How to Configure Edge Transport Server for Email on Windows Server 2025

The Exchange Edge Transport Server role provides a security-hardened mail gateway that sits in your organization’s perimeter network (DMZ), acting as the first and last point of contact for all inbound and outbound internet email. Unlike mailbox servers that live inside the corporate network, the Edge Transport server is intentionally not domain-joined — it has no access to Active Directory and communicates with internal Exchange Mailbox servers only through a secure, one-way synchronization mechanism called EdgeSync. This architecture means that even if an Edge Transport server is compromised, attackers gain no foothold into your internal AD environment. On Windows Server 2025, Edge Transport can be configured with modern anti-spam agents, transport rules, and connector policies that give your organization sophisticated email hygiene without requiring a third-party cloud gateway. This guide walks through the full deployment from prerequisites through log review.

Prerequisites

  • Windows Server 2025 (Standard or Datacenter) in the DMZ — not domain-joined
  • A separate internal Windows Server 2025 running the Exchange Mailbox Server role (domain-joined)
  • Exchange Server 2019 CU14 or later (current release as of 2025) — Edge Transport version must match internal
  • Static IP address on the Edge server, with MX record pointing to it
  • TCP port 25 open inbound from the internet; TCP port 50636 (EdgeSync LDAP over SSL) open between Edge and Mailbox servers
  • Valid TLS certificate on the Edge server (at minimum a self-signed; ideally a public CA certificate for SMTP STARTTLS)
  • Exchange prerequisites: .NET Framework 4.8, Visual C++ 2012/2013 redistributables, Windows features installed

Step 1 — Install Exchange Prerequisites on the Edge Server

The Edge Transport server requires the same Windows prerequisite features as other Exchange roles, though as a standalone (non-domain-joined) server the setup script handles most of this automatically.

# On the Edge Transport server (Windows Server 2025, workgroup member)
# Install required Windows features
Install-WindowsFeature ADLDS, Web-Server, Web-Asp-Net45, Web-ISAPI-Ext, `
    Web-ISAPI-Filter, Web-Net-Ext45, Web-Log-Libraries, Web-Request-Monitor, `
    Web-Http-Tracing, Web-Static-Content, Web-Default-Doc, Web-Dir-Browsing, `
    Web-Http-Errors, Web-Http-Redirect, Web-CGI, Web-Health, Web-Basic-Auth, `
    Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-IP-Security, `
    Web-Url-Auth, Web-Scripting-Tools, Web-Mgmt-Compat, Web-Metabase, `
    NET-Framework-45-ASPNET, RPC-over-HTTP-proxy, `
    Server-Media-Foundation, RSAT-Clustering, RSAT-Clustering-CmdInterface, `
    WAS-Process-Model, WAS-Config-APIs -Restart

# Install Visual C++ redistributables (download from Microsoft first)
Start-Process "C:\Prereqs\vcredist_x64_2012.exe" -ArgumentList "/install /passive /norestart" -Wait
Start-Process "C:\Prereqs\vcredist_x64_2013.exe" -ArgumentList "/install /passive /norestart" -Wait

Step 2 — Install the Exchange Edge Transport Role

# Mount or extract the Exchange Server 2019 ISO
# Run the unattended setup for Edge Transport role only
C:\ExchangeSetup\Setup.exe `
    /Mode:Install `
    /Role:EdgeTransport `
    /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF

# Setup runs for 15–30 minutes. Verify successful installation:
Get-ExchangeDiagnosticInfo -Process EdgeTransport -Component VariantConfiguration

# Check that Exchange services are running
Get-Service MSExchange*, ADAM_MSExchange* | Select-Object Name, Status, StartType

Step 3 — Generate and Export the EdgeSync Subscription

EdgeSync uses a one-way replication model: the Edge server exports a subscription XML file that you import on the internal Mailbox server. The Mailbox server then pushes AD recipient data to the Edge’s Active Directory Lightweight Directory Services (AD LDS) instance over TLS on port 50636. The Edge never connects inbound to AD — the trust is entirely outbound from Mailbox to Edge.

# --- Run on the EDGE TRANSPORT server ---
# Open Exchange Management Shell (EMS) on Edge
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue

# Export the Edge Subscription file
New-EdgeSubscription `
    -FileName "C:\EdgeSubscription\EdgeSubscription.xml" `
    -Force

# The file contains a shared secret valid for 1440 minutes (24 hours)
# Securely copy EdgeSubscription.xml to the internal Mailbox server

# --- Run on the INTERNAL MAILBOX server (domain-joined) ---
# In Exchange Management Shell on the Mailbox server
New-EdgeSubscription `
    -FileData ([System.IO.File]::ReadAllBytes("C:\EdgeSubscription\EdgeSubscription.xml")) `
    -Site "Default-First-Site-Name" `
    -CreateInternetSendConnector $true `
    -CreateInboundSendConnector $true

# Start EdgeSync to replicate AD data to Edge LDS
Start-EdgeSynchronization -Server "MAILBOX01"

# Verify synchronization status
Test-EdgeSynchronization -Server "MAILBOX01" -FullCompare
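Before importing the subscription it is worth confirming the one path EdgeSync actually needs: the Mailbox server must resolve the Edge FQDN, reach TCP 50636 on it, and get a TLS handshake from the AD LDS instance. The check below is an added example, not code from the original guide; the function name and the FQDN edge01.contoso.com are placeholders.

```powershell
# Added check (not from the original guide): run on the internal Mailbox server before importing the subscription.
# Assumptions: the Edge FQDN (edge01.contoso.com) and the function name are placeholders for this example.
function Test-EdgeSyncPath {
    param(
        [Parameter(Mandatory)][string]$EdgeFqdn,
        [int]$Port = 50636            # EdgeSync secure LDAP port on the Edge AD LDS instance
    )
    $r = [ordered]@{ EdgeFqdn = $EdgeFqdn; Resolves = $false; TcpOpen = $false
                     TlsOk = $false; CertSubject = $null; CertExpires = $null; Error = $null }

    # EdgeSync needs the Mailbox server to resolve the Edge FQDN (DNS record or a hosts entry)
    try { $r.Resolves = [bool](Resolve-DnsName -Name $EdgeFqdn -ErrorAction Stop) }
    catch { $r.Error = "Name resolution failed: $($_.Exception.Message)"; return [pscustomobject]$r }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($EdgeFqdn, $Port)            # direction matters: Mailbox -> Edge, never the reverse
        $r.TcpOpen = $true

        # Accept whatever certificate is presented: the goal is to report it, not to validate the chain here
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($EdgeFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $r.TlsOk       = $true
        $r.CertSubject = $cert.Subject               # compare with Get-ExchangeCertificate on the Edge
        $r.CertExpires = $cert.NotAfter              # watch for certificates close to expiry
        $ssl.Dispose()
    }
    catch { $r.Error = $_.Exception.Message }
    finally { $client.Dispose() }

    [pscustomobject]$r
}

Test-EdgeSyncPath -EdgeFqdn "edge01.contoso.com" | Format-List
```

A result with Resolves or TcpOpen false points at DMZ name resolution or the firewall rule for 50636 rather than at the subscription file itself.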

Step 4 — Configure Edge Transport Rules

Transport rules on Edge allow you to inspect, modify, or block messages based on sender, recipient, subject, attachment type, message size, and other attributes — before the message ever reaches your internal mail infrastructure.

# --- Run on Edge Transport server in EMS ---

# Rule 1: Block executable attachments
New-TransportRule -Name "Block Executable Attachments" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments are not permitted." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Enabled $true `
    -Priority 1

# Rule 2: Block messages with dangerous file extensions
New-TransportRule -Name "Block Dangerous Extensions" `
    -AttachmentNameMatchesPatterns "*.exe", "*.ps1", "*.vbs", "*.bat", "*.cmd", "*.msi", "*.reg" `
    -RejectMessageReasonText "Attachment type not permitted by security policy." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Enabled $true `
    -Priority 2

# Rule 3: Add legal disclaimer to all outbound messages
New-TransportRule -Name "Outbound Legal Disclaimer" `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerText "This email and any attachments are confidential and intended solely for the use of the individual or entity to whom they are addressed." `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ApplyHtmlDisclaimerLocation Append `
    -Enabled $true

# Rule 4: Block large messages from unknown senders
New-TransportRule -Name "Size Limit for External Senders" `
    -FromScope NotInOrganization `
    -MessageSizeOver 25MB `
    -RejectMessageReasonText "Message size exceeds the permitted limit." `
    -RejectMessageEnhancedStatusCode "5.3.4" `
    -Enabled $true

Step 5 — Configure Send and Receive Connectors

# Receive Connector — accept inbound SMTP from the internet
# (Edge setup creates "Default internal receive connector <server>" bound to port 25; customize it for tighter control)
Set-ReceiveConnector -Identity "EDGESERVER\Default internal receive connector EDGESERVER" `
    -MaxMessageSize 30MB `
    -ConnectionTimeout 00:10:00 `
    -RequireTLS $false     # set $true if requiring STARTTLS from all senders

# Create a dedicated receive connector for a specific trusted relay
# No -TransportRole here: Edge runs only the Transport service, so FrontendTransport is not valid on this role
# Replace 203.0.113.0/24 with the partner's IP range. ExternalAuthoritative + ExchangeServers treats these
# sessions as authenticated and bypasses the anti-spam agents, so keep RemoteIPRanges as narrow as possible.
New-ReceiveConnector -Name "Trusted Relay Inbound" `
    -Server "EDGESERVER" `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges "203.0.113.0/24" `
    -AuthMechanism ExternalAuthoritative `
    -PermissionGroups ExchangeServers

# Send Connector — deliver outbound mail to the internet (created by EdgeSync as "EdgeSync - <Site> to Internet")
# Verify it exists and configure a smart host if needed
Get-SendConnector | Select-Object Name, Enabled, SmartHosts, AddressSpaces

# Run this on the internal MAILBOX server: EdgeSync replicates Send connector settings from AD to the Edge
# and overwrites local changes. "EdgeSync - Inbound to <Site>" is the Edge-to-internal connector; leave it alone.
Set-SendConnector -Identity "EdgeSync - Default-First-Site-Name to Internet" `
    -SmartHosts "smtp.relay.provider.com" `
    -SmartHostAuthMechanism BasicAuthRequireTLS `
    -AuthenticationCredential (Get-Credential) `
    -Enabled $true

Step 6 — Configure Anti-Spam Agents

Exchange Edge ships with a suite of built-in anti-spam agents that are enabled by default. Fine-tuning their thresholds dramatically reduces false positives and negatives.

# Check which anti-spam agents are enabled
Get-TransportAgent | Where-Object { $_.Enabled } | Select-Object Name, Priority

# Content Filter — set SCL thresholds (the cmdlet enforces Delete > Reject > Quarantine)
# Each action also needs its *Enabled switch; a quarantine threshold requires a quarantine mailbox (example address)
Set-ContentFilterConfig `
    -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true -SCLRejectThreshold 7 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6 `
    -QuarantineMailbox "spamquarantine@contoso.com" `
    -Enabled $true

# The junk-folder threshold (SCLJunkThreshold 5) is an organization setting, not a content filter parameter:
# run Set-OrganizationConfig -SCLJunkThreshold 5 on an internal Mailbox server

# Sender Reputation — block IPs with high spam reputation score
Set-SenderReputationConfig `
    -SenderBlockingEnabled $true `
    -SrlBlockThreshold 7 `
    -SenderBlockingPeriod 24

# Recipient Filter — reject mail to non-existent recipients
Set-RecipientFilterConfig `
    -RecipientValidationEnabled $true `
    -Enabled $true

# Connection Filter — configure IP allow/block lists
Set-IPBlockListConfig -Enabled $true
Add-IPBlockListEntry -IPAddress "192.0.2.100"     # example known spam source
Add-IPAllowListEntry -IPAddress "203.0.113.50"   # example trusted partner

# Sender ID — verify SPF alignment
Set-SenderIdConfig `
    -SpoofedDomainAction StampStatus `
    -TempErrorAction StampStatus `
    -Enabled $true

# View current content filter statistics
Get-ContentFilterConfig | Select-Object Enabled, SCL*

Step 7 — Review Edge Transport Logs

# SMTP protocol logs location
Get-TransportService | Select-Object Name, ReceiveProtocolLogPath, SendProtocolLogPath

# View recent message tracking events
Get-MessageTrackingLog `
    -Start (Get-Date).AddHours(-4) `
    -EventId "RECEIVE" `
    -ResultSize 50 |
    Select-Object Timestamp, Sender, Recipients, MessageSubject, Source

# Review anti-spam decisions (rejections, quarantines and deletions are written by the agents to the agent log,
# not to message tracking)
Get-AgentLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Where-Object { $_.Action -ne "AcceptMessage" } |
    Select-Object Timestamp, Agent, Action, P1FromAddress, Recipients, Reason

# Check agent logs for content filter decisions
$AgentLogPath = (Get-TransportService).AgentLogPath
Get-ChildItem $AgentLogPath -Filter "*.log" | Sort-Object LastWriteTime -Descending | Select-Object -First 5

# Parse the most recent agent log for rejections
Get-Content (Get-ChildItem $AgentLogPath | Sort-Object LastWriteTime -Descending | Select-Object -First 1).FullName |
    Where-Object { $_ -match "reject|block|delete" } |
    Select-Object -Last 20
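The grep above shows individual lines; for a daily review you usually want every non-accept decision rolled up per agent and action. The function below is an added example, not part of the original guide: it takes the column names from the log's own #Fields: header, so it does not depend on a fixed layout. The sample log and the Get-AgentLogSummary name are constructed for this illustration.

```powershell
# Added example (not from the original guide): summarise anti-spam actions from an Edge agent log.
# Field names are read from the log's "#Fields:" header. The sample file below is constructed;
# on a real Edge, point -LogFile at a file under (Get-TransportService).AgentLogPath instead.
function Get-AgentLogSummary {
    param([Parameter(Mandatory)][string]$LogFile)

    $lines  = Get-Content -Path $LogFile
    $header = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $header) { throw "No '#Fields:' header found in $LogFile" }
    $fields = ($header -replace '^#Fields:\s*', '') -split ','

    # Skip the metadata lines (#Software, #Version, #Log-type, #Date, #Fields) and parse the rest as CSV
    $rows = $lines | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header $fields

    # Anything other than AcceptMessage is a filtering decision worth reviewing
    $rows | Where-Object { $_.Action -ne 'AcceptMessage' } |
        Group-Object -Property Agent, Action |
        ForEach-Object {
            [pscustomobject]@{
                Agent   = $_.Group[0].Agent
                Action  = $_.Group[0].Action
                Count   = $_.Count
                Senders = ($_.Group.P1FromAddress | Sort-Object -Unique) -join ';'
                Reasons = ($_.Group.Reason | Sort-Object -Unique) -join ';'
            }
        } | Sort-Object Count -Descending
}

# Constructed sample in the agent-log layout (illustrative values, not real traffic)
$sample = @'
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Agent Log
#Date: 2025-01-15T08:00:00.000Z
#Fields: Timestamp,SessionId,LocalEndpoint,RemoteEndpoint,EnteredOrgFromIP,MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,Agent,Event,Action,SmtpResponse,Reason,ReasonData
2025-01-15T08:01:10.120Z,08DD2A1,10.0.0.5:25,192.0.2.100:51123,192.0.2.100,<a1@example.net>,spam@example.net,spam@example.net,user@contoso.com,1,Connection Filtering Agent,OnConnect,RejectConnection,550 5.7.1 Client host blocked,BlockListed,192.0.2.100
2025-01-15T08:02:44.301Z,08DD2A2,10.0.0.5:25,198.51.100.20:49871,198.51.100.20,<b2@example.org>,news@example.org,news@example.org,user@contoso.com,1,Content Filter Agent,OnEndOfData,RejectMessage,550 5.7.1 Message rejected as spam by Content Filtering,SclAtOrAboveRejectThreshold,8
2025-01-15T08:03:02.515Z,08DD2A3,10.0.0.5:25,203.0.113.50:52210,203.0.113.50,<c3@partner.example>,ops@partner.example,ops@partner.example,user@contoso.com,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SclBelowThreshold,1
2025-01-15T08:05:19.877Z,08DD2A4,10.0.0.5:25,192.0.2.100:51180,192.0.2.100,<d4@example.net>,spam@example.net,spam@example.net,user@contoso.com,1,Connection Filtering Agent,OnConnect,RejectConnection,550 5.7.1 Client host blocked,BlockListed,192.0.2.100
'@
$LogFile = Join-Path $env:TEMP 'AGENTLOG-sample.log'
Set-Content -Path $LogFile -Value $sample

Get-AgentLogSummary -LogFile $LogFile | Format-Table -AutoSize
```

On the sample this yields two rows (Connection Filtering Agent/RejectConnection with a count of 2, Content Filter Agent/RejectMessage with a count of 1); a sender or reason that dominates the top row is the first candidate for a threshold or block-list adjustment.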

Conclusion

Deploying an Exchange Edge Transport Server on Windows Server 2025 gives your organization a dedicated, security-hardened email perimeter that keeps spam, malware, and unwanted senders away from your internal mail infrastructure. The non-domain-joined posture of the Edge role limits lateral movement risk, while EdgeSync ensures your recipient validation data stays current without exposing Active Directory to the DMZ. By combining tight transport rules, calibrated anti-spam agent thresholds, and proper connector configuration, you can achieve enterprise-grade email hygiene on-premises — with full visibility through the message tracking and agent log systems. Regular log reviews and threshold adjustments based on observed traffic patterns will keep your email environment clean and performant over time.