An Edge Subscription subscribes an Exchange Server 2013 Edge Transport server to an Active Directory site. This automatically creates the required connectors for internet mail flow to occur inbound and outbound via the Edge Transport server and the Mailbox servers in that Active Directory site.

On the Edge Transport server create an Edge Subscription file.

[PS] C:\>New-EdgeSubscription -FileName C:\Admin\Edge.xml

Confirm
If you create an Edge Subscription, this Edge Transport server will be managed via EdgeSync replication. As a result,
any of the following objects that were created manually will be deleted: accepted domains, message classifications,
remote domains, and Send connectors. After creating the Edge Subscription, you must manage these objects from inside
the organization and allow EdgeSync to update the Edge Transport server. Also, the InternalSMTPServers list of the
TransportConfig object will be overwritten during the synchronization process.
EdgeSync requires that this Edge Transport server is able to resolve the FQDN of the Mailbox servers in the Active
Directory site to which the Edge Transport server is being subscribed, and those Mailbox servers be able to resolve the
FQDN of this Edge Transport server. You should complete the Edge Subscription inside the organization in the next
"1440" minutes before the bootstrap account expires.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

Copy the Edge Subscription file to a Mailbox server in the organization, then import the Edge Subscription file by running the following command.

[PS] C:\>New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\Admin\Edge.xml" -Encoding Byte -ReadCount 0)) -Site "DataCenter1"

In my example “DataCenter1” is the name of the Active Directory site that hosts the Mailbox servers that I want to participate in EdgeSync with the Edge Transport server. If you have multiple Edge Transport servers (for high availability) you simply repeat the process of creating the Edge Subscription file on each Edge Transport server and then subscribing it to the Active Directory site.

Note: If you add a new Mailbox server to the site it will not participate in EdgeSync until you resubscribe the Edge Transport server to the site.

Removing Other Send Connectors

If you’ve previously configured send connectors for outbound email you may need to take additional steps to remove them after you’ve deployed your Edge Transport server.

For example, here you can see the two EdgeSync connectors that were automatically created, and the existing “Internet Email” send connector as well. At the moment outbound email will still go out via the “Internet Email” connector.

[PS] C:\>Get-SendConnector

Identity                                AddressSpaces                           Enabled
--------                                -------------                           -------
Internet Email                          {SMTP:*;1}                              True
EdgeSync - DataCenter1 to Internet      {smtp:*;100}                            True
EdgeSync - Inbound to DataCenter1       {smtp:--;100}                           True

Remove any unnecessary send connectors so that mail will flow via the Edge Transport server.

[PS] C:\>Remove-SendConnector "Internet Email"

Confirm
Are you sure you want to perform this action?
Removing Send connector "Internet Email".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

Verify Outbound Email

You can verify that outbound email is flowing via the Edge Transport server by sending an outbound message, then copying the message headers from the received message into a header analyzer such as MXToolbox or ExRCA.

[Screenshot: Exchange 2013 Edge Transport message headers shown in a header analyzer]

Verify Inbound Email

For inbound email you will need to ensure that your MX records point to the public IP address for your Edge Transport server (which may be a NATed IP address behind a firewall or other network device). To verify inbound mail flow send an email from an external address or use the inbound SMTP test on ExRCA.
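The whole procedure above, as an added example that is not part of the original article: an Exchange Management Shell script run on a Mailbox server in the site being subscribed. It checks the name-resolution and port prerequisites that the New-EdgeSubscription prompt describes, imports the subscription file, forces a first synchronization, and only disables the legacy Internet send connector once EdgeSync reports Normal and the EdgeSync connectors exist. The Edge FQDN, file path and connector names are assumed values, and Resolve-DnsName / Test-NetConnection assume Windows Server 2012 R2 or later.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell,
# started with "Run as administrator", on a Mailbox server in the target AD site.
$EdgeFqdn            = 'edge01.corp.example.com'   # assumed Edge Transport server FQDN
$SubscriptionFile    = 'C:\Admin\Edge.xml'          # file copied from the Edge server
$SiteName            = 'DataCenter1'                # AD site name used in the article
$LegacyConnectorName = 'Internet Email'             # pre-existing send connector from the article

# 1. Prerequisites: Mailbox servers must resolve the Edge FQDN and reach AD LDS (EdgeSync)
#    on TCP 50636 and SMTP on TCP 25. A blocked port here is the usual cause of a failed sync.
$edgeIp = (Resolve-DnsName -Name $EdgeFqdn -Type A -ErrorAction Stop)[0].IPAddress
Write-Host "Edge $EdgeFqdn resolves to $edgeIp"
foreach ($port in 50636, 25) {
    $r = Test-NetConnection -ComputerName $EdgeFqdn -Port $port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) {
        throw "TCP $port to $EdgeFqdn is blocked; fix the firewall before subscribing"
    }
    Write-Host "TCP $port to $EdgeFqdn is open"
}

# 2. Import the subscription file. -Encoding Byte with -ReadCount 0 returns the whole file
#    as one byte array, which is what -FileData expects.
$bytes = [byte[]](Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $bytes -Site $SiteName -ErrorAction Stop

# 3. Push the first synchronization from this server and verify it from the Mailbox side.
Start-EdgeSynchronization -Server $env:COMPUTERNAME -ForceFullSync
$status = Test-EdgeSynchronization
$status | Format-Table Name, SyncStatus, LastSynchronizedUtc -AutoSize
if ($status | Where-Object { $_.SyncStatus -ne 'Normal' }) {
    throw "EdgeSync is not in the Normal state; leave the existing connectors untouched"
}

# 4. Only when both EdgeSync send connectors for the site exist, disable the old Internet
#    connector. Disabling (rather than Remove-SendConnector) keeps a rollback path while
#    outbound flow via the Edge server is confirmed from message headers.
$edgeConnectors = @(Get-SendConnector |
    Where-Object { $_.Name -like 'EdgeSync - *' -and $_.Name -like "*$SiteName*" })
if ($edgeConnectors.Count -lt 2) { throw "EdgeSync connectors for $SiteName not found" }
$legacy = Get-SendConnector -Identity $LegacyConnectorName -ErrorAction SilentlyContinue
if ($legacy -and $legacy.Enabled) {
    Set-SendConnector -Identity $LegacyConnectorName -Enabled $false
    Write-Host "Disabled '$LegacyConnectorName'; remove it once outbound mail is confirmed via Edge"
}
Get-SendConnector | Format-Table Identity, AddressSpaces, Enabled -AutoSize
```

Re-run step 3 after adding a Mailbox server to the site, since the note above applies: new servers do not participate in EdgeSync until the Edge server is resubscribed.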

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Orel

    Greetings,
    I would like to know if it is possible to set EDGE so that it will only transfer internal traffic between 365 and Exchange on-prem?
    If so,
    I would love for you to highlight how to make it work correctly in this configuration

  2. Mariusz

    Hi Paul,

    I am migrating from Exchange 2010 to 2016. I am confused with the Edge role on Exchange 2016 in regards to its secure communication; everywhere documentation states that it needs port 25 for standard SMTP communication but there is no straightforward guideline on how Exchange 2016 Edge establishes secure communication with other external mail servers using TLS (secure email delivery between mail servers) or with clients trying to authenticate to SMTP over TLS (e.g. scan to email devices). Can Edge use port 587 for secure SMTP communication or does it use port 25 for TLS? Previously on Exchange 2010 I forwarded all secure SMTP traffic on port 587 to the Exchange 2010 CAS. Where should I forward port 587 now (Edge or Mailbox server)? Should I use and can I use a public wildcard SSL certificate (*.companydomain.com) on the new 2016 Edge server and assign it to SMTP services? If the certificate is renewed does it need Edge subscription recreation as per the article https://itblog.ldlnet.net/index.php/2019/01/25/update-edge-server-certificate-in-a-hybrid-exchange-environment/ ?

  3. Osa

    Hi Paul
    I know this is an old thread. But I think I followed every step correctly and am still unable to send out.
    I keep getting this error when I do a search on the delivery report:

    ‘[{LED=};{MSG=};{FQDN=};{IP=};{LRT=}]’.

    1. Sid

      DNS Failed to resolve domain.

  4. Raj Mustaf

    Environment:
    DAG with 5 servers – Exchange 2013
    1 Edge server working fine.
    2nd edge server, I’ve verified routes, firewall, DNS, domain suffix, IPV6 is off.

    I attempt to re-subscribe the 2nd edge server, and it gives me this error:

    EdgeSync requires that the Mailbox servers in Active Directory site SiteXYZ be able to resolve the IP address
    for EDGE-SERVER.Domain.Com and be able to connect to that host on port 50636.

    From one of my exchange servers, I can telnet to the edge server over port 50636 successfully.
    ADAM is running on the edge server without issue.

    Any suggestions?

  5. Christofer

    Hello,

    I have a problem with DSN emails. All DSN emails fail on the edge server with error: RecipientStatus: {[{LRT=};{LED=550 5.7.1 Not authorized};{FQDN=};{IP=}]}. What do I configure on the edge or hub transport server to allow DSN emails?
    We have 1 edge server and 1 Hub/CAS/MBX server. Both Exchange 2013.

  6. Jay

    Hello Paul,

    Always great and clear instructions and articles. Wanted to offer a possible edit to the above as I ran into an error creating the Edge subscription XML file using your suggested command. I had to launch the Exchange Management Shell using the “Run As Administrator” option before the command would complete successfully. When I ran the Shell not as an admin (even though logged in as a domain admin to the Edge server), it gave me an error saying something along the lines of “couldn’t create certificate in the AD LDS store, access is denied”. But when running the Shell as administrator, it worked just fine.

    Thanks again for your great documentation!

    Jay

  7. DEPOLO

    Hi Paul.
    I’m very proud to read your articles regarding Exchange Server.
    Since yesterday, I’m facing a very disturbing issue with my newly deployed Exchange Server 2016 environment.

    My deployment is as follows:

    – One Mailbox Exchange server 2016

    – One Edge Server 2016 in the DMZ

    – One TMG 2010 SP2 to handle the web part of my Exchange.

    Since yesterday, I’m able to send mail from inside to outside, but can’t receive from outside, because it’s stuck in the queue at my edge level.

    I have a firewall in front of my edge server 2016. The underlying firewall is configured to NAT my mail.domain.cm port 25 to my edge server 2016; and it’s doing it well because I can telnet on port 25 from the firewall to my edge, and I can also telnet from my edge to my Mailbox Exchange Server 2016, but the mail didn’t go through to the Mailbox Exchange Server.

  8. Dmitry

    Paul,

    How to configure a FQDN for each edge transport?

    Example: Get-SendConnector "EdgeSync - Default-First-Site-Name to Internet" | Set-SendConnector -Fqdn smtphost1.domain.com.br

    tks.

  9. ALENCAR WELL

    Hello,

    I did the step by step and everything seems to be working.
    However, I still get a lot of spam and the IP of my EDGE server does not appear in the message header.

    What about the settings we make to configure the filters? EDGE is not done?

    Set-TransportConfig -InternalSMTPServers IP MY EXCHANGE
    Get-TransportConfig | Format-List InternalSMTPServers
    Set-SenderFilterConfig -Enabled $true
    Set-SenderFilterConfig -BlankSenderBlockingEnabled $true
    Set-RecipientFilterConfig -Enabled $true
    Set-RecipientFilterConfig -RecipientValidationEnabled $true
    Get-ReceiveConnector
    Get-ReceiveConnector "Default Frontend MAIL" | fl tar*
    Set-ReceiveConnector "Default Frontend MAIL" -TarpitInterval 00:00:06
    Set-RecipientFilterConfig -InternalMailEnabled $true
    Set-SenderIdConfig -Enabled $true
    Set-SenderIdConfig -SpoofedDomainAction Delete
    Set-SenderIdConfig -SpoofedDomainAction Reject
    Get-SenderIdConfig | FL SpoofedDomainAction
    Set-ContentFilterConfig -Enabled $true
    Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 8
    Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5
    Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 6
    Set-ContentFilterConfig -QuarantineMailbox spam@mydmain.com.br
    Set-OrganizationConfig -SCLJunkThreshold 4
    Restart-Service MSExchangeTransport
    Get-ContentFilterConfig | Format-List SCL*

  10. Gregory

    After importing the new subscription I restarted the topology and I get the error when I do Test-EdgeSynchronization

      1. Gregory

        The issue is resolved. Thanks for the help.

        The UDP port was open for 50636 instead of TCP.

        After opening the TCP port 50636 I could sync the edge and transport server

        1. Prema

          How did you find that?

          1. yassine

            You can just test if the port is open with a tool like nmap or other tools, and it seems that he tested all the requirements; one of them is that port TCP 50636 is open between the Mailbox Server(s) and the Edge Server.

  11. Gregory Pollack

    Hi Paul,

    I am new to Exchange and am busy with a proof of concept on Exchange 2016.

    We have 2 Transport servers and 1 Edge in DMZ.
    I keep getting the known error (Failed to connect to the Edge Transport server ADAM instance with exception The LDAP server is unavailable) which I suspect has something to do with the certificates.

    I am really a newbie when it comes to certificates and would like to know if the self-signed certificate which I created on the edge needs to have the same thumbprint on the transport servers; I am unable to find a tutorial on this topic online.

    The required ports 50636, 50389, and 25 are open between the internal and DMZ subnet. The ADAM service is running on the edge.

    Is there a way to reset the whole certificate setup to default so I can create a new subscription to resolve this, or is this issue related to something else?

    Looking forward to your feedback.

    1. Avatar photo

      Edge can work with self-signed certificates. It’s unclear where in the process of setting up an edge subscription you’re seeing that error. But the LDAP server being unavailable is probably going to be a network or firewall issue, so that’s where I’d start.

      If in doubt with edge servers you can always recreate the edge subscription any time, which is often a requirement anyway for things like updating the info in AD for the edge server’s build number after installing CUs.

  12. Matt Krysinski

    Our environment consists of two CAS servers (2013) and one Edge server (2010). We’re ready to decommission and remove our Edge server.

    When I run Remove-EdgeSubscription, I get the following error message.

    You must specify a valid Edge Subscription for the Identity parameter.
    + CategoryInfo : InvalidOperation: (:) [Remove-EdgeSubscription], InvalidOperationException
    + FullyQualifiedErrorId : [Server=,RequestId=212756d3-2472-44e2-87ec-47aa8860b751,TimeStamp=7/19/2017 1:58
    :36 PM] [FailureCategory=Cmdlet-InvalidOperationException] 1FEE799C,Microsoft.Exchange.Management.SystemConfigurat
    ionTasks.RemoveEdgeSubscription
    + PSComputerName : ..local

    Any ideas as to why this simple command isn’t working?

    Kindest regards,

    Matt

  13. Julian

    Hi Paul
    Unfortunately I have an old Exchange 2003 all-in-one, and I have to install an antispam/antivirus on a more recent Exchange, so I saw EDGE (2016) does not require AD membership (in fact, the firewall ports you say to open are only a few: TCP 25 inbound/outbound, plus another high one).
    I deployed it following your articles: no error.
    But now I have no management console (IIS), and I don’t know which AD domain I have to subscribe it to: it should only work as a receiving smart host with antivirus/antispam.
    Is it possible?

    Thank you

    Julian

      1. Julian

        Ok, very good! 🙂

        Did you post something about Edge configuration without an EdgeSync subscription?

        Thank you again, Julian

  14. Arman

    Hi Paul,
    We have two mailbox servers, two CAS servers and an edge server. When we add a second edge server, mail doesn’t go in or out. There is an error in the smtpsend logs:
    2017-01-28T16:44:14.260Z,EdgeSync - Inbound to Default-First-Site-Name,08D4479C5359C393,27,192.168.xx.xx:1503,192.168.yy.yy:25,*,,TLS negotiation failed with error SocketError

    is there any suggestions?
    Many thanks

  15. kyle

    Hi Paul, thanks for your “exchange-server-2013-edge-transport-server” series of posts.

    I followed this post to add 2 EDGE servers in my 2CAS+2MBX demo environment this week without any warning info.

    Do I need to change the new send connector “EdgeSync-ADsitename to internet”’s FQDN from BLANK to mail.myoffice.com or just leave it alone?

    I found that I must reset the “senderid” and “senderfilter” options (like blanksenderblockingenabled) on both EDGE servers although I set them on the 2 MBX servers before. If your EDGE series of posts adds some tips about antispam settings, it will be even greater.

    Thanks.
    Sorry for my poor English 🙂

      1. kyle

        OK, I’ll keep the EDGE’s settings and watch the result.

        Thanks for your quick reply.

  16. hosamani

    I have a query about resubscribing one of the Edge Transport servers to the site.

    We have 2 Edge servers and 4 MBX/CAS mixed role servers, and all are Exchange 2013 CU6 (all servers).

    Issue: One of the Edge servers is not syncing with the mailbox servers; however, there is no impact on mail flow, and the only impact is the mailbox safelist/blocklist not replicating.

    Also very soon one of the SSL certificates is going to expire and I am planning to renew it.

    So, is it better to resubscribe it before the certificate renewal or can we do it after? Also is there any impact on the existing configuration or mail flow after renewal?

    1. Avatar photo

      Yes, I believe that updating the SMTP certificate on the Edge server(s) requires a resubscription.

      You’re running an unsupported build (CU6) so you should also plan to update your servers to the latest CU before you do the certificate changes.

      As for the synchronization issue, the most likely cause is a firewall port not being open, but maybe resubscribing will also fix it.

      1. hosamani

        Hi Paul, I appreciate your quick response.

        All required ports are open between the edge and MBX/CAS. I also verified the services and restarted them as well, and also tried to resync with the force parameter, no luck.

        Error: EdgeSync service cannot connect to this subscription because of error “The supplied credential is invalid.”

        So if I resubscribe, will there be any impact on the existing configuration? Because the same edge servers are used for application mail relay.

        Thank you

          1. Sb

            Hi Paul,

            I have 2 edge servers and 3 MBX/CAS servers (Exch-13). So after resubscribing, should I start EdgeSynchronization from each server?

            like
            Start-EdgeSynchronization -Server MBX1 -TargetServer Edge-1 and Edge-2
            Start-EdgeSynchronization -Server MBX2 -TargetServer Edge-1 and Edge-2
            Start-EdgeSynchronization -Server MBX3 -TargetServer Edge-1 and Edge-2

            or is there any option or PowerShell command to sync all my MBX/CAS servers at the same time?

            Thanks

  17. Rafal

    We currently have an Exchange 2013 organisation which at some point (politics…) will be moved to O365; we need to deploy an Edge service in the meantime. Would an Exchange 2013 Edge server work ok with an Exchange 2010 SP3 RUx organisation, or are we better off deploying the 2010 Edge service? There doesn’t seem to be a categorical answer on Technet that I can see.

  18. Farid

    Hello and thank you for your tips.
    I have my Azure VM on a 2012 R2 datacenter with Exchange CU12 Edge transport Role.
    I ran into a problem after running New-EdgeSubscription -FileName C:\Admin\Edge.xml
    I get a smart card popup and it requires a PIN.
    When cancelling, the cmdlet aborts.
    Also tried random numbers etc…no luck.
    Any suggestions?

      1. Farid

        Thanks for the feedback.
        I figured it out. It was actually the remote desktop session that Azure creates for you and you download to use to connect to your VM, which has a setting with a check mark for smart card, ports and devices to be used on the remote machine.
        I just needed to uncheck that.

  19. Daniel S.

    Hi,

    I have an Exchange Server 2013 CU10 organisation, with one MBX – CAS server. I am currently configuring an Exchange 2016 Edge in DMZ.

    The Edge Subscription should take care of the internal and external, inbound and outbound port 25 traffic.

    I would like to know if I should expect any trouble for the other Exchange services, like ActiveSync, OWA, POP3, IMAP, Outlook Anywhere.

    I am planning to leave those, for the time being, published externally direct from my CAS – MBX Server, and after everything is working as it should, I will publish those through WAP with AD FS.

    Thank you.

    Regards
    SD.

  20. Ferdie Fernandez

    Hi,

    We have 2007 MBX and HTC servers in 4 sites but only 1 edge server at one location for mail routing to the internet. Can I put another edge server in another site and have that site route emails from that Edge server? Can I use Edge 2013? Can it be mixed with 2007 HTC/MBX servers? What needs to be taken care of when doing this configuration?

  21. Jesus

    I have an Exchange 2013 organization with different roles on each server and Exchange 2013 servers in the same organization.
    Exchange 2007 and 2013 are in different AD sites. Exchange 2007 has an EDGE subscription with four EDGE Transport 2007 servers.
    I created an Exchange 2013 edge subscription on Exchange 2013 in the other AD site but all email that I send to the Internet exits via the Exchange 2007 subscription.
    If I change the scope of the new send connector to the internet generated by the edge subscription, the messages continue to exit via the old edge connector to the internet.
    Regards.

  22. Evandro Semedo

    Paul,

    How to configure a FQDN for each edge transport?

    Example: Get-SendConnector "EdgeSync - Default-First-Site-Name to Internet" | Set-SendConnector -Fqdn smtphost1.domain.com.br

    tks.

  23. Deepak

    Shouldn’t I import these subscriptions to the servers with CAS roles?
    I had imported these to the ones with MBX-only roles and ended up having large queues and a DNS query issue as posted earlier by Yassine.

    Regards,
    Deepak

    1. Avatar photo

      Edge servers are subscribed to an AD site, not to a server. When you subscribe the Edge server to the site all of the Transport (MBX for 2013, HT for 2010) in the site can/will use that Edge server for in/out email.

      If you’re having inbound mail queueing on the Edge server it could be an SMTP connectivity issue from the Edge to your internal servers, or a DNS issue (the Edge needs to be able to resolve the internal servers by name).

  24. Yassine

    Hi Paul,

    After configuring a new Edge server I got a problem with incoming email; every external email got stuck on the edge server and in the queue I notice the error “DNS Query failed with error Error retry”.
    Any idea where can the problem be?

  25. sony

    Do I have to run

    New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\Admin\Edge.xml" -Encoding Byte -ReadCount 0)) -Site "DataCenter1" on ALL my MAIL SERVERS? I only ran this on the first mailbox server

    I have one Edge server and Two mailbox/CAS servers(DAG) and it was working fine until I switched over to second mailbox server in DAG.

    1. Avatar photo

      When you run it (once) it sets up the subscription for the Edge server to the AD Site, including all transport (Mailbox) servers in that site *at the time*. If you add a new Mailbox server later, the subscription needs to be recreated.

      You also need to make sure the firewall ports between the Edge and the internal servers are open for all servers.

  26. Mark Joseph

    Hi Paul,

    We’re currently in the design phase of our O365 migration. One challenge we are encountering is setting up our hybrid environment.
    Here is our situation:
    * We have 3 CAS servers and 4 Mailbox servers on-premise (internal network).
    * Our CAS servers are load-balanced using ADC (located in perimeter network).
    * We also have IP-based firewall installed in our environment.
    * We don’t want to expose our CAS and Mailbox servers to the internet, so we’re thinking of using EDGE Transport server.
    Questions:
    1) Can we still enable Rich Coexistence with just EDGE?
    2) We’ve read an issue regarding mailbox migration with ADC/network load balancer, can we just use EDGE for the mailbox migration so that we don’t have to worry about possible mailbox lockout in our ADC or migration time-out?

      1. Mark Joseph

        Thanks Paul,

        Does this mean that we really have to allow inbound/outbound traffic from exchange online to our CAS/MBX servers directly for mailbox moves and rich co-existence?

        We publish our mail via the ADC.

  27. selvakumar

    hi everyone,

    I have installed Exchange 2013 CAS/Mailbox on 2 servers (each server has 2 roles) and one edge server.

    Shall I create HA for CAS by Windows NLB and DAG in this environment?

    Note: Exchange Server 2013 CU3, which are running on a Windows 2012 R2 Hyper-V host machine.

  28. vic hindocha

    Hey Paul –
    I have a pre-existing Edge 2010 server in my environment. I have just upgraded to Exchange 2013; I would like to upgrade from Edge 2010 to Edge 2013; I have read your posts, which I found extremely helpful, however, they don’t mention anything about upgrading from Edge 2010 to Exchange 2013.

    My questions are as follows:

    1) When I create a New-EdgeSubscription will this script also copy over the configurations from Edge 2010 to Edge 2013?
    2) How do I make Edge 2013 the “primary edge server”?

    I want to avoid creating a New-EdgeSubscription and then it becoming production automatically without any configuration done.

    Thanks in advance
    Vic

    1. vic

      Any advice on this?

  29. Otto Melzig

    We have 2 sites with about 70 users each – Port Moresby and Lae. The sites have very limited bandwidth between each other but both have good bandwidth to a third site Sydney, which is connected to the internet at high speed. There are no mailbox users in Sydney.

    We want to have a setup where all inbound mail from the internet goes to Sydney first and is then delivered to either Lae or Port Moresby.

    But since an edge transport server can only service one site it seems we will need to deploy a FULL exchange client access and mailbox server in Sydney and then route all email to this first.

    Is there any other way of achieving the desired result?

    1. Maxim Grishin

      You don’t need a *mailbox* server in Sydney, but rather a *hub transport* server, so less storage will be required. But yes, a server in Sydney is needed if you want to route messages through Sydney. You can use a hub transport server acting as receiver in place of an edge transport server, although this approach is less secure than using an edge transport server.

  30. Tom

    Hi,

    I have a DAG setup in which each of the participating mailbox servers are in different Active Directory sites, a total of 5 AD sites.

    I am planning to introduce Edge Servers as well.

    Do I need to install 5 Edge Servers in each of these sites and make subscriptions to each of the mailbox servers in the respective sites?

    Or, can I deploy 2 Edge Servers in DMZ and make individual subscriptions to each of the mailbox servers in each site?

    Please let me know if anyone has any prior experience with a multi-site Exchange setup.

    SiteA - EXMB1
    SiteB - EXMB2
    SiteC - EXMB3
    SiteD - EXMB4
    SiteE - EXMB5

    1. Avatar photo

      Opening paragraph of the article says:

      “An Edge Subscription subscribes an Exchange Server 2013 Edge Transport server to an Active Directory site. This automatically creates the required connectors for internet mail flow to occur inbound and outbound via the Edge Transport server and the Mailbox servers in that Active Directory site.”

      The subscription is between an Edge server and a *site*, not to individual Mailbox servers.

      Only one Edge subscription can be created per Edge server, but multiple Edge subscriptions can be created per site. So yes you can have multiple Edge servers subscribed to the same site.

      Does that make sense?

  31. Chris

    hello

    Do you have any recommendation for Forefront Protection for Exchange 2010 to install
    on an Exchange 2013 Edge Server?
    Is there any product for spam etc. for Exchange 2013 Edge Server?

    thank you
    chris
