Step 1: How an Edge Transport server works

Learn how an Edge Transport server works to secure your email environment and how it communicates with Windows Active Directory and other Exchange 2007 server roles.

Because an Edge Transport server sits at your network perimeter, it is the only server in an Exchange Server 2007 organization that is directly exposed to the Internet (it should still be placed behind a firewall, with only the ports it actually needs open).

In Exchange Server 2003, the NNTP and SMTP services (both components of Internet Information Services, IIS) had to be installed before Setup would let you install Exchange. Neither service is required in Exchange Server 2007.

In fact, the Exchange 2007 pre-installation checks fail if the NNTP service is installed, because Exchange 2007 does not support NNTP at all. Likewise, the Exchange 2007 Setup wizard checks that the IIS SMTP service is not installed.

The IIS SMTP service is forbidden because Exchange 2007 no longer relies on IIS for mail transport. Rather than expose an Internet-facing server to any weakness in the IIS SMTP stack, the Exchange development team rewrote SMTP transport in managed code; the result is installed by Exchange Setup as the Microsoft Exchange Transport service. Keeping the IIS SMTP service off the box avoids two services contending for port 25 and removes code the perimeter server does not need.

The relationship between an Edge Transport server and Active Directory

Microsoft has also changed Exchange Server's dependency on Active Directory. Every Exchange Server 2007 role requires access to Active Directory, with one exception: the Edge Transport server role.

Giving a perimeter server read and write access to Active Directory would be a huge security risk, because a compromised Edge server could then read or alter the directory itself. So an Edge Transport server is typically not even a domain member; it has no direct access to Active Directory and instead keeps its configuration in a local Active Directory Application Mode (ADAM) instance.

What this means is that only the subset of directory data the Edge server needs (the Exchange configuration, plus recipient and safe-sender information used for filtering, with recipient addresses stored as hashes) is replicated one way, from a Hub Transport server into the ADAM instance on the Edge server, by the EdgeSync process set up in Steps 3 and 4. Consequently, the server has the configuration information it needs, while the Active Directory forest itself is never reachable from the perimeter, and a compromise of the Edge server exposes only that replicated subset.

Edge Transport server role rules

Microsoft introduced the concept of server roles in Exchange 2007 to make the product more modular. Roles can be combined on a machine as needed, so each Exchange server performs its required tasks without the overhead, or the attack surface, of running code it does not need.

Normally, a single Exchange 2007 server can host multiple server roles -- an Edge Transport server is again the exception. Because an Edge Transport server needs to be hardened (and because it doesn't have direct access to Active Directory), no other Exchange 2007 server roles can be run on the same machine.
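The three rules above (no IIS SMTP or NNTP service, an ADAM instance in place of Active Directory, and no other role on the box) can be checked from a PowerShell prompt on the Edge server. The script below is an added example written for this page, not code from the original article or from Microsoft. It assumes the Windows 2003-era IIS service names SMTPSVC and NNTPSVC, the Exchange 2007 ADAM instance service name ADAM_MSExchange, the transport service name MSExchangeTransport, and the Exchange 2007 per-role registry keys under HKLM\SOFTWARE\Microsoft\Exchange\v8.0; it sticks to PowerShell 1.0 syntax so it runs in the shell that shipped with Exchange 2007.

```powershell
# Added example (not part of the original article): sanity checks for an
# Exchange 2007 Edge Transport server. Run locally on the Edge server.
# Assumed names: SMTPSVC/NNTPSVC (IIS services), ADAM_MSExchange (Edge ADAM
# instance), MSExchangeTransport, and the v8.0\*Role registry keys.

$problems = @()

# 1. Setup refuses to run if the IIS SMTP or NNTP service is installed.
foreach ($svc in "SMTPSVC", "NNTPSVC") {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        $problems += "$svc is installed; Exchange 2007 Setup will fail until it is removed."
    }
}

# 2. A perimeter server should not be joined to the internal forest.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $problems += "Server is a member of domain $($cs.Domain); an Edge Transport server normally runs in a workgroup."
}

# 3. After installation, ADAM (not Active Directory) holds the Edge configuration.
if (-not (Get-Service -Name "ADAM_MSExchange" -ErrorAction SilentlyContinue)) {
    $problems += "ADAM instance ADAM_MSExchange not found; EdgeSync has nothing to replicate into."
}

# 4. Only the Edge Transport role may be installed on this machine.
$roleRoot = "HKLM:\SOFTWARE\Microsoft\Exchange\v8.0"
$installedRoles = @()
foreach ($role in "EdgeTransportRole", "HubTransportRole", "ClientAccessRole", "MailboxRole", "UnifiedMessagingRole") {
    if (Test-Path (Join-Path $roleRoot $role)) { $installedRoles += $role }
}
if ($installedRoles -notcontains "EdgeTransportRole") {
    $problems += "Edge Transport role is not installed."
}
elseif ($installedRoles.Count -gt 1) {
    # [string]::Join is used because the -join operator only arrived in PowerShell 2.0
    $problems += "Additional roles present on the Edge server: " + [string]::Join(", ", $installedRoles)
}

# 5. Port 25 should be served by Exchange's managed transport, not IIS.
$transport = Get-Service -Name "MSExchangeTransport" -ErrorAction SilentlyContinue
if (-not $transport -or $transport.Status -ne "Running") {
    $problems += "Microsoft Exchange Transport service is not running."
}
if (Get-Process -Name inetinfo -ErrorAction SilentlyContinue) {
    $problems += "inetinfo.exe (IIS) is running; an Edge Transport server does not need IIS."
}

if ($problems.Count -eq 0) { Write-Host "Edge Transport checks passed." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Checks 1 and 2 are useful before you run Setup; checks 3 to 5 only make sense afterwards. If check 2 fires on a server that is deliberately domain-joined, treat it as a reminder that the host now carries domain credentials into the perimeter, not as a hard error.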


 Home: Introduction
 Step 1: How an Edge Transport server works
 Step 2: Install the Edge Transport server
 Step 3: Create an Edge Subscription
 Step 4: Replicate Active Directory data to the Edge Transport server
 Step 5: Verify communication with the Hub Transport server
 Step 6: Configure Edge Transport server email filtering agents
 Step 7: Set up Edge Transport server advanced content-filtering features

Brien M. Posey, MCSE
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at
