Tuesday, August 10, 2010

Edge Transport Servers and Certificates

First let me say, that I'm not convinced that most organizations require an Edge Transport server for Exchange Server 2007 or Exchange Server 2010. An Edge Transport server is an SMTP relay that sits between your Exchange Server organization and the Internet. The purpose of an Edge server is to isolate Exchange from the Internet and perform anti-spam and anti-virus filtering. Most organizations have another device or service that is already performing this task.

However, if you choose to implement and Edge server, you need to understand that it uses certificates to secure communication between the Edge server and Hub transport server on the internal network. Normally you want certificates to come from a external certification authority so that they are trusted by all computers in the communication process. However, for SMTP between Exchange servers, you can and should use internally generated certificates. This is the default configuration. However, the default certificates expire after 1 year.

The certificate assigned to SMTP for message transport can be (and typically is) different than the certificate you use for SSL on Web services such as OWA. Also, the same certificate cannot be used for SMTP message transport on multiple servers. If the same certificate is used for SMTP message transport on multiple servers, communication will fail with an error indicating LDAP lookup failures (ID 10104 and 1024).

When the certificates are close to their expiry events will be generated in the Application event log warning you. This is the error description: http://technet.microsoft.com/en-us/library/bb217963(EXCHG.80).aspx

The fix for this is easy. On the server that is experiencing the error, in the Exchange Management Shell, run the New-ExchangeCertificate cmdlet and say Yes to overwriting the SMTP certificate. Then restart the ExchangeTransport services for it to take effect immediately.

If you create a new certificate on an Edge server, then you also need to recreate the Edge Subscription. Run the New-EdgeSubscription cmdlet on the Edge server to create an XML configuration file. Then use that XML file to create a new Edge Subscription on the Hub Transport server by using the Exchange Management Console. You can also delete the old Edge Subscription as it is no longer required. To force the new Edge Subscription to start, use the Start-EdgeSynchronization cmdlet. If this fails, try restarting the ExchangeTransport service or reboot the box.

If you know it's coming, it's easy to fix up. If you don't know it's coming, this can result in hours of downtime due to communication failing between Edge Transport server and the internal Exchange organization.

No comments:

Post a Comment