Unable to reach Exchange 2010 Hub port 25 from Edge in DMZ?
This is a new Exchange 2010 installation and a new AD. Exchange 2010 works with Outlook inside my firewalls. I am trying to install an Edge server in my DMZ to migrate my current email solution fully to Exchange. The Edge server is installed in the DMZ. The Edge server is reachable by ping, resolves with my internal DNS (hosted on the AD box), and I can RDP to the Edge server. I have a linux box also in the DMZ. Using the linux box and the command "nmap -P0 -O 10.1.2.39" I am not able to find any open ports on the Exchange server. I have the firewall between my internal network and the DMZ down for this test. I have stopped the firewall on the Exchange server. Why are the ports not accessible from the DMZ?

10.1.2.0/24 internal network
192.168.200.0/24 DMZ
Exchange 2010 HT, CAS, etc. on internal network (the same box)
Exchange Edge Server 2010 in DMZ

Mike
February 1st, 2012 12:14pm

Can you telnet to the Hub server on port 25 from any other server or PC on your network, i.e. not in the DMZ? If you telnet from the Edge to the Hub on port 25, does it just fail or does it connect briefly first?
February 1st, 2012 1:27pm

I can telnet to the Hub from any box in the internal network just fine. I have the internal mail server, that I'm replacing, forwarding messages to Exchange. That part is working fine. I can also telnet from the linux box in the DMZ to the Edge server in the DMZ. I cannot telnet from either the linux box or the Edge server in the DMZ to the Hub in the internal network. I have the firewall down between the DMZ and the internal network. I just tried again from the DMZ to the Hub on port 25 and got a "connection refused". I'm trying again from the DMZ to the Hub on port 80 and am getting a timeout. Mike
February 1st, 2012 1:34pm

Is the receive connector on the Hub configured to only accept traffic from certain networks?
February 1st, 2012 1:38pm

I see a tab for "Send Connectors". I see no tab for "Receive Connectors".

Remote Domains: *
Accepted Domains: seven domains owned by this company
Email Address Policy: Default
Transport Rules: (none)
Journal Rules: (none)
Send Connectors: Default, Edgesync - Inbound to Company-AD, Edgesync - Company-AD to Internet
Edge Subscriptions: the name of the Edge server, true, company.com/Configuration/Sites/Company-AD
Global Settings: Transport Settings

For the two Edgesync connections I have the name of the Hub server and not the name of the Edge server in the FQDN. I don't think I've changed anything else since accepting the xml file from the Edge server.

Mike
February 1st, 2012 1:46pm

My apologies. I'm new to the Microsoft world. I have two receive connectors:

Default:
General: verbose (just now), hub.company.com, 10240
Network: IPv4:25, IPv6:25, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0 - 255.255.255.255
Authentication: Enable Domain not checked, Externally Secured not checked, the rest checked
Permission Groups: all checked except Partners

Client hub:
General: verbose (just now), hub.company.com, 10240
Network: IPv4:587, IPv6:587, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0 - 255.255.255.255
Authentication: Enable Domain not checked, Exchange Server not checked, Externally Secured not checked, the rest checked
Permission Groups: only Exchange Users checked
February 1st, 2012 2:00pm

No worries :) The network line is allowing all IPs, so that looks OK. Did the Edgesync process complete OK, with no errors?
February 1st, 2012 2:14pm

Steve, looks like the synchronization is OK. I get this from the Hub server:

[PS] C:\Windows\system32>Test-EdgeSynchronization -FullCompareMode

RunspaceId                  : 22b56253-ec95-4cc9-a3d5-d99166fa1146
SyncStatus                  : Normal
UtcNow                      : 2/1/2012 7:15:11 PM
Name                        : edge
LeaseHolder                 : CN=HUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 2/1/2012 7:43:56 PM
LastSynchronizedUtc         : 2/1/2012 7:13:56 PM
TransportServerStatus       : Synchronized
TransportConfigStatus       : Synchronized
AcceptedDomainStatus        : Synchronized
RemoteDomainStatus          : Synchronized
SendConnectorStatus         : Synchronized
MessageClassificationStatus : Synchronized
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 3
CookieRecords               : Number of cookies 2

[PS] C:\Windows\system32>Start-EdgeSynchronization

RunspaceId     : 22b56253-ec95-4cc9-a3d5-d99166fa1146
Result         : Success
Type           : Recipients
Name           : edge
FailureDetails :
StartUTC       : 2/1/2012 7:15:28 PM
EndUTC         : 2/1/2012 7:15:28 PM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0

RunspaceId     : 22b56253-ec95-4cc9-a3d5-d99166fa1146
Result         : Success
Type           : Configuration
Name           : edge
FailureDetails :
StartUTC       : 2/1/2012 7:15:28 PM
EndUTC         : 2/1/2012 7:15:28 PM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0
February 1st, 2012 2:17pm

OK, that looks good. The Edge uses port 50636 to synchronise its directory with AD, so the Hub can communicate with it on that port. The fact that you are getting a connection refused from the Hub on port 25 tells me that you are connecting to that server but the firewall or some other service on that box is interfering. Can you connect to OWA HTTPS (or telnet 443) on the Exchange box from the Edge?
February 1st, 2012 2:54pm

I get a timeout on 443. I have tried turning off the firewall on Hub, but I still cannot connect. Before I realized the Edgesync process would keep Hub and Edge working together, I created my seven domains on Edge. When I realized the sync process was supposed to do this, I deleted four of my domains on Edge. Though the sync process is running I have not seen the other four domains return. Should I delete all Edge domains and resync? Is this a separate topic? Mike
February 1st, 2012 3:12pm

Well, 443 is totally separate from SMTP and any kind of Edgesync process. If you have no firewall between the Edge and Hub (or it is down, as you said), then effectively these 2 servers are on the same LAN. You should be able to get some response from the server on 443, so I'm guessing that either the firewall on the server isn't off (or there is something wrong with it) or your DMZ firewall is still blocking this traffic.
February 1st, 2012 3:18pm

It's something on the Hub box. On the Hub box I can "telnet 192.168.100.2 22" and get the right response, but "telnet 192.168.100.2 25" hangs. When I .... crap, maybe that's it. I added a custom rule to the firewall to prevent anything from exiting the internal network except messages coming from the current mail server. I need to modify that rule and test again.
February 1st, 2012 3:43pm

Steve, I replied this morning, but I don't see the reply, so I am replying again. I wonder if there will be duplicates. I modified my core router traffic rules. The core router manages the traffic between different security zones. I put some custom rules in place, outside the management interface, to prevent email traffic from being sent except from the email server. We were having some virus issues at the time. A high security zone can send and see anything in a lesser security zone, so Hub can see everything at Edge, but Edge cannot see stuff at Hub unless explicitly allowed. I run the Best Practices Analyzer and it reports that Hub cannot be contacted by Edge. I can telnet to port 25 on each server from the other, so that's open now. I also have port 50636 open from Edge to Hub. What other ports do I need to open? Mike
February 2nd, 2012 9:30am

Regarding the Accepted Domains syncing: I find that the domains are not being refreshed automatically in the Edge's Exchange Management Console (EMC). When I stop and restart the EMC, the domains are there. I may need to do a "Start-EdgeSynchronization -ForceFullSync" to make sure the Edge is up to date with the Hub. Mike
February 2nd, 2012 12:27pm

Hi Mike, good news, at least you are making progress. The only ports required are 50636 and 25. Perhaps you should delete the Edgesync and start again now that the comms are correct. This will also refresh all the domain info, including the accepted domains list. Cheers, Steve
February 2nd, 2012 1:31pm
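As an added example (not code posted in this thread), a PowerShell 2.0-compatible check for the two ports Steve names, which also separates the "connection refused" case from the timeout case that Steve distinguishes above. The host names hub.company.com and edge.company.com are placeholders taken from the connector FQDN and the Edge name in the sync output; substitute your own.

```powershell
# Added example, not from the thread. Run it on the Hub and again on the
# Edge (set $role accordingly) to classify each required port as:
#   Open      - TCP handshake completed
#   Refused   - an RST came back: the host is reachable, but no listener
#               or a host-based firewall rule rejects the connection
#   Filtered  - no reply at all: a router/firewall drops the packets
function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Filtered (timeout, packets dropped on the path)'
        }
        $client.EndConnect($ar)   # throws a SocketException on RST
        return 'Open'
    } catch {
        # PowerShell wraps .NET exceptions; unwrap to reach the socket error.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException] -and
            $ex.SocketErrorCode -eq 'ConnectionRefused') {
            return 'Refused (RST: host reachable, rejected locally)'
        }
        return "Error: $($ex.Message)"
    } finally {
        $client.Close()
    }
}

# Placeholder host names (assumed, not from the thread's configuration).
$hub  = 'hub.company.com'
$edge = 'edge.company.com'
$role = 'Edge'   # set to 'Hub' when running this on the Hub server

# SMTP (25) must work in both directions; EdgeSync (50636) is a
# connection the Hub opens towards the Edge.
$checks = @(
    @{ From = 'Edge'; Target = $hub;  Port = 25    },
    @{ From = 'Hub';  Target = $edge; Port = 25    },
    @{ From = 'Hub';  Target = $edge; Port = 50636 }
)
foreach ($c in ($checks | Where-Object { $_.From -eq $role })) {
    $result = Test-TcpPort -ComputerName $c.Target -Port $c.Port
    '{0} -> {1}:{2} : {3}' -f $c.From, $c.Target, $c.Port, $result
}
```

A "Refused" result points at the target box itself (host firewall or service), while "Filtered" points at the DMZ firewall or core router rules between the zones.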

On the receive connectors, make sure anonymous is enabled. Otherwise it will not connect to any server or receive mail from any source it does not trust.
February 4th, 2012 4:45am
