Overview of Edge Transport Server for Email
An Edge Transport server sits in the DMZ between the internet and your internal Exchange organization. It handles inbound and outbound SMTP, anti-spam filtering, antivirus scanning, address rewriting, and connector configuration without being a domain member, thereby limiting what an attacker gains if the edge server is compromised. On Windows Server 2019, you can run Exchange Server 2019 in the Edge Transport role, or configure an SMTP relay using built-in Windows features and the IIS SMTP service. This guide covers both the deployment of the Exchange 2019 Edge Transport role and the simpler IIS SMTP relay scenario.
Option 1: Exchange Server 2019 Edge Transport Role
Exchange Server 2019 Edge Transport role runs on a workgroup (non-domain) Windows Server 2019 server and uses Active Directory Lightweight Directory Services (AD LDS) to store configuration locally. EdgeSync replicates recipient and configuration data from the internal Exchange organization to the edge server.
Prerequisites for Exchange Edge Transport
# On the Windows Server 2019 Edge Transport server (workgroup, not domain joined)
# Install required Windows features
Install-WindowsFeature -Name AD-LDS -IncludeManagementTools
# Install .NET Framework 4.8
# Download and run: ndp48-x86-x64-allos-enu.exe
# Install Visual C++ Redistributable 2013
# Download and run: vcredist_x64.exe
# Set computer name and static IP
Rename-Computer -NewName 'EDGE-SMTP01' -Restart
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 203.0.113.10 `
-PrefixLength 28 -DefaultGateway 203.0.113.1
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 8.8.8.8, 1.1.1.1
# Set hosts file entries for internal Exchange servers (no AD DNS available in DMZ)
Add-Content 'C:\Windows\System32\drivers\etc\hosts' `
'192.168.1.20 MAIL01.corp.local MAIL01'
# Open firewall ports
New-NetFirewallRule -DisplayName 'SMTP Inbound' -Direction Inbound -Protocol TCP -LocalPort 25 -Action Allow
New-NetFirewallRule -DisplayName 'SMTP-TLS' -Direction Inbound -Protocol TCP -LocalPort 587 -Action Allow
New-NetFirewallRule -DisplayName 'SMTPS' -Direction Inbound -Protocol TCP -LocalPort 465 -Action Allow
Installing Exchange 2019 Edge Transport Role
# From Exchange 2019 media, unattended installation
.\Setup.exe /Mode:Install /Role:EdgeTransport /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF
# Verify installation
Get-ExchangeDiagnosticInfo -Server EDGE-SMTP01 -Process EdgeTransport -Component HealthChecks
# Check EdgeTransport service
Get-Service MSExchangeTransport | Select-Object Name, Status
# Get Edge Transport configuration
Get-TransportService EDGE-SMTP01 | Select-Object Name, InternalDNSServers, ExternalDNSServers, MaxOutboundConnections
Configuring EdgeSync to Replicate from Internal Exchange
EdgeSync pushes recipient data, accepted domains, and safe sender lists from the internal Exchange Mailbox servers to the Edge Transport server using a secure LDAP channel:
# On the INTERNAL Exchange Mailbox server (domain joined), export the Edge subscription XML
# Copy the certificate and create subscription file from the Edge server first:
# On Edge Transport server - create subscription file
New-EdgeSubscription -FileName 'C:\EdgeSubscription.xml'
# Copy EdgeSubscription.xml to an internal Exchange Mailbox server, then:
# On internal Mailbox server:
New-EdgeSubscription -FileData ([System.IO.File]::ReadAllBytes('C:\EdgeSubscription.xml')) `
-Site 'Default-First-Site-Name' `
-CreateInternetSendConnector $true `
-CreateInboundSendConnector $true
# Start EdgeSync synchronization
Start-EdgeSynchronization
# Check EdgeSync status
Test-EdgeSynchronization -FullCompareMode
Get-EdgeSubscription | Select-Object Name, Site, LastSynchronizedUtc
Configuring Anti-Spam on Exchange Edge Transport
# Enable all anti-spam agents
Enable-AntispamUpdates
Get-TransportAgent | Select-Object Name, Enabled, Priority
# Configure Connection Filtering (block known spam source IPs)
Add-IPBlockListEntry -IPAddress 192.0.2.5 -Comment 'Known spammer'
Add-IPBlockListProvider -Name 'SpamCop' -LookupDomain 'bl.spamcop.net' -AnyMatch $true -Enabled $true
# Configure Content Filtering (spam confidence level); each threshold only takes effect with its matching -SCL*Enabled switch
Set-ContentFilterConfig -Enabled $true `
-SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
-SCLRejectEnabled $true -SCLRejectThreshold 7 `
-SCLQuarantineEnabled $true -SCLQuarantineThreshold 5 `
-QuarantineMailbox '[email protected]'
# Configure Recipient Filtering (reject mail to non-existent recipients; validation relies on the recipient data EdgeSync replicates)
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true -BlockedRecipients @('[email protected]')
# Configure Sender Policy Framework (SPF)
Set-SenderIdConfig -Enabled $true `
-SpoofedDomainAction Delete `
-TempErrorAction StampStatus
# Configure DKIM signing. New-DkimSigningConfig is an Exchange Online Protection cmdlet: on-premises
# Exchange 2019 has no built-in DKIM signing agent, so run this against the tenant when outbound mail
# is routed through Exchange Online
New-DkimSigningConfig -DomainName 'corp.com' -Enabled $true -KeySize 2048
Get-DkimSigningConfig | Select-Object Domain, Enabled, Selector1PublicKey
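The threshold and block-list settings above are only as good as the traffic they are checked against. The following script is an added example, not part of the original guide, that summarises what the anti-spam agents on the Edge server actually did over a time window, using Get-AgentLog from the Exchange Management Shell. The 24-hour window and the agent and action names it filters on (Content Filter Agent, RejectMessage, DeleteMessage, RejectCommand) are assumptions based on the agent log format.

```powershell
# Added example (not from the original guide): review anti-spam agent decisions on the
# Edge Transport server so a threshold or block-list change can be checked against real traffic.
# Assumes the Exchange Management Shell on the Edge server. The window is a constructed default.
param([int]$Hours = 24)

$end   = Get-Date
$start = $end.AddHours(-$Hours)

# Get-AgentLog reads the agent log that the anti-spam agents write on this server.
$entries = Get-AgentLog -StartDate $start -EndDate $end

if (-not $entries) {
    Write-Output "No agent log entries between $start and $end"
    return
}

# 1. Which agent took which action, and how often.
Write-Output "Agent actions, last $Hours h:"
$entries | Group-Object Agent, Action |
    Sort-Object Count -Descending |
    Select-Object @{n = 'Agent/Action'; e = { $_.Name }}, Count |
    Format-Table -AutoSize

# 2. Top connecting IPs that were rejected: candidates for Add-IPBlockListEntry, or,
#    if a legitimate partner shows up here, for a block-list exception.
Write-Output "Top rejected source IPs:"
$entries |
    Where-Object { $_.Action -in 'RejectMessage', 'DeleteMessage', 'RejectCommand' } |
    Group-Object IPAddress |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count |
    Format-Table -AutoSize

# 3. Content Filter decisions by reason; the SCL thresholds set above drive these.
Write-Output "Content Filter agent decisions:"
$entries |
    Where-Object { $_.Agent -eq 'Content Filter Agent' } |
    Group-Object Reason, Action |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Run it after a threshold change and again a day later; a jump in DeleteMessage counts from a single IP range is the signal that the IP block list should be updated, while rejections of a known partner point at a -BypassedSenderDomains exception rather than a lower SCL threshold.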
Option 2: IIS SMTP Service as a Simple Relay
For environments without Exchange Server, the IIS SMTP service on Windows Server 2019 provides a lightweight SMTP relay for applications to send email through Exchange Online or an internal mail server:
# Install IIS SMTP service
Install-WindowsFeature -Name SMTP-Server -IncludeManagementTools
# Start the SMTP service
Start-Service SMTPSVC
Set-Service SMTPSVC -StartupType Automatic
# Configure via IIS 6.0 Manager (IIS SMTP is a legacy component)
# Or configure via the metabase using PowerShell and WMI:
# Get SMTP virtual server configuration
$smtp = [WMIClass]'\\localhost\root\MicrosoftIISv2:IIsSmtpServerSetting'
$smtpServer = Get-WMIObject -Namespace 'root\MicrosoftIISv2' -Class 'IIsSmtpServerSetting'
# Configure relay restrictions (allow only local server to relay)
# In IIS 6 Manager: SMTP Virtual Server > Properties > Access > Relay
# Allow only: 127.0.0.1 and application server IPs
# Configure smart host (forward all mail to Exchange Online)
# In IIS 6 Manager: SMTP Virtual Server > Properties > Delivery > Advanced
# Smart host: [smtp.office365.com] (brackets = skip DNS MX lookup)
# Or configure via command line tools:
# These settings are in C:\Windows\system32\inetsrv\MetaBase.xml
# SmartHost: smtp.office365.com
# Set TLS for smart host connection
# In advanced delivery settings, enable TLS
# Test by sending a message using PowerShell
Send-MailMessage -From '[email protected]' -To '[email protected]' `
-Subject 'Test from SMTP relay' -Body 'Test message' `
-SmtpServer localhost -Port 25
Configuring TLS for SMTP
# For Exchange Edge Transport - configure TLS certificate
$cert = Get-ExchangeCertificate | Where-Object { $_.Subject -like '*edge-smtp01*' }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP
# Configure TLS for inbound SMTP (STARTTLS)
Get-ReceiveConnector 'EDGE-SMTP01\Default internal receive connector EDGE-SMTP01' |
Set-ReceiveConnector -RequireTLS $false -EnableAuthGSSAPI $false `
-AuthMechanism None,TLS
# Force opportunistic TLS on the default internet connector
Get-ReceiveConnector 'EDGE-SMTP01\Default Frontend EDGE-SMTP01' |
Set-ReceiveConnector -EnableAuthGSSAPI $false -AuthMechanism None,TLS
# Configure the EdgeSync inbound Send Connector (created by the Edge Subscription) to require TLS to internal Exchange;
# -TlsAuthLevel DomainValidation also needs -TlsDomain matching the name on the internal server's certificate
Get-SendConnector | Where-Object { $_.Name -like 'EdgeSync - Inbound to *' } |
Set-SendConnector -RequireTLS $true -TlsAuthLevel DomainValidation -TlsDomain 'MAIL01.corp.local'
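Two of the settings above are easy to get wrong silently: the relay restrictions on the IIS SMTP relay (Option 2) and STARTTLS on the internet-facing receive connector. The script below is an added example, not part of the original guide, that checks both from the outside in one SMTP session: it confirms STARTTLS is offered, negotiates TLS and reports the certificate and its expiry, checks whether AUTH is still advertised to anonymous clients, and then confirms that an unauthenticated RCPT TO for a foreign domain is refused, so the host is not an open relay. The public host name, the probe sender and the external recipient are constructed values; no message body is ever sent.

```powershell
# Added example (not part of the original guide): external-side smoke test for a perimeter
# SMTP host. Reports STARTTLS/certificate state and verifies relay is denied to anonymous
# clients. Run it from a host that is NOT on the relay allow list.
param(
    [string]$Server    = 'edge-smtp01.example.com',   # assumed public name of the edge/relay host
    [int]   $Port      = 25,
    [string]$Sender    = 'probe@example.net',         # constructed; not one of our accepted domains
    [string]$Recipient = 'relay-test@example.org'     # constructed; an external domain
)

# Minimal SMTP helper: send one command (or nothing, to read the banner) and return the
# complete reply, following "250-..." continuation lines until the final "250 " line.
function Send-SmtpCommand {
    param([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command)
    if ($Command) { $Writer.WriteLine($Command); $Writer.Flush() }
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ($lines -join "`n")
}

$tcp    = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$stream = $tcp.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"

$banner = Send-SmtpCommand $writer $reader $null
$ehlo   = Send-SmtpCommand $writer $reader 'EHLO probe.example.net'
$result = [ordered]@{
    Banner          = $banner.Split("`n")[0]
    StartTlsOffered = ($ehlo -match 'STARTTLS')
}

if ($result.StartTlsOffered) {
    $reply = Send-SmtpCommand $writer $reader 'STARTTLS'
    if ($reply -notmatch '^220') { throw "STARTTLS refused: $reply" }
    # Accept any certificate for the handshake so a self-signed edge cert is still reported;
    # chain validity is recorded separately via Verify() rather than aborting the test.
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, { $true })
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $result.TlsProtocol  = $ssl.SslProtocol
    $result.CertSubject  = $cert.Subject
    $result.CertExpires  = $cert.NotAfter
    $result.DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $result.ChainValid   = $cert.Verify()
    # The dialogue continues over the encrypted channel; EHLO must be repeated after STARTTLS.
    $reader = New-Object System.IO.StreamReader($ssl)
    $writer = New-Object System.IO.StreamWriter($ssl)
    $writer.NewLine = "`r`n"
    $ehlo   = Send-SmtpCommand $writer $reader 'EHLO probe.example.net'
}

# Legacy auth check: an anonymous internet connector should not advertise AUTH mechanisms.
$result.AuthAdvertised = (($ehlo -split "`n") | Where-Object { $_ -match '^250[- ]AUTH ' }) -join ','

# Relay check: an unauthenticated client must get a 5xx for a recipient outside our domains.
$null = Send-SmtpCommand $writer $reader "MAIL FROM:<$Sender>"
$rcpt = Send-SmtpCommand $writer $reader "RCPT TO:<$Recipient>"
$result.RelayDenied = ($rcpt -match '^5')
$result.RcptReply   = $rcpt
$null = Send-SmtpCommand $writer $reader 'QUIT'
$tcp.Close()

[pscustomobject]$result | Format-List
```

RelayDenied should be True and DaysToExpiry comfortably positive; run it on a schedule and alert on either changing, since an expired certificate makes STARTTLS fail open to cleartext on connectors where RequireTLS is $false, and a relay that starts answering 250 to RCPT TO will be found by spammers long before it shows up in a queue.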
Monitoring Mail Flow
# Check message queue status
Get-Queue | Format-Table -AutoSize
# View messages stuck in queue
Get-Message -Queue 'EDGE-SMTP01\Submission' | Select-Object Subject, FromAddress, Status
# Check the message tracking log for delivery failures (the reason is carried in RecipientStatus)
Get-MessageTrackingLog -Start (Get-Date).AddHours(-2) -EventId FAIL |
Select-Object Timestamp, Source, EventId, MessageSubject, Recipients, RecipientStatus |
Format-Table -AutoSize
# Monitor receive logs
Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) -EventId RECEIVE |
Measure-Object | Select-Object Count
# Test mail flow from Edge to internal
Test-Mailflow -TargetMailboxServer MAIL01
# Check connectivity to smart host
Test-SmtpConnectivity -ListenAddress 203.0.113.10 -Port 25
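The queue and tracking-log commands above are what an operator types interactively; to turn them into a check that runs unattended, the following script is an added example, not part of the original guide. It flags queues that are deep, in Retry or Suspended, summarises FAIL events by their RecipientStatus reason, and returns a non-zero exit code so a scheduled task or monitoring agent can alert on it. The message-count threshold and the look-back window are constructed defaults; it assumes the Exchange Management Shell on the Edge Transport server.

```powershell
# Added example (not from the original guide): scheduled mail-flow health check for the
# Edge Transport server. Thresholds are constructed defaults; adjust to your volume.
param(
    [int]$MaxQueuedMessages = 200,   # assumed alert threshold per queue
    [int]$LookbackHours     = 2
)

function Get-QueueAlerts {
    param([int]$Threshold)
    # Get-Queue reports every queue on this transport server with its depth, status and last error.
    Get-Queue | Where-Object {
        $_.MessageCount -ge $Threshold -or $_.Status -eq 'Retry' -or $_.Status -eq 'Suspended'
    } | ForEach-Object {
        [pscustomobject]@{
            Queue     = $_.Identity
            Status    = $_.Status
            Messages  = $_.MessageCount
            NextHop   = $_.NextHopDomain
            LastError = $_.LastError
        }
    }
}

function Get-FailureSummary {
    param([int]$Hours)
    $start = (Get-Date).AddHours(-$Hours)
    # FAIL events carry the per-recipient reason in RecipientStatus; group on it to see
    # whether failures are one bad destination or a systemic problem (DNS, TLS, smart host).
    Get-MessageTrackingLog -Start $start -EventId FAIL -ResultSize Unlimited |
        Group-Object { $_.RecipientStatus -join ';' } |
        Sort-Object Count -Descending |
        Select-Object @{n = 'Reason'; e = { $_.Name }}, Count,
                      @{n = 'SampleRecipient'; e = { ($_.Group | Select-Object -First 1).Recipients -join ',' }}
}

$alerts = @(Get-QueueAlerts -Threshold $MaxQueuedMessages)
if ($alerts.Count -gt 0) {
    Write-Warning "$($alerts.Count) queue(s) need attention:"
    $alerts | Format-Table -AutoSize
    # Non-zero exit lets Task Scheduler or a monitoring agent treat this run as a failure.
    $exitCode = 1
} else {
    Write-Output "All queues below $MaxQueuedMessages messages and none in Retry or Suspended."
    $exitCode = 0
}

Write-Output "Delivery failures in the last $LookbackHours h, by reason:"
Get-FailureSummary -Hours $LookbackHours | Format-Table -AutoSize
exit $exitCode
```

A Retry queue whose NextHop is the internal site and whose LastError mentions TLS is the usual symptom of a certificate or -TlsDomain mismatch on the EdgeSync inbound Send Connector; a growing Submission queue with no FAIL events usually means the transport agents, not the next hop, are the bottleneck.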
Conclusion
Deploying Exchange Server 2019 Edge Transport on Windows Server 2019 provides a fully featured perimeter SMTP gateway with anti-spam, SPF/DKIM enforcement, content filtering, and EdgeSync-based recipient validation—all without domain membership. The simpler IIS SMTP relay path serves environments that just need an application-to-Exchange smart host. In either case, enforcing STARTTLS, disabling legacy authentication, and monitoring queues and logs are the critical operational hygiene steps that keep email flowing reliably and securely.