Introduction
Exchange Server running on Windows Server 2016 includes an optional Edge Transport server role. An Edge Transport server sits in the perimeter network (DMZ) and handles all inbound and outbound Internet email, so the internal Exchange servers are never exposed directly to the Internet. It performs anti-spam filtering, recipient validation, connection filtering, and policy enforcement at the network edge. This guide walks through deploying and configuring an Edge Transport server, subscribing it to your Exchange organisation, and tuning it for production email flow.
Prerequisites
Before deploying Edge Transport, verify the environment meets Exchange requirements:
# Check Windows Server 2016 version
[System.Environment]::OSVersion.Version
# Verify .NET Framework 4.7.2+ (Release value 461808 or higher)
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full').Release
# Check available RAM (minimum 4 GB for lab, 8 GB+ for production)
(Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB
# Confirm the server is NOT domain-joined (Edge Transport requires workgroup); expect False
(Get-CimInstance Win32_ComputerSystem).PartOfDomain
Installing Required Windows Features
Edge Transport has specific Windows feature dependencies that must be installed before the Exchange prerequisite script runs:
Install-WindowsFeature ADLDS
Install-WindowsFeature `
NET-Framework-45-Features,
RPC-over-HTTP-proxy,
RSAT-Clustering,
RSAT-Clustering-CmdInterface,
Web-Mgmt-Console,
WAS-Process-Model,
Web-Asp-Net45,
Web-Basic-Auth,
Web-Client-Auth,
Web-Digest-Auth,
Web-Dir-Browsing,
Web-Dyn-Compression,
Web-Http-Errors,
Web-Http-Logging,
Web-Http-Redirect,
Web-Http-Tracing,
Web-ISAPI-Ext,
Web-ISAPI-Filter,
Web-Lgcy-Mgmt-Console,
Web-Metabase,
Web-Mgmt-Service,
Web-Net-Ext45,
Web-Request-Monitor,
Web-Server,
Web-Stat-Compression,
Web-Static-Content,
Web-Windows-Auth,
Web-WMI,
Windows-Identity-Foundation
Installing Exchange Edge Transport Role
Run the Exchange Server setup in unattended mode to install only the Edge Transport role:
$ExchangeISO = 'D:' # Drive letter of the mounted Exchange Server ISO
# Prepare Active Directory (run from a domain-joined machine with Enterprise Admins rights,
# not from the workgroup Edge server)
& "$ExchangeISO\Setup.exe" /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF `
/PrepareAD /OrganizationName:"ContosoOrg"
# Install the Edge Transport role only (run on the Edge server)
& "$ExchangeISO\Setup.exe" /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF `
/Mode:Install /Role:EdgeTransport /MdbName:"EdgeDB" `
/InstallWindowsComponents /InstallPath:"C:\Exchange"
# Verify installation
Get-Service MSExchange* | Select-Object Name,Status,StartType
Creating the Edge Subscription
The Edge Subscription synchronises configuration data from Active Directory to the Edge server via EdgeSync. Generate the subscription file on the Edge server, then import it on the Hub/Mailbox server:
# Run on the Edge Transport server
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml" -Site "Default-First-Site-Name"
# Copy EdgeSubscription.xml to the internal Exchange server. The file holds the EdgeSync
# bootstrap credential, so delete it from both servers once it has been imported.
# Run on the internal Exchange/Mailbox server
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSubscription.xml" `
-Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"
# Start an immediate EdgeSync from the Mailbox server and verify it (-TargetServer is the Edge server)
Start-EdgeSynchronization -TargetServer 'EDGE01'
Test-EdgeSynchronization -TargetServer 'EDGE01'
Configuring Send and Receive Connectors
Edge Transport automatically creates Internet Send and Receive connectors during EdgeSync. Verify and tune them:
# Check connectors on Edge server
Get-ReceiveConnector | Select-Object Name,Bindings,RemoteIPRanges,MaxMessageSize
Get-SendConnector | Select-Object Name,AddressSpaces,SmartHosts,Enabled
# Adjust maximum message size (50 MB)
Set-ReceiveConnector 'Default internal receive connector EDGE01' -MaxMessageSize 50MB
Set-SendConnector 'EdgeSync - Inbound to Contoso' -MaxMessageSize 50MB
# RemoteIPRanges controls which source addresses may connect. The Internet-facing connector
# has to accept the full range; narrow it only on connectors that should be reachable from
# known hosts (for example an internal relay connector).
Set-ReceiveConnector 'Default EDGE01' -RemoteIPRanges '0.0.0.0-255.255.255.255'
Configuring Anti-Spam Filters
Enable and tune the built-in anti-spam agents on the Edge Transport server:
# Anti-spam agents are installed and enabled by default on the Edge role; confirm none is disabled
Get-TransportAgent | Select-Object Identity,Enabled,Priority
# Configure connection filtering (block a known bad IP, allow a trusted range)
Add-IPBlockListEntry -IPAddress '192.0.2.1'
Add-IPAllowListEntry -IPRange '203.0.113.0/24'
# Configure content filter SCL thresholds. Each action must also be switched on;
# quarantine additionally needs a destination mailbox (-QuarantineMailbox) before it is enabled.
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
-SCLRejectEnabled $true -SCLRejectThreshold 7 -SCLQuarantineThreshold 5
# Configure sender reputation (block a sender for 24 hours once its reputation level is exceeded)
Set-SenderReputationConfig -SenderBlockingEnabled $true -SenderBlockingPeriod 24
# View spam statistics for the last seven days
Get-AgentLog -StartDate (Get-Date).AddDays(-7) |
Where-Object {$_.Reason -like '*spam*'} |
Group-Object Reason | Sort-Object Count -Descending
Configuring TLS for SMTP
Enable opportunistic TLS on inbound and outbound connectors for encrypted email transport:
# Offer STARTTLS (opportunistic TLS) on the receive connector without making it mandatory
Set-ReceiveConnector 'Default EDGE01' -RequireTLS $false -EnableAuthGSSAPI $false
# Select the already imported public certificate (Import-ExchangeCertificate imports it) and bind it to SMTP
$cert = Get-ExchangeCertificate | Where-Object {$_.Subject -like '*mail.contoso.com*'}
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP
# Enable Domain Security (mutual TLS) for specific domains. Run on the Mailbox server; EdgeSync
# replicates it. The Send and Receive connectors used for these domains also need -DomainSecureEnabled $true.
Set-TransportConfig -TLSSendDomainSecureList @{Add='partner.com'}
Set-TransportConfig -TLSReceiveDomainSecureList @{Add='partner.com'}
Testing and Monitoring Mail Flow
Validate that email flows correctly through the Edge Transport server:
# Test that every receive connector on the Edge server accepts SMTP connections
Test-SmtpConnectivity -Identity 'EDGE01'
# Check mail queue health
Get-Queue | Select-Object Identity,Status,MessageCount,NextHopDomain
Get-Message -Queue 'EDGE01\Submission' | Select-Object Subject,FromAddress,Recipients,Status
# List the SMTP events and the transport agents registered on each (a configuration view, not a live trace)
Get-TransportPipeline | Select-Object Event,TransportAgents
# Review Edge Transport event logs
Get-EventLog -LogName Application -Source '*MSExchange*' -Newest 50 |
Select-Object TimeGenerated,EntryType,Message | Format-List
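The checks in this guide are spread over several cmdlets; the following read-only posture check, added here as an example and not part of the original guide, re-verifies the settings configured above in one pass. It assumes it runs in the Exchange Management Shell on the Edge server itself, and that 'mail.contoso.com' is the certificate subject used earlier.

```powershell
# Added example (not from the original guide): read-only posture check for an Edge Transport
# server configured as described above. Run in the Exchange Management Shell on the Edge server.
function Test-EdgePosture {
    param([string]$CertSubject = 'mail.contoso.com')   # subject used earlier in the guide
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The Edge role should sit in a workgroup, not in the internal forest.
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        $findings.Add('Server is domain-joined; Edge Transport belongs in a workgroup')
    }

    # 2. Every transport agent (the anti-spam agents included) must be enabled;
    #    a disabled agent silently stops filtering.
    Get-TransportAgent | Where-Object { -not $_.Enabled } | ForEach-Object {
        $findings.Add("Transport agent disabled: $($_.Identity)")
    }

    # 3. Receive connectors: the ExternalAuthoritative + ExchangeServers combination turns a
    #    connector into an open relay for every address in RemoteIPRanges; and a connector
    #    whose AuthMechanism lacks Tls never offers STARTTLS.
    foreach ($rc in Get-ReceiveConnector) {
        $auth = $rc.AuthMechanism.ToString()
        if ($auth -match 'ExternalAuthoritative' -and $rc.PermissionGroups.ToString() -match 'ExchangeServers') {
            $findings.Add("Open relay risk on '$($rc.Name)' for ranges: $($rc.RemoteIPRanges -join ', ')")
        }
        if ($auth -notmatch 'Tls') { $findings.Add("No STARTTLS offered on '$($rc.Name)'") }
    }

    # 4. The SMTP certificate must be the intended public certificate and not close to expiry.
    $cert = Get-ExchangeCertificate |
        Where-Object { $_.Services.ToString() -match 'SMTP' -and $_.Subject -like "*$CertSubject*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        $findings.Add("No SMTP-enabled certificate matching '$CertSubject'")
    } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings.Add("SMTP certificate $($cert.Thumbprint) expires $($cert.NotAfter)")
    }

    # 5. Content filter thresholds only make sense when the filter is enabled and the
    #    actions are ordered Delete >= Reject >= Quarantine; quarantine needs a mailbox.
    $cf = Get-ContentFilterConfig
    if (-not $cf.Enabled) { $findings.Add('Content filter configuration is disabled') }
    if ($cf.SCLDeleteThreshold -lt $cf.SCLRejectThreshold -or $cf.SCLRejectThreshold -lt $cf.SCLQuarantineThreshold) {
        $findings.Add("SCL thresholds out of order: delete=$($cf.SCLDeleteThreshold) reject=$($cf.SCLRejectThreshold) quarantine=$($cf.SCLQuarantineThreshold)")
    }
    if ($cf.SCLQuarantineEnabled -and -not $cf.QuarantineMailbox) {
        $findings.Add('SCL quarantine is enabled but no QuarantineMailbox is set')
    }

    if ($findings.Count -eq 0) { 'OK: no findings' } else { $findings }
}
Test-EdgePosture
```

Each finding names the connector, agent or setting involved so it can be fixed with the corresponding Set-* cmdlet from the sections above.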
Summary
Deploying an Edge Transport server on Windows Server 2016 provides a hardened SMTP gateway that keeps internal Exchange servers off the Internet. The EdgeSync subscription keeps recipient, anti-spam and routing configuration synchronised automatically, while the built-in anti-spam agents, connection filtering, and TLS cut down the spam and malicious mail reaching the organisation and protect messages in transit. Regular monitoring of mail queues, agent logs, and event logs keeps the system running reliably in production.