Overview of Exchange Edge Transport Server
The Exchange Edge Transport server role acts as the outermost layer of your on-premises Exchange mail infrastructure. Unlike Hub Transport or Mailbox servers, the Edge Transport server is intentionally deployed in the DMZ (demilitarized zone) or perimeter network and is not domain-joined. This isolation means that if the Edge server is ever compromised, attackers have no direct path into the internal Active Directory domain. The Edge Transport server handles all inbound SMTP connections from the internet, applies anti-spam filtering, performs recipient validation, enforces TLS, and relays clean messages to your internal Mailbox servers. Similarly, outbound email from internal users passes through Edge Transport before leaving the organization.
On Windows Server 2022, the Edge Transport role is typically deployed alongside Exchange Server 2019 (the current supported version), which is fully compatible with Windows Server 2022. The architecture is straightforward: one or more Edge Transport servers in the DMZ subscribe to your internal Exchange organization via a mechanism called EdgeSync, which replicates a read-only subset of Active Directory data — primarily recipient information — to the Edge server’s local Active Directory Lightweight Directory Services (AD LDS) instance.
Edge Transport Prerequisites
Before installing Exchange Edge Transport on Windows Server 2022, ensure the following prerequisites are met. The server must not be domain-joined — it should be a standalone member of a workgroup. Install the required Windows features and the .NET Framework components first. Exchange 2019 Edge Transport itself needs only the AD LDS feature; the longer list that follows is the Mailbox-role feature set and is not required on an Edge server:
Install-WindowsFeature ADLDS -IncludeManagementTools
Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS
Also install the Visual C++ Redistributable 2012 and 2013 packages, plus the Microsoft Unified Communications Managed API 4.0 Core Runtime if your Exchange version requires it. Ensure the server has a static IP address, DNS configured to resolve both internal and external names, a valid hostname, and a primary DNS suffix configured (Setup requires one on a non-domain-joined server so that the FQDN of the Edge server can be formed and resolved).
Installing Exchange Edge Transport
Mount the Exchange Server 2019 ISO and run Setup.exe from an elevated command prompt. Select the Edge Transport role during installation. Alternatively, use the command-line installer for an unattended deployment (the /IAcceptExchangeServerLicenseTerms_DiagnosticDataON form of the license switch applies to CU12 and later; database switches such as /MdbName and /DbFilePath belong to the Mailbox role and are not used for Edge Transport):
D:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /Mode:Install /Roles:EdgeTransport
The setup will configure AD LDS, install the Exchange transport service, configure anti-spam agents, and register the Windows services. After setup completes, open the Exchange Management Shell (EMS) on the Edge server to verify the installation:
Get-Service MSExchangeTransport | Select-Object Name, Status
Get-TransportAgent | Select-Object Name, Enabled
Creating the EdgeSync Subscription
EdgeSync allows the internal Exchange organization to replicate recipient data and configuration to the Edge Transport server. This replication is one-way: data flows from internal Exchange to Edge, never in the reverse direction. The process involves generating a subscription XML file on the Edge server, then importing it on the internal Mailbox server.
On the Edge Transport server, run:
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"
Copy the resulting EdgeSubscription.xml file to an internal Exchange Mailbox server (use a secure transfer method — USB or encrypted copy). On the internal Mailbox server, import the subscription file to associate the Edge server with an Active Directory site:
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"
Trigger an immediate synchronization to validate connectivity:
Start-EdgeSynchronization
Verify the synchronization status:
Test-EdgeSynchronization -VerifyRecipient user@contoso.com
EdgeSync runs on a scheduled basis (approximately every hour) but you can force it any time with Start-EdgeSynchronization. The replicated data includes accepted domains, remote domains, safe sender lists, blocked sender lists, and recipient data used for recipient filtering.
Configuring Send Connectors and Receive Connectors
The EdgeSync process automatically creates a Send Connector on the internal Hub/Mailbox servers that routes outbound email through the Edge Transport server. However, verify the connector configuration is correct:
Get-SendConnector | Where-Object {$_.SourceTransportServers -like "*Edge*"} | Select-Object Name, AddressSpaces, SmartHosts, SourceTransportServers
For inbound email, the Edge server has a default Receive Connector that accepts connections from the internet on port 25. Review it:
Get-ReceiveConnector -Server EDGE01 | Select-Object Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups
To restrict inbound relay to specific IP ranges (for example, a legitimate relay partner), create a dedicated connector whose RemoteIPRanges lists only the partner's addresses. Exchange hands a session to the connector with the most specific matching RemoteIPRanges, so this connector takes precedence over the default internet connector for those addresses. Use the Partners permission group rather than ExchangeServers: ExchangeServers carries the Accept-Any-Recipient right, which would let the partner relay to any domain through your Edge server. On an Edge Transport server the only transport service is the Transport service, so the connector's TransportRole is HubTransport:
New-ReceiveConnector -Name "Partner Relay" `
-Server EDGE01 `
-TransportRole HubTransport `
-Custom `
-Bindings "0.0.0.0:25" `
-RemoteIPRanges "203.0.113.0/24" `
-AuthMechanism Tls `
-PermissionGroups Partners
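Because the permission group on a connector decides whether a remote host may relay, the set of Receive connectors is worth auditing after every change. The following script is an added example for this article, not part of the original text or a Microsoft tool; it assumes the Exchange Management Shell is loaded on the Edge server and uses the article's server name EDGE01. It flags any connector that grants the relay-capable groups (ExchangeServers, ExchangeLegacyServers) to the whole address space or without TLS:

```powershell
# Added example (not from the original article): audit Receive connectors on an
# Edge Transport server for relay exposure. Assumes the Exchange Management Shell
# is loaded; the server name EDGE01 is taken from the article's examples.
param([string]$Server = "EDGE01")

# A RemoteIPRanges entry is "world" when it covers the entire IPv4 or IPv6 space.
function Test-WorldRange {
    param([object]$Range)
    $text = $Range.ToString()
    return ($text -eq "0.0.0.0-255.255.255.255" -or
            $text -eq "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")
}

$report = foreach ($rc in Get-ReceiveConnector -Server $Server) {
    # PermissionGroups is a flags enum; its string form is "AnonymousUsers, Partners" etc.
    $groups = @($rc.PermissionGroups.ToString() -split ",\s*")
    $world  = @($rc.RemoteIPRanges | Where-Object { Test-WorldRange $_ }).Count -gt 0

    # ExchangeServers / ExchangeLegacyServers carry ms-Exch-SMTP-Accept-Any-Recipient,
    # i.e. unrestricted relay: correct for internal Exchange servers, wrong for partners
    # or the internet.
    $relay = ($groups -contains "ExchangeServers") -or ($groups -contains "ExchangeLegacyServers")
    $anon  = $groups -contains "AnonymousUsers"

    $risk = if ($relay -and $world) { "HIGH: relay rights granted to all source IPs" }
            elseif ($relay -and -not $rc.RequireTLS) { "MEDIUM: relay rights without RequireTLS" }
            elseif ($anon -and $world) { "INFO: internet-facing anonymous connector (expected on Edge)" }
            else { "OK" }

    [pscustomobject]@{
        Connector        = $rc.Name
        Bindings         = ($rc.Bindings -join ", ")
        RemoteIPRanges   = ($rc.RemoteIPRanges -join ", ")
        RequireTLS       = $rc.RequireTLS
        PermissionGroups = $rc.PermissionGroups
        Risk             = $risk
    }
}

# HIGH findings sort first; review each one against the connector's intended purpose.
$report | Sort-Object Risk | Format-Table -AutoSize -Wrap
```

Run it from the Edge server's Exchange Management Shell after creating or modifying connectors. A HIGH finding on anything other than the connector that faces your own internal Mailbox servers means the Edge server can be used as an open relay from the listed ranges.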
Configuring Anti-Spam Agents
The Edge Transport server ships with several built-in anti-spam agents. Each can be enabled, disabled, and tuned independently. Check which agents are currently active:
Get-TransportAgent | Select-Object Name, Enabled, Priority
Connection Filtering blocks connections from known-bad IP addresses based on IP Block Lists and IP Allow Lists, as well as external Block List providers (DNSBLs):
Set-IPBlockListConfig -Enabled $true
Add-IPBlockListEntry -IPAddress 192.0.2.50
Add-IPBlockListProvider -Name "Spamhaus-ZEN" -LookupDomain "zen.spamhaus.org" -AnyMatch $true -RejectionResponse "550 5.7.1 Your IP is listed in a DNS block list"
Sender Filtering rejects messages from specific senders or domains:
Set-SenderFilterConfig -Enabled $true -BlankSenderBlockingEnabled $true -Action Reject
Set-SenderFilterConfig -BlockedDomainsAndSubdomains @{Add="spammydomain.com"}
Recipient Filtering rejects messages to recipients not in your organization, preventing directory harvest attacks. Recipient validation relies on the recipient data that EdgeSync replicates into AD LDS, so it only works once the Edge subscription is in place and synchronizing:
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true -BlockedRecipients @()
Content Filtering assigns a Spam Confidence Level (SCL) to messages based on their content. Messages with a high SCL are rejected, quarantined, or redirected:
Set-ContentFilterConfig -Enabled $true `
-SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
-SCLRejectEnabled $true -SCLRejectThreshold 7 `
-SCLQuarantineEnabled $true -SCLQuarantineThreshold 5 `
-QuarantineMailbox "quarantine@contoso.com" `
-RejectionResponse "550 5.7.1 Message rejected due to content filtering"
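Once the agents are enabled, the anti-spam agent log shows what each of them is actually doing, which is the first place to look when mail volume changes or a sender complains. The following script is an added example for this article, not part of the original text; it assumes the Exchange Management Shell is loaded on the Edge server, and the 24-hour window and top-10 limits are arbitrary defaults. The agent names and action values are those written to the Agent and Action columns of the agent log:

```powershell
# Added example (not from the original article): summarise anti-spam agent activity
# on an Edge Transport server from the agent log. Assumes the Exchange Management
# Shell is loaded on the Edge server; the look-back window and Top limit are arbitrary.
param([int]$Hours = 24, [int]$Top = 10)

$end     = Get-Date
$start   = $end.AddHours(-$Hours)
$entries = @(Get-AgentLog -StartDate $start -EndDate $end)

# 1. Which agent took which action, and how often. A sudden drop in Connection
#    Filtering rejects usually means the DNSBL lookups have stopped resolving.
"== Agent actions in the last $Hours hour(s) =="
$entries |
    Group-Object Agent, Action |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Source IPs with the most Recipient Filter rejections. Many unknown-recipient
#    rejects from one address is the signature of a directory harvest attempt and a
#    candidate for an IP Block List entry after review.
"== Top $Top sources rejected by the Recipient Filter agent =="
$entries |
    Where-Object { $_.Agent -eq "Recipient Filter Agent" -and $_.Action -eq "RejectCommand" } |
    Group-Object IPAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First $Top |
    Format-Table -AutoSize

# 3. Envelope (P1) senders most often stopped by the Content Filter, i.e. messages
#    that scored at or above the SCL reject/quarantine/delete thresholds.
"== Top $Top P1 senders acted on by the Content Filter agent =="
$entries |
    Where-Object { $_.Agent -eq "Content Filter Agent" -and $_.Action -ne "AcceptMessage" } |
    Group-Object P1FromAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First $Top |
    Format-Table -AutoSize
```

Save it as a script and run it daily, or feed the three tables into whatever monitoring the perimeter already reports to; the second table is the one that catches directory harvesting early, before the SCL-based filters see any of it.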
Configuring TLS for SMTP Relay
Enforcing TLS on SMTP connections ensures email in transit is encrypted. First, obtain or create a certificate for the Edge server. The certificate’s common name must match the Edge server’s SMTP FQDN:
# Generate a certificate request (CSR) to submit to an internal or public CA.
# For a lab only, omit -GenerateRequest to create a self-signed certificate instead.
$request = New-ExchangeCertificate `
-GenerateRequest `
-FriendlyName "Edge Transport TLS" `
-SubjectName "CN=edge01.contoso.com" `
-DomainName "edge01.contoso.com","mail.contoso.com" `
-PrivateKeyExportable $true
Set-Content -Path "C:\edge01.req" -Value $request
After installing the certificate, assign it to the SMTP service:
$thumbprint = (Get-ExchangeCertificate | Where-Object {$_.Subject -like "*edge01*"}).Thumbprint
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services SMTP -Force
Enforce TLS on the dedicated partner Receive Connector created earlier. Do not set RequireTLS on the default internet-facing connector: that rejects mail from every sender that does not offer STARTTLS. The TlsCertificateName value pins the connector to a specific certificate and is built from the certificate's issuer and subject in the form <I>Issuer<S>Subject, using the $thumbprint from the previous step:
$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
Set-ReceiveConnector -Identity "EDGE01\Partner Relay" `
-RequireTLS $true `
-EnableAuthGSSAPI $false `
-TlsCertificateName "<I>$($cert.Issuer)<S>$($cert.Subject)"
Testing Mail Flow
Use the Test-Mailflow cmdlet from an internal Exchange server to verify end-to-end mail flow through the Edge Transport server:
Test-Mailflow -AutoDiscoverTargetEmailAddress "user@contoso.com" | Select-Object TestMailflowResult, MessageLatencyTime
You can also open a manual SMTP session via Telnet to confirm connectivity and that STARTTLS is advertised. Wait for the 220 banner, send EHLO and look for 250-STARTTLS in the reply; sending STARTTLS then returns 220 when the server is ready to negotiate. Telnet cannot complete the TLS handshake itself, so the actual negotiation has to be checked with a TLS-capable client:
telnet edge01.contoso.com 25
EHLO testclient
STARTTLS
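To check the negotiation itself from a Windows test client, the following script is an added example for this article, not part of the original text; it drives the SMTP dialogue with .NET sockets and SslStream, then reports the protocol, cipher and certificate the Edge server presented. The host name edge01.contoso.com is the article's example; the EHLO name is an assumption. The certificate callback accepts any chain so the handshake completes, and records the validation result instead of failing, so an untrusted or mismatched certificate shows up in the ChainErrors field rather than aborting the test:

```powershell
# Added example (not from the original article): verify STARTTLS on an SMTP endpoint
# and report the negotiated protocol, cipher and server certificate.
# edge01.contoso.com is the article's example host; the EHLO name is an assumption.

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # Multi-line replies continue with "250-"; the final line uses "250 ".
    $lines = New-Object System.Collections.Generic.List[string]
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw "Connection closed by server" }
        $lines.Add($line)
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines.ToArray()
}

function Send-SmtpCommand {
    param([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command)
    $Writer.WriteLine($Command)
    return Read-SmtpReply -Reader $Reader
}

function Test-SmtpStartTls {
    param([string]$HostName = "edge01.contoso.com", [int]$Port = 25,
          [string]$EhloName = "tlscheck.example.net")   # EhloName is an assumption
    $script:policyErrors = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $net    = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($net, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($net, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $banner = Read-SmtpReply -Reader $reader
        if ($banner[-1] -notmatch '^220') { throw "Unexpected banner: $($banner[-1])" }
        $ehlo    = Send-SmtpCommand -Writer $writer -Reader $reader -Command "EHLO $EhloName"
        $offered = [bool]($ehlo | Where-Object { $_ -match '^250[- ]STARTTLS' })
        if (-not $offered) {
            Send-SmtpCommand -Writer $writer -Reader $reader -Command "QUIT" | Out-Null
            return [pscustomobject]@{ Host = $HostName; StartTlsOffered = $false }
        }
        $reply = Send-SmtpCommand -Writer $writer -Reader $reader -Command "STARTTLS"
        if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply[-1])" }

        # Accept any certificate so the handshake completes, but record the validation result.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $callback)
        # SslProtocols.None lets the OS pick its configured defaults (TLS 1.2+ on Server 2022).
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::None, $false)

        # Re-issue EHLO inside the tunnel, as RFC 3207 requires, then leave cleanly.
        $sreader = New-Object System.IO.StreamReader($ssl, [System.Text.Encoding]::ASCII)
        $swriter = New-Object System.IO.StreamWriter($ssl, [System.Text.Encoding]::ASCII)
        $swriter.NewLine = "`r`n"; $swriter.AutoFlush = $true
        Send-SmtpCommand -Writer $swriter -Reader $sreader -Command "EHLO $EhloName" | Out-Null
        Send-SmtpCommand -Writer $swriter -Reader $sreader -Command "QUIT" | Out-Null

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host            = $HostName
            StartTlsOffered = $true
            Protocol        = $ssl.SslProtocol
            Cipher          = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            CertSubject     = $cert.Subject
            CertIssuer      = $cert.Issuer
            CertExpires     = $cert.NotAfter
            ChainErrors     = "$script:policyErrors"   # "None" when this client trusts the chain
        }
    }
    finally { $client.Close() }
}

Test-SmtpStartTls -HostName "edge01.contoso.com" | Format-List
```

A healthy result shows StartTlsOffered True, a TLS 1.2 or newer protocol, the CertSubject you assigned with Enable-ExchangeCertificate and ChainErrors None. A CertSubject that does not match the Edge server's FQDN, or a RemoteCertificateNameMismatch in ChainErrors, means the SMTP service is still presenting a different certificate from the one you intended.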
Review message tracking logs on the Edge server to audit mail flow:
Get-MessageTrackingLog -Server EDGE01 -Start (Get-Date).AddHours(-1) -EventId RECEIVE | Select-Object Timestamp, Sender, Recipients, MessageSubject
Edge Transport in Microsoft 365 Hybrid Deployments
When deploying Exchange in a hybrid configuration with Microsoft 365, the Edge Transport server can serve as the SMTP relay between your on-premises Exchange organization and Exchange Online. The Hybrid Configuration Wizard (HCW) automates most of this setup, but you should understand what it configures. The HCW creates Send and Receive Connectors on both sides that establish a dedicated TLS-encrypted mail flow path. On the Edge server, a connector is created that routes outbound email to Exchange Online Protection (EOP) rather than directly to the internet. Inbound mail from Microsoft 365 arrives at the Edge server’s MX-pointed IP address and is relayed inward after anti-spam processing. This architecture preserves Edge Transport’s security value even in hybrid configurations.