Develop skills to prepare for installing, configuring and performing ongoing maintenance of a Microsoft Exchange Server 2013 infrastructure.
Help prepare for certification exam 70-341.
Learn best practices.
2. Overview
Edge Transport Server Role
Edge Transport Server Installation and Synchronization
Transport Agent Configuration
3. Edge Transport Server Overview
Used to minimize the attack surface by handling all Internet-facing mail flow, providing
additional layers of message protection and security.
Installed in the network perimeter, and not joined to the internal organization’s AD forest.
Mail flow configuration and recipient data are synchronized from the MB server to the Edge Transport server
using EdgeSync.
Install multiple ET servers for high availability.
External MX records point to the ET servers.
4. ET Scenarios
Internet mail flow
◦ Accepts mail from the Internet protecting the internal MB and CAS servers.
◦ Mail flows from the Internet → ET → MB → CAS when the roles are separately installed.
◦ Mail flows from the Internet → ET → FrontEnd Transport (FET) on CAS → Transport service on MB
when CAS/MB are installed on the same server.
Anti-spam and antivirus protection
◦ Blocks viruses and unsolicited email.
Edge Transport rules
◦ Used to control the flow of messages by applying an action to messages meeting specified conditions.
Address rewriting
◦ Presents a consistent email address appearance to external recipients.
6. Edge Transport Setup
Support for Exchange 2013 Edge Transport started with SP1
Requirements
◦ x64 CPU, 4 GB RAM
◦ Preferred DNS set to the internal DNS server
◦ Standalone server
◦ DNS name suffix for the internal domain
◦ MB and ET servers must be able to locate each other using DNS name resolution
◦ AD LDS (Active Directory Lightweight Directory Services)
7. Edge Transport Setup
Once the Edge Transport server is installed, you must create an Edge Subscription file. This file is valid for 24
hours.
Copy the Edge Subscription file to one of the Mailbox servers in your site and run the following
cmdlet to begin Edge synchronization.
8. Edge Transport Setup
Start the Edge Synchronization process using the Start-EdgeSynchronization cmdlet on the MB server.
Your Edge server is completely functional once Edge Synchronization has completed.
Future changes to Send/Receive connectors are still made on the MB server and then synchronized to the Edge server.
Future synchronizations occur on a schedule:
◦ Configuration data: 3 minutes
◦ Recipient data: 5 minutes
◦ Topology data: 5 minutes
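The subscription and first synchronization described on slides 7 and 8, as an added Exchange Management Shell example (not a command from the slides). The file path, the AD site name "Default-First-Site-Name" and the server roles noted in the comments are assumptions for this example:

```powershell
# Added example: subscribe an Edge Transport server to an AD site and run the first EdgeSync.
# The path and the site name are placeholders; substitute your own.

# --- Run on the Edge Transport server (EMS) ---
# Creates the Edge Subscription file. It carries the credentials the Mailbox servers
# use to authenticate to AD LDS on the Edge, which is why it expires after 24 hours;
# remove any copies left on removable media or file shares once it has been imported.
New-EdgeSubscription -FileName "C:\Temp\EdgeSubscriptionInfo.xml"

# --- Run on a Mailbox server in the target AD site (EMS) ---
# Import the file as raw bytes and bind the subscription to the site. The two switches
# default to $true and create the Internet Send connector and the inbound Send
# connector from the Edge to the site's Mailbox servers.
New-EdgeSubscription `
  -FileData ([byte[]]$(Get-Content -Path "C:\Temp\EdgeSubscriptionInfo.xml" -Encoding Byte -ReadCount 0)) `
  -Site "Default-First-Site-Name" `
  -CreateInternetSendConnector $true `
  -CreateInboundSendConnector $true

# Do not wait for the 3/5/5-minute schedule: push the first synchronization now.
Start-EdgeSynchronization

# Verify from the Mailbox server. SyncStatus should read Normal; -FullCompareMode
# compares every recipient and configuration object rather than a sample.
Test-EdgeSynchronization -FullCompareMode | Format-List
```

If Test-EdgeSynchronization reports anything other than Normal, check DNS resolution in both directions (the MB and ET servers must resolve each other by name) and that TCP 50636 from the Mailbox servers to the Edge is open through the perimeter firewall; EdgeSync uses secure LDAP on that port.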
9. Transport Agents
Inbound SMTP messages are processed for message hygiene by the ET server in a specific order using transport agents.
All management is performed using EMS.
10. Connection Filtering Agents
Connection filtering is an anti-spam feature available when using an Exchange 2013 Edge
Transport server.
◦ IP Block List
◦ IP Block List Providers
◦ IP Allow List
◦ IP Allow List Providers
Check to ensure the block list transport agent is configured.
11. Connection Filtering - IP Allow List
The IP Allow list contains the IP addresses of email servers that you want to designate as
trustworthy sources of email.
◦ You manually maintain the IP addresses in the IP Allow list.
◦ You can add individual IP addresses or IP address ranges.
◦ You can specify an expiration time that specifies how long the IP address entry will be allowed. When
the expiration time is reached, the entry in the IP Allow list is disabled.
◦ Email from mail servers that you specify in the IP Allow list is exempt from processing by other Exchange
anti-spam agents.
12. Connection Filtering - IP Allow List
After a specific IP Allow list entry is added, the Edge server rates messages from that IP with a spam
confidence level (SCL) of -1. Note that the command was entered on the Edge server; this is a
requirement for the cmdlet to work.
Message details before and after the IP allow list entry.
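The agent check from slide 9/10 and the IP Allow and Block list entries from slides 11 and 12, as an added Exchange Management Shell example run on the Edge Transport server (these are not the commands captured on the slide). The addresses are RFC 5737 documentation ranges constructed for the example, and the comments and expiry are placeholders:

```powershell
# Added example: connection filtering on the Edge Transport server.
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real mail servers.

# Slide 9 says agents run in a fixed order: list them by priority and confirm the
# Connection Filtering agent (the "block list" agent on slide 10) is enabled.
Get-TransportAgent | Sort-Object Priority | Format-Table Priority, Identity, Enabled
Get-TransportAgent -Identity "Connection Filtering Agent" | Format-List Identity, Enabled

# Both list features must be switched on independently of the agent.
Set-IPAllowListConfig -Enabled $true
Set-IPBlockListConfig -Enabled $true

# Allow a partner relay for 30 days. Its mail is stamped SCL -1 and bypasses the
# remaining anti-spam agents, so keep the scope to a single host and always set an
# expiry; when it is reached the entry stays listed but is no longer applied.
Add-IPAllowListEntry -IPAddress 192.0.2.25 `
  -ExpirationTime (Get-Date).AddDays(30) `
  -Comment "Partner relay (constructed example); review before expiry"

# Block an entire range with no expiry.
Add-IPBlockListEntry -IPRange 198.51.100.0/24 -Comment "Repeated spam source (constructed example)"

# Review both lists. HasExpired shows allow entries that have been disabled by their expiry.
Get-IPAllowListEntry | Format-Table Identity, IPRange, ExpirationTime, HasExpired, Comment
Get-IPBlockListEntry | Format-Table Identity, IPRange, ExpirationTime, HasExpired, Comment
```

Because an allow-listed source skips every later agent, a compromised partner server becomes a direct path into the organization; the expiry and the one-host scope in the example are the controls that limit that exposure.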
14. Sender Filtering
You can select a specific sender or block entire domains including their subdomains.
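Sender filtering as an added Exchange Management Shell example (not from the slides), run on the Edge Transport server. The sender addresses and domains are constructed placeholders:

```powershell
# Added example: sender filtering on the Edge Transport server.
# example.net / example.org / example.com below are reserved example domains.

# Block one sender address, one domain (exact match) and one domain together with
# all of its subdomains. -Action Reject refuses the message during the SMTP
# session; StampStatus would instead only mark it for the downstream agents.
Set-SenderFilterConfig -Enabled $true `
  -BlockedSenders spammer@example.net `
  -BlockedDomains example.org `
  -BlockedDomainsAndSubdomains marketing.example.com `
  -BlankSenderBlockingEnabled $true `
  -Action Reject

# Multivalued parameters overwrite the whole list unless you use Add/Remove syntax.
Set-SenderFilterConfig -BlockedDomainsAndSubdomains @{Add="bulk.example.com"}
Set-SenderFilterConfig -BlockedSenders @{Remove="spammer@example.net"}

Get-SenderFilterConfig | Format-List Enabled, Action, BlankSenderBlockingEnabled, Blocked*
```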
15. Recipient Filtering
Configures Exchange to only accept messages for existing recipients in your organization.
Enabled using the “AddressBookEnabled” property on an Accepted Domain. By default, this is
enabled on all authoritative accepted domains and disabled for internal and external relay
domains.
Check the AddressBookEnabled property using:
Although the Recipient Filter agent is also available on Mailbox servers, you shouldn't configure it. When recipient
filtering on a Mailbox server detects one invalid or blocked recipient in a message that contains other valid recipients,
the message is rejected.
https://technet.microsoft.com/en-us/library/jj218660(v=exchg.150).aspx
16. Recipient Filtering
Block specific recipients within your organization from receiving email using:
The cmdlet displayed above also requires BlockListEnabled to be set to true.
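The AddressBookEnabled check from slide 15 and the recipient block list from slide 16, as one added Exchange Management Shell example (the cmdlets shown on the slides themselves are not reproduced here). The contoso.com addresses are constructed placeholders, and the relay domain name in the comment is hypothetical:

```powershell
# Added example: recipient filtering. Everything below except the Set-AcceptedDomain
# line runs on the Edge Transport server.

# Slide 15: see which accepted domains contribute recipients to the data EdgeSync
# copies to the Edge. Authoritative domains are AddressBookEnabled by default;
# internal and external relay domains are not.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType, AddressBookEnabled

# Run on a Mailbox server only: opt a relay domain in when its recipients exist in AD.
# "Fabrikam Relay" is a hypothetical accepted-domain name.
# Set-AcceptedDomain -Identity "Fabrikam Relay" -AddressBookEnabled $true

# Slide 16: reject mail to recipients that are not in the synchronized directory
# (RecipientValidationEnabled) and block a few specific internal addresses.
# BlockListEnabled must be $true or BlockedRecipients has no effect.
Set-RecipientFilterConfig -Enabled $true `
  -RecipientValidationEnabled $true `
  -BlockListEnabled $true `
  -BlockedRecipients donotreply@contoso.com, retired-alias@contoso.com

# Extend the list without replacing it.
Set-RecipientFilterConfig -BlockedRecipients @{Add="oldalias@contoso.com"}

Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled, BlockListEnabled, BlockedRecipients
```

Rejecting unknown recipients at the perimeter also removes the NDR traffic that would otherwise be generated for them inside the organization, which is the reason the speaker note above recommends doing this on the Edge rather than on a Mailbox server.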
17. Sender ID Filtering
DNS-based filtering where the Exchange server checks for Sender Policy Framework (SPF) DNS
records for the sending organization. Spoofing is assumed if no SPF record is found.
Set-SenderIDConfig -SpoofedDomainAction Reject -BypassedDomains Microsoft.com
18. Content Filtering
Filter and delete incoming messages based on keywords.
Works with the Spam Confidence Level (SCL) to identify the likelihood of spam. The SCL is from
0-9 where 9 is most likely spam.
19. Sender Reputation
Uses a non-configurable protocol analysis agent to analyze statistics from SMTP senders. The SRL is
maintained in memory and is reset when the Edge Transport server’s transport service is
restarted.
Sender Reputation Level (SRL) is calculated based on:
◦ EHLO/HELO analysis
◦ Reverse DNS lookup
◦ SCL ratings of a particular sender
◦ Open proxy test on the sending SMTP server
The SRL is a rating from 0-9 where 9 is most likely to be spam. A sender's reputation begins at 0, and the
SRL is evaluated after 20 messages have been received from that sender. The SRL block threshold is set to 7 by default.
https://technet.microsoft.com/en-us/library/bb124512%28v=exchg.150%29.aspx
Note: Apress Pro Exchange 2013 SP1 PowerShell Administration (p. 294) has the SRL ratings reversed.
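The sender reputation settings from slide 19 as an added Exchange Management Shell example run on the Edge Transport server (not a command from the slides). The values match the defaults the slide states; the blocking period of 24 hours is an assumption for this example:

```powershell
# Added example: sender reputation on the Edge Transport server.

# The Protocol Analysis agent computes the SRL; confirm it is enabled.
Get-TransportAgent -Identity "Protocol Analysis Agent" | Format-List Identity, Enabled

# Senders whose SRL reaches SrlBlockThreshold (0-9, 9 = most likely spam) are added to the
# IP Block list for SenderBlockingPeriod hours. 7 is the default threshold named on the
# slide; the open proxy test is one of the four SRL inputs and can be toggled here.
Set-SenderReputationConfig -Enabled $true `
  -SenderBlockingEnabled $true `
  -SrlBlockThreshold 7 `
  -SenderBlockingPeriod 24 `
  -OpenProxyDetectionEnabled $true `
  -ExternalMailEnabled $true `
  -InternalMailEnabled $false

Get-SenderReputationConfig | Format-List Enabled, SenderBlockingEnabled, SrlBlockThreshold, `
  SenderBlockingPeriod, OpenProxyDetectionEnabled, ProxyServer*

# Blocks created by sender reputation are machine generated and expire after the
# blocking period, so they can be told apart from entries added by an administrator.
Get-IPBlockListEntry | Where-Object { $_.IsMachineGenerated } |
  Format-Table IPRange, ExpirationTime, Comment
```

Because the SRL lives in memory (slide 19), a transport service restart wipes the accumulated statistics and every sender starts again at 0; the IP Block list entries already written by the agent survive the restart until their ExpirationTime.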
20. Spam Confidence Levels (SCL)
The SCL is stamped in an X-header on each message. The rating, from -1 to 9, is interpreted by the
filters and the default action is taken on inbound messages. Note that an SCL of -1 doesn’t guarantee
delivery, because a deny from another transport agent can still be applied.
SCL rating | Spam confidence interpretation | Default action
-1 | Non-spam coming from a safe sender, safe recipient, or safe-listed IP address (trusted partner) | Deliver the message to the recipient’s Inbox.
0, 1 | Non-spam because the message was scanned and determined to be clean | Deliver the message to the recipient’s Inbox.
5, 6 | Spam | Deliver the message to the recipient’s Junk Email folder.
9 | High confidence spam | Deliver the message to the recipient’s Junk Email folder.
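The content filter from slide 18 and the SCL actions from slide 20, as one added Exchange Management Shell example run on the Edge Transport server (not a command from the slides). The thresholds, phrases and contoso.com addresses are constructed for the example:

```powershell
# Added example: content filtering thresholds mapped onto the SCL scale.

# Confirm the agent that stamps the SCL is enabled.
Get-TransportAgent -Identity "Content Filter Agent" | Format-List Identity, Enabled, Priority

# The thresholds must be ordered Delete >= Reject >= Quarantine. With the values below:
#   SCL 9    -> deleted silently (the sender receives no NDR)
#   SCL 7-8  -> rejected during the SMTP session with RejectionResponse
#   SCL 5-6  -> accepted; the Mailbox server moves them to the Junk Email folder,
#               as the table above describes
#   SCL -1   -> set by the IP Allow list; the content filter does not run on it
Set-ContentFilterConfig -Enabled $true `
  -SCLDeleteEnabled $true  -SCLDeleteThreshold 9 `
  -SCLRejectEnabled $true  -SCLRejectThreshold 7 `
  -SCLQuarantineEnabled $false `
  -RejectionResponse "Message rejected due to content restrictions" `
  -ExternalMailEnabled $true `
  -InternalMailEnabled $false

# Keyword influence: BadWord pushes the SCL up, GoodWord pulls it toward 0.
Add-ContentFilterPhrase -Phrase "free money" -Influence BadWord
Add-ContentFilterPhrase -Phrase "quarterly invoice attached" -Influence GoodWord

# Role mailboxes that must receive everything, including reports of abuse.
Set-ContentFilterConfig -BypassedRecipients postmaster@contoso.com, abuse@contoso.com

Get-ContentFilterConfig | Format-List Enabled, SCL*, RejectionResponse, BypassedRecipients
Get-ContentFilterPhrase | Format-Table Phrase, Influence
```

Leaving quarantine disabled, as above, means nothing is held for review; if a quarantine mailbox is wanted, enable SCLQuarantineEnabled with a threshold below SCLRejectThreshold and set QuarantineMailbox so that rejected-but-legitimate mail can be recovered.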
21. Import/Export Edge Configuration
Configuration of Edge Transport servers is local and not shared among ET servers.
Multiple ET servers can be configured using cloned configuration during the installation of the ET
server role. The exported configuration can also serve as a backup configuration during recovery.
Subsequent changes will need to be made independently.
Generate the clone data xml file on the source Edge Transport server:
.\ExportEdgeConfig.ps1 -CloneConfigData:"C:\Temp\EdgeClonedConfig.xml"
Copy the xml file to the new Edge Transport server and import the clone data prior to
configuring the Edge subscription using:
.\ImportEdgeConfig.ps1 -CloneConfigData:"C:\Temp\EdgeClonedConfig.xml" -IsImport $true -CloneConfigAnswer:"C:\Temp\CloneAnswerFile.xml"
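The full clone procedure as an added Exchange Management Shell example (not the commands on the slide), including the validation pass that produces the answer file before the real import. The paths are placeholders and the default Exchange installation path is assumed:

```powershell
# Added example: clone an Edge Transport configuration onto a second Edge server.
# Paths are placeholders. Run before creating the Edge Subscription on the new server.

# The clone scripts ship in the Scripts folder of the Exchange installation.
Set-Location "$env:ExchangeInstallPath\Scripts"

# 1. Source Edge server: export. The file contains transport agent settings,
#    connectors, accepted domains, anti-spam lists and message classifications.
.\ExportEdgeConfig.ps1 -CloneConfigData:"C:\Temp\EdgeClonedConfig.xml"

# 2. Target Edge server, validation pass (-IsImport $false). Nothing is changed;
#    the script writes an answer file listing server-specific values such as
#    the IP addresses bound by Receive connectors and Send connector source IPs.
.\ImportEdgeConfig.ps1 -CloneConfigData:"C:\Temp\EdgeClonedConfig.xml" `
  -IsImport $false `
  -CloneConfigAnswer:"C:\Temp\CloneAnswerFile.xml"

# 3. Edit the answer file so those values match the new server, then import.
notepad "C:\Temp\CloneAnswerFile.xml"
.\ImportEdgeConfig.ps1 -CloneConfigData:"C:\Temp\EdgeClonedConfig.xml" `
  -IsImport $true `
  -CloneConfigAnswer:"C:\Temp\CloneAnswerFile.xml"

# 4. Verify the result before subscribing the server to the site.
Get-TransportAgent | Format-Table Priority, Identity, Enabled
Get-ReceiveConnector | Format-Table Name, Bindings, RemoteIPRanges
Get-IPAllowListEntry | Format-Table IPRange, ExpirationTime, Comment
```

The exported xml describes the perimeter server's complete mail hygiene posture, so store it with the same care as the Edge Subscription file and delete working copies once the import has been verified.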
22. Load Balancing
Traffic between Edge Transport servers and the internal Exchange 2013 mailbox servers (in the
same site as the ET server) is automatically load balanced using a round-robin mechanism and
vice versa.
Inbound traffic from the Internet to the Edge Transport servers is load balanced using multiple
MX records with weighting or a single MX record pointing to a load balancer.
23. Anti-Malware
The Edge Transport server doesn’t provide any anti-malware or anti-virus scanning; instead this is offered
through message hygiene services in the cloud, Microsoft Exchange Online Protection.
The Mailbox Server role however comes with a default anti-malware engine that can perform
content scanning for viruses, scanning all inbound and outbound messages in transit.
Malware definition files are downloaded once per hour or can be downloaded manually.
Mailbox server antivirus is enabled by default.
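The Mailbox server anti-malware engine described above, as an added Exchange Management Shell example (not from the slides). "MBX01" and the secops@contoso.com address are placeholders:

```powershell
# Added example: manage the built-in anti-malware engine on a Mailbox server.
# MBX01 is a placeholder server name.

# Per-server state. UpdateFrequency is in minutes; 60 is the hourly download the
# slide describes. BypassFiltering $true would mean this server scans nothing.
Get-MalwareFilteringServer -Identity MBX01 |
  Format-List Name, BypassFiltering, UpdateFrequency, UpdateTimeout, PrimaryUpdatePath, SecondaryUpdatePath

# Manual definition download instead of waiting for the next interval.
& "$env:ExchangeInstallPath\Scripts\Update-MalwareFilteringServer.ps1" -Identity MBX01

# The policy decides what happens to a message that contains malware and who hears
# about it. Deleting the whole message avoids delivering a stripped body that the
# recipient might still act on, and the admin notification gives the SOC a record.
Get-MalwareFilterPolicy -Identity Default |
  Format-List Action, EnableInternalSenderAdminNotifications, InternalSenderAdminAddress

Set-MalwareFilterPolicy -Identity Default `
  -Action DeleteMessage `
  -EnableInternalSenderAdminNotifications $true `
  -InternalSenderAdminAddress secops@contoso.com

# Check that no server has been left with scanning bypassed (a common leftover
# from troubleshooting a transport problem).
Get-MalwareFilteringServer | Where-Object { $_.BypassFiltering } | Format-Table Name, BypassFiltering
```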
24. Address Rewriting
Addresses can be rewritten at the Edge Transport server so that they appear to be coming from
a different domain. This is useful when you have a primary Active Directory domain and multiple
subdomains.
◦ For instance, recipients sending emails from the subdomain sales.contoso.com can have their address
rewritten removing the sales domain. This provides a consistent email address for all employees.
Configuration is only completed using EMS on the ET server.
You must configure both the Address Rewriting Outbound agent and the Address Rewriting Inbound
agent on the ET server when you have more than a single recipient or domain.
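Address rewriting for the sales.contoso.com scenario above, as an added Exchange Management Shell example run on the Edge Transport server (not a command from the slides). It goes beyond the single subdomain on the slide by showing the wildcard form for all subdomains and a bidirectional entry for a distinct external domain; the entry names, the legal.contoso.com exception and the fabrikam.com domain are constructed placeholders:

```powershell
# Added example: address rewriting on the Edge Transport server.

# Both agents must be enabled; inbound rewriting maps replies back to the internal address.
Get-TransportAgent | Where-Object { $_.Identity -like "Address Rewriting*" } | Format-Table Identity, Enabled
Enable-TransportAgent -Identity "Address Rewriting Inbound Agent"
Enable-TransportAgent -Identity "Address Rewriting Outbound Agent"

# Slide scenario: mail from *@sales.contoso.com leaves as *@contoso.com. Because
# contoso.com is also the organization's primary domain, this must be outbound
# only; a bidirectional entry would rewrite all inbound contoso.com mail to the
# sales subdomain. Inbound delivery works because each sales user carries an
# @contoso.com proxy address.
New-AddressRewriteEntry -Name "sales.contoso.com to contoso.com" `
  -InternalAddress sales.contoso.com `
  -ExternalAddress contoso.com `
  -OutboundOnly $true

# Generalization: every subdomain at once. Wildcards require -OutboundOnly $true,
# and -ExceptionList keeps named subdomains out of the rewrite.
New-AddressRewriteEntry -Name "all contoso.com subdomains" `
  -InternalAddress *.contoso.com `
  -ExternalAddress contoso.com `
  -OutboundOnly $true `
  -ExceptionList legal.contoso.com

# Bidirectional rewrite is only safe when the external domain is distinct and the
# mapping is one-to-one; here the hypothetical fabrikam.com stands in for it.
New-AddressRewriteEntry -Name "fabrikam.com presented as contoso.com" `
  -InternalAddress fabrikam.com `
  -ExternalAddress contoso.com `
  -OutboundOnly $false

Get-AddressRewriteEntry | Format-Table Name, InternalAddress, ExternalAddress, OutboundOnly, ExceptionList
```

Rewriting changes the envelope sender and From header after the message has been signed or inspected internally, so the rewritten domain (contoso.com here) is the one whose SPF record must authorize the Edge servers' public IP addresses, otherwise the Sender ID checks performed by receiving organizations will fail.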
25. References
Microsoft TechNet: Exchange Server 2013 Prerequisites
◦ https://technet.microsoft.com/en-CA/library/bb691354%28v=exchg.150%29.aspx#WS2012Edge
Microsoft TechNet: Edge Transport servers
◦ https://technet.microsoft.com/en-us/library/bb124701(v=exchg.150).aspx
Microsoft TechNet: Manage Connection Filtering on Edge Transport Servers
◦ https://technet.microsoft.com/en-us/library/bb124376(v=exchg.150).aspx