerstone for everything else to work properly!
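The zone and record above can be created from PowerShell on the DC, and the name/port checks scripted so they fail loudly instead of being eyeballed. This is an added example, not from the original post; it uses the post’s names and addresses, and the SBDC/SBEx1 FQDNs in informatiker.local are assumed:

```powershell
# Added example (not from the original post): create the DMZ name zone on the
# DC, then verify resolution and reachability from both sides. Adapt names.
$PublicZone  = 'informaticar.net'
$EdgeName    = 'edge'
$EdgeIP      = '192.168.50.3'
$DcIP        = '10.0.0.31'
$DcFqdn      = 'SBDC.informatiker.local'    # assumed FQDN of the DC
$MailboxFqdn = 'SBEx1.informatiker.local'   # assumed FQDN of the Mailbox server

# --- run on the DC (DnsServer module, installed with the DNS Server tools) ---
# AD-integrated zone, so every DC in the domain answers for it.
if (-not (Get-DnsServerZone -Name $PublicZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicZone -ReplicationScope Domain
}
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name $EdgeName -IPv4Address $EdgeIP

# --- run on the Mailbox server: does Edge resolve, and is EdgeSync (50636) reachable? ---
$edgeFqdn = "$EdgeName.$PublicZone"
$answer = Resolve-DnsName -Name $edgeFqdn -Type A -Server $DcIP -ErrorAction Stop
if ($answer.IPAddress -notcontains $EdgeIP) {
    throw "$edgeFqdn resolved to $($answer.IPAddress -join ', '), expected $EdgeIP"
}
Test-NetConnection -ComputerName $edgeFqdn -Port 50636 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# --- run on the Edge server: it must resolve the DC and Mailbox server via the DC ---
foreach ($name in $DcFqdn, $MailboxFqdn) {
    $r = Resolve-DnsName -Name $name -Type A -Server $DcIP -ErrorAction Stop
    '{0} -> {1}' -f $name, ($r.IPAddress -join ', ')
}
Test-NetConnection -ComputerName $MailboxFqdn -Port 25 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Because the internal zone now shadows your public DNS for that name, internal clients will only see records you put into it, so any public names they need (autodiscover, www, MX) must be added there too.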

Certificates – prepare certificates if you plan to use them (you should install the cert on the Mailbox role server, and prepare one for the Edge role so we can install it after the Edge role installation is done).

I already installed the Mailbox role in my domain inside the LAN (it is not configured, just installed).

Edge role installation

You will need the Exchange Server 2019 installation media (the latest is CU9 at the moment of writing this).

Right-click on setup.exe and select Run as Administrator.

I will let the installer check for updates… Next

Next

Next

I accept… Next

Use recommended settings… Next

I will select the Edge role and Automatically install Windows Server roles… Next

I will leave the default installation location… Next

Checking prerequisites

I often get the “Setup can’t contact the primary DNS server…” error, although if I run nslookup or ping I can resolve my servers by name from the Edge role server and vice versa. Looks like a glitch to me. Install

The installation process starts. I will not screenshot every screen of this process.

After some time and waiting… Confirm with Finish and reboot your machine.

Installation took half an hour in my case.

Before we proceed with the Edge role configuration, we will confirm that our Edge role is OK.

We don’t have a GUI on the Edge role, so we will do this through the Exchange Management Shell (as Admin):

Test-ServiceHealth

All is well.

Let’s verify the transport agents.

You may get an error here – “No valid agents.config was found in C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles”. If you get that error, go to that path and click on the TransportRoles directory; you will probably have to confirm access to the directory – confirm it and then go back to this command.

Get-TransportAgent | ft

If you wish to disable some of the agents, your command would be:

Disable-TransportAgent -Identity "Agent Name"

Let’s also check the Edge Transport component state (replace edge with your Edge server name):

Get-ServerComponentState -Identity edge

And last, let’s verify the default ReceiveConnector on the Edge server:

Get-ReceiveConnector | fl

OK, that is it, we can now proceed with the creation of the Edge subscription and connecting to the Mailbox server.

Certificates

The certificate part of the guide is not mandatory, but you can consider it.

Before we proceed with the configuration, if you plan to use certificates for TLS, now is the time to do it. You can also get by with the self-signed certificate that the Edge role creates during installation; no need for 3rd party certs.

Let me explain this situation a bit better.

After you install the Edge role, the installation procedure sets a self-signed certificate on the Edge role server. This certificate can be used for opportunistic TLS – it can be used for encryption purposes, but not for validation and authentication.

Opportunistic TLS should be good enough for SMTP communication on the internet between various servers.

If you wish to use TLS for Domain Security (for example, to create a dedicated secure connection to another organization), you will have to use third-party certificates issued by a trusted certificate authority.

If you still decide you want to use a third-party certificate and not the self-signed one, one certificate will not be enough. For example, if you have a wildcard certificate for your Mailbox role, you should get a different one for the Edge role – you cannot use the same certificate.

You should not use the same certificate for both the Edge and Mailbox server, because you will get an error like this.

If you use a wildcard cert on the Mailbox role (this is only an example), you should create a new certificate request and get, for example, an edge.yourdomain.com or smtp.yourdomain.com certificate for the Edge role (it doesn’t have to be a wildcard certificate, and the name is also just an example).

This also means that you will have to recreate the Edge subscription after you get the new certificate.

This should definitely be done before we proceed with the configuration; if you do it afterwards, you will need to recreate the Edge subscription.

How to set a new certificate on the Edge role?

You need two different certs for the Edge and Mailbox roles; you cannot use the same one.

I usually use a wildcard certificate on the Mailbox role (because of autodiscover, OWA…) and I additionally buy one single-domain certificate named the same as the Edge server. In this case it would be edge.informaticar.net.

Think about this scenario, and proceed if you wish to use a certificate for the Edge role (the installation will create a self-signed certificate for the Edge role).

I already imported my certificate to the Mailbox role server prior to this.

On the Edge role open mmc – File – Add/Remove Snap-In – select Certificates – Computer account – Local Computer.

I bought a separate domain certificate and imported it (disregard the depicted wildcard certificate).

We will now set our imported certificate as the main certificate on the Edge role.

Run the Exchange Management Shell as Admin on the Edge role server:

Get-ExchangeCertificate | Select Subject, Services, Thumbprint

OK, now I will assign the certificate with thumbprint 1614… as the certificate for SMTP services on the Edge server. Replace 1614… with your external cert thumbprint.

Enable-ExchangeCertificate -Thumbprint "1614C09B4A5368..." -Services SMTP

OK, we are done with that; now I have the external certificate assigned to my Edge role.

To my Edge role server I assigned the certificate named edge.informaticar.net, and to my Mailbox role server I assigned the *.informaticar.net cert (wildcard certificate).

Configuration

To create the Edge subscription we need to run the following on the Edge server (make sure you created a temp dir in c:\, or select some other directory and file name; it is up to you) – run PowerShell as admin:

New-EdgeSubscription -Filename "c:\temp\edge.xml"

Before you proceed with this step, make sure that your DNS works fine and that you can resolve the Edge server by name, and also your domain controller and Mailbox server by name.

Copy this edge.xml file from the Edge server to your Mailbox server inside the domain.

I also copied the edge.xml file to the temp folder on the Mailbox role server inside the domain.

OK, let’s check the send connectors on my Mailbox part of the Exchange server.

Nothing there yet…

We will now run the following command on our Mailbox role server. Replace “Default-First-Site-Name” with your site name in case you are not using the default one.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\temp\edge.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"

You will also get a warning to enable port 50636, so in case you haven’t yet done that, do it now.

Let’s test Edge synchronization:

Test-EdgeSynchronization

Inconclusive…

Let’s run another one:

Start-EdgeSynchronization

Could not connect… We need to give these connectors some time. If you have done everything correctly so far, it should work in a few minutes.

The Send Connectors appeared now.

Let’s try EdgeSynchronization once again.

This time, all is fine. So, in my case I waited a few minutes and communication and syncing was established.

That is it, we are done with Edge synchronization for the Exchange server!
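The subscribe-then-retry sequence above can be run as one script on the Mailbox server, with the pre-checks the post says it depends on and a bounded wait instead of re-running Test-EdgeSynchronization by hand. This is an added example, not from the original post; the file path, site name, Edge FQDN and the 10-minute timeout are assumptions taken from this walkthrough:

```powershell
# Added example (not from the original post): the Edge subscription step from
# this post with its prerequisites checked and the sync polled until Normal.
# Run in the Exchange Management Shell on the Mailbox server.
$EdgeXml        = 'C:\temp\edge.xml'            # file exported on the Edge server
$SiteName       = 'Default-First-Site-Name'     # your AD site
$EdgeFqdn       = 'edge.informaticar.net'       # assumed Edge FQDN
$EdgeShortName  = 'edge'
$TimeoutMinutes = 10

# Pre-checks: the exported file is present and EdgeSync can reach AD LDS on Edge.
if (-not (Test-Path $EdgeXml)) { throw "Edge subscription file not found: $EdgeXml" }
$tnc = Test-NetConnection -ComputerName $EdgeFqdn -Port 50636
if (-not $tnc.TcpTestSucceeded) {
    throw "Port 50636 on $EdgeFqdn is not reachable; fix DNS and firewall first"
}

# Import the subscription (same command as in the post).
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path $EdgeXml -Encoding Byte -ReadCount 0)) `
    -Site $SiteName

# Trigger a sync and poll until SyncStatus is Normal or the deadline passes.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-EdgeSynchronization -ErrorAction SilentlyContinue | Out-Null
    Start-Sleep -Seconds 30
    $status = Test-EdgeSynchronization | Where-Object { $_.Name -like "$EdgeShortName*" } |
        Select-Object -First 1
    '{0}  {1}  {2}' -f (Get-Date -Format 'HH:mm:ss'), $status.Name, $status.SyncStatus
} until ($status.SyncStatus -eq 'Normal' -or (Get-Date) -gt $deadline)

if ($status.SyncStatus -ne 'Normal') {
    throw "EdgeSync did not reach Normal within $TimeoutMinutes minutes: $($status.FailureDetail)"
}

# A successful subscription creates the inbound and outbound Send Connectors.
Get-SendConnector | Format-Table Name, AddressSpaces, SourceTransportServers -AutoSize
```

If the loop times out, FailureDetail usually names the missing piece (name resolution, port 50636, or a certificate mismatch after a certificate change, which requires recreating the subscription as described above).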

Disclaimer