In the Exchange 2007 and 2010 product help and the online TechNet library, Microsoft recommends that the Edge Transport role be installed on a standalone (non-domain-joined) server for higher security. But why do people always assume that Edge cannot be installed on a domain member server? Even today, I got this answer from an Exchange 2010 training by MS: Edge cannot be installed on a domain member server; if you start the installation, an error will show up in your face, very big and very red! So I set up a demo and proved that IT IS WRONG. Here is an Exchange 2007 example:
and also this:
One is a standalone server and one is newly installed on a domain member. This proves that "if you never test it, do not say it is impossible."
So someone may ask why MS recommends deploying the Edge role on a standalone server.
1 - There is no need to install Edge on a domain-joined server.
Edge does not need to authenticate any incoming client except local logon requests. Edge is designed to work on a standalone server.
2 - Higher security
Edge can be shut down at any time without affecting other functions of the internal mail flow. For external mail flow, use DNS round-robin so that outside servers stop communicating with the Edge server that is shut down. And even if the Edge server is controlled by an external attacker, he cannot do anything that affects internal users.
But wait! Those words are just from MS. You should note that, by default, the Edge receive connector still has a big issue: mail spoofed as coming from your authoritative domain can reach your internal users, and internal users can send anonymous mail to anyone they like. To address this, use the cmdlet I mentioned before to remove the anonymous permission.
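The following is an added example, not code from the original post: an Exchange Management Shell session on an Edge Transport server that first audits which extended rights the anonymous account holds on the receive connector, then removes the one that lets an anonymous sender claim an address in your authoritative domains, and finally verifies the result. The connector name is an assumption (the default Edge connector is named after the server); replace it with the name that Get-ReceiveConnector returns on your Edge server.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the Edge Transport server itself, since Edge configuration lives in
# that server's local AD LDS instance and is not shared between Edge servers.
$connectorName = "Default internal receive connector EDGE"   # assumed name, replace with your own
$anonymous     = "NT AUTHORITY\ANONYMOUS LOGON"
$spoofRight    = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

# 1. Audit: list every extended right that the anonymous account holds on the
#    connector, one row per access control entry.
Get-ReceiveConnector -Identity $connectorName |
    Get-ADPermission -User $anonymous |
    Where-Object { $_.ExtendedRights } |
    Select-Object Identity, Deny,
        @{ Name = "Rights"; Expression = { $_.ExtendedRights -join "," } } |
    Format-Table -AutoSize

# 2. Harden: stop anonymous submissions whose MAIL FROM is one of your
#    authoritative domains (the spoofing case described in the post).
#    Only the anonymous account is touched; authenticated Hub Transport
#    servers keep their own permissions on the same connector.
Get-ReceiveConnector -Identity $connectorName |
    Remove-ADPermission -User $anonymous -ExtendedRights $spoofRight -Confirm:$false

# 3. Verify: no remaining ACE for the anonymous account should still carry
#    the spoofing right. An empty result means the change took effect.
$remaining = Get-ReceiveConnector -Identity $connectorName |
    Get-ADPermission -User $anonymous |
    Where-Object { -not $_.Deny -and (($_.ExtendedRights -join ",") -like "*$spoofRight*") }

if ($remaining) {
    Write-Warning "Anonymous senders can still use authoritative domain addresses on $connectorName"
} else {
    Write-Output "OK: anonymous senders can no longer claim an authoritative domain on $connectorName"
}
```

Because each Edge server holds its own copy of this configuration, the steps have to be repeated on every Edge server in the DNS round-robin set; a server that is skipped will keep accepting the spoofed mail.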
Pain points
- Administrators have to log on to each Edge server to get information from that server.
- Administrators cannot change the settings of all Edge servers from one place, as they can with the domain-joined CAS, Hub and Mailbox roles.
- SCOM and SCCM with the Exchange Management Pack can help, but they make things more complicated for administrators.
Cristiano Roma
July 28, 2011 at 08:59
You are correct! The Edge Transport Role can be installed on a domain member, but the cmdlets from the Exchange M Shell don't have the common admin commands like Get-Mailbox, Get-ClientAccess and so on enabled. I don't know if this is good or bad.
xunyangit
August 1, 2011 at 20:41
This is by design. The Edge role is not for AD object management.