
Installing, Configuring Exchange 2007 Edge Server (Part 1)

Alexander Zammit


Software Development Consultant. Involved in the development of various Enterprise software solutions. Today focused on Blockchain and DLT technologies.


The DMZ is a network segment where security considerations dominate the choice of what gets installed. Exchange 2007 is considered by many to be the first DMZ friendly release. Today we start installing an Exchange 2007 Edge server and look at what makes Edge a good DMZ citizen.

Despite the success in conquering internal corporate networks, earlier Exchange versions failed to replicate the same success at the DMZ. One reason for this was the Exchange server installation requirements that included IIS and Active Directory. These are often considered too cumbersome for hosts running internet facing services.

Splitting functionality into distinct roles allowed Exchange 2007 to provide the first DMZ friendly solution. The Edge server role was thus born: an SMTP transport where email hygiene applications filter emails before allowing entry to, and exit from, the internal network.

Today we walk through the installation of an Exchange Edge server. We also configure this to connect to the Exchange servers running internally.

Network Layout

We start our walk with a look at the network layout. A typical DMZ is shown below. Internet originating email is received by the Edge server. If accepted this is relayed to the internal Exchange Hub transport. In case of outgoing email, the Hub transport uses the Edge server as a smart host.

DMZ

The separation between DMZ and internal network limits the type of traffic allowed between the two segments. In this setup, the Edge server machine cannot be a member of the internal domain. Furthermore, the Edge is expected to provide only essential services so as to limit exposure to potential attacks. These limitations are catered for by the Edge server installation requirements. In fact we will be installing Edge on a standalone Windows 2003 Server. Of course it is also possible to install this on Windows 2008. I will be highlighting some differences between the two platforms as we go along.

For the purposes of this article, the internal network is already up and running. The internal domain name is exchinbox.local. An Exchange Hub transport server is also in place accepting emails for the domain adminstop.com.

Edge Installation Requirements

We start the Edge installation from a standalone Windows 2003 SP2 server. To satisfy the basic Exchange 2007 requirements we install the .NET Framework 2.0, MMC and PowerShell. With these bits out of the way, we look at some requirements specific to the Edge role.

First we have to configure the DNS Suffix for the Edge machine:

  1. Open the properties for 'My Computer'

    My Computer Properties

  2. Select the Computer Name page and click Change

    Computer Name Property Page

  3. Click More

    Computer Name Properties

  4. Enter the DNS name of the internal domain. In our case exchinbox.local

    DNS Suffix

  5. Finally we restart the machine

Next we have to make up for the lack of Active Directory services. Keeping the Edge server out of the internal Active Directory is desirable from an isolation perspective. However AD also serves as the Exchange 2007 configuration repository. Thus a replacement that allows Edge to store its configuration is obviously required.

Thus on Windows 2003 we install the Active Directory Application Mode (ADAM) service. Just like Active Directory this is an LDAP directory service. However it will only be used to store information relevant to Exchange.

We download ADAM SP1 from the Microsoft download center. The Service Pack includes all the bits and can be installed directly on a machine where ADAM was never installed.

There is nothing worthy of note regarding the installation of ADAM. It is just a matter of clicking Next, 'I Agree' and Finish.

Note: ADAM is included with Windows 2003 R2. In this case use the Optional Component Manager to complete this installation.

Note: If we were installing Edge on Windows 2008 instead of ADAM we would install Active Directory Lightweight Directory Services (AD LDS).

Installing the Edge Server Role

We have now satisfied the installation requirements. Using the Microsoft Update Service we make sure we also have all the latest updates. Finally we are ready to install the Edge Server role.

The usual Exchange 2007 installation Wizard greets us. Here we choose the Custom Exchange Server Installation option since Edge is not part of the typical installation.

Custom Exchange 2007 Installation

At the Role selection step we select the Edge Server Role.

Edge Server Role

Note how on selecting the Edge role all other roles are grayed out. Edge has to be installed on its own. All other roles are intended to run within the internal network. We should now be able to complete the installation as usual.

Looking at ADAM

As already discussed, in this setup ADAM is acting as the configuration repository for the Edge server. ADAM is really a sibling of Active Directory. Thus tools that we usually use against Active Directory are also available for ADAM. Let's use ADSI Edit to take a look at what ADAM is storing.

  1. Start MMC: Run | mmc.exe

    MMC

  2. Open, File | Add/Remove Snap-in | Add | ADAM ADSI Edit

    ADSI Edit

  3. Add the Snap-In and click OK to close the Add/Remove Snap-in dialog

  4. Now right-click the ADAM ADSI Edit node and select 'Connect To...'

    Connect to ADAM

  5. At the Connection Settings dialog change the port to 50389. This is the port ADAM listens on by default.

    ADAM Port 50389

  6. Hit OK to connect and we are ready to browse the directory. Here is the all too familiar Exchange Administrative Group object...

    Administrative Routing Group
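The checks below are an added example, not code from the article or from Microsoft, and they verify what the two procedures above set up: that the host is still a standalone (non-domain) machine, that the primary DNS suffix is the internal domain name, that the ADAM/AD LDS instance answers on port 50389, and that no IIS is listening on the Edge host. It assumes it is run elevated on the Edge machine with PowerShell 2.0 or later; the suffix exchinbox.local and port 50389 are the article's values and are exposed as parameters.

```powershell
# Added example (not from the article): post-install sanity checks for an Edge host.
# Assumptions: run elevated on the Edge machine itself, PowerShell 2.0 or later.
# Get-WmiObject is used because it exists on the Windows 2003/2008 era hosts the
# article targets; on current systems Get-CimInstance is the equivalent.
param(
    [string]$ExpectedSuffix = 'exchinbox.local',   # internal domain name from the article
    [int]$AdamPort = 50389                         # port ADSI Edit connected to above
)

function New-CheckResult($Check, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }
}

function Test-EdgeHostIsolation {
    # The Edge must stay a workgroup machine; it must not join the internal domain.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    New-CheckResult 'Host is not domain joined' (-not $cs.PartOfDomain) "Domain/Workgroup=$($cs.Domain)"
}

function Test-EdgeDnsSuffix {
    # The suffix entered under My Computer > Computer Name > More lands in this TCP/IP key.
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix = $tcp.'NV Domain'
    New-CheckResult "Primary DNS suffix is $ExpectedSuffix" ($suffix -eq $ExpectedSuffix) "NV Domain=$suffix"
}

function Test-EdgeDirectory {
    # Read the RootDSE of the ADAM/AD LDS instance on the same port ADSI Edit used.
    try {
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$AdamPort/RootDSE")
        $ncs  = @($root.Properties['namingContexts'])
        New-CheckResult "ADAM/AD LDS answers on port $AdamPort" ($ncs.Count -gt 0) ($ncs -join '; ')
    } catch {
        New-CheckResult "ADAM/AD LDS answers on port $AdamPort" $false $_.Exception.Message
    }
}

function Test-NoIis {
    # An Edge host should expose only SMTP; an installed W3SVC is unneeded surface in the DMZ.
    $w3 = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    $detail = if ($w3) { "W3SVC status=$($w3.Status)" } else { 'W3SVC not installed' }
    New-CheckResult 'IIS (W3SVC) not present' (-not $w3) $detail
}

@(Test-EdgeHostIsolation; Test-EdgeDnsSuffix; Test-EdgeDirectory; Test-NoIis) |
    Select-Object Check, Pass, Detail | Format-Table -AutoSize
```

A failed directory check usually means the Edge setup has not yet created its ADAM instance or the instance service is stopped, so run it after the role installation rather than before.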

Final Tips

Today we started the deployment of an Exchange 2007 Edge server. We looked briefly at the general characteristics of the DMZ, the network segment that will home our installation.

Next we looked at the installation requirements. These contribute greatly to making the Exchange 2007 Edge server role DMZ friendly. The requirements include ADAM. This fills the void left by the lack of the Active Directory service, providing storage for the Edge server configuration. Once all requirements were satisfied, installing Edge was just a matter of selecting the custom installation type and the Edge server role.

In the next part of this article we will proceed with the configuration and connection of the Edge server to the Exchange servers running internally.


User Comments - Page 1 of 1

Arun Chaudhary 4 Oct 2011 21:35
Hey man, I installed all the Exchange on AD LDS in Win Server 2008, but after installing the Edge Transport server I'm not able to find the Exchange Management Shell,
what can I do, please share with me on arunkalagarh@gmail.com

Thanks
Arun Chaudhary
MCITP
newcreationxavier 5 Jan 2010 05:44
Good attempt at demonstrating the procedure. Keep it up!
Sanuj Calicut 19 Dec 2009 09:01
If you are installing Exchange Server 2007 in Windows Server 2008 R2, make sure that you are using Exchange Server 2007 SP1. And if at installation time the mailbox role fails, run the setup with compatibility mode and choose Windows Vista SP2, it will work.
Alexander Zammit 25 May 2009 13:04
The main difference in W2008 is the fact that you need to install AD LDS instead of ADAM. You do that by running the command:

ServerManagerCmd -i ADLDS


Other relevant references:
Installing Exchange 2007 SP1 on Windows 2008 RTM
http://www.exchangeinbox.com/article.aspx?i=111

Installing, Configuring Exchange 2007 Edge Server (Part 2)
http://www.exchangeinbox.com/article.aspx?i=134

How to Install Exchange 2007 SP1 Prerequisites on Windows Server 2008 or Windows Vista
http://technet.microsoft.com/en-us/library/bb691354.aspx




harry 25 May 2009 12:14
Could you please explain with Server 2008 instead of ADAM. Also, if you can, provide an IP address scheme.
Copyright © 2005 - 2024 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation