Exchange SQL And IIS- P95 potx


Managing the Edge Transport Server • Chapter 7

11. You'll now need to decide how unspecified services (which basically are services not in the database yet) should be handled. You can choose to leave the startup mode as it is or have the service disabled. We recommend that you select Disable the service and then enable it manually should it be required. When you have decided how you would like unspecified services to be handled, click Next.

12. On the Confirm Service Changes page, verify that the service configuration for each service is set as expected, as shown in Figure 7.55, and click Next.

Figure 7.55 Confirming Service Changes

13. You have now reached the Network Security section of the SCW, which is where you'll configure inbound ports using the Windows firewall based on the roles and administration options selected on the previous pages. In addition, this is where you can restrict access to ports and indicate whether port traffic is signed or encrypted using IPSec. It's very important that you configure this portion correctly, since answering the questions incorrectly might prevent the Edge Transport server from communicating with the servers it's required to communicate with. Click Next.

14. On the Open Ports and Approve Applications page, you need to pay special attention. As you read earlier in this chapter, the Edge Transport server will need to replicate data from Active Directory to the local ADAM store at a scheduled set of intervals. Because this is done using LDAP via ports 50389 and 50636, you need to add both these ports on this page. To do so, click the Add button shown in Figure 7.56.

Figure 7.56 Adding the Respective Ports

15. On the Add Port or Application page, enter 50389 in the port number field, check TCP, and click OK (see Figure 7.57).

16. Repeat Step 15, but enter port 50636 instead. Click OK.
Figure 7.57 Adding the LDAP Port

NOTE
50389 and 50636 are the default ports used for LDAP communication between Active Directory and ADAM, but if you need to for some reason, you can change them using the ConfigureAdam.ps1 script located in the scripts directory under C:\Program Files\Microsoft\Exchange. This script invokes the dsdbutil command, which can be used to change the LDAP port, Secure LDAP port, log path, and the path of the directory database. To change the LDAP and Secure LDAP ports used by the Edge Transport server, you would need to open the EMS and navigate to the Scripts folder under the Exchange directory. Here you would need to type ConfigureAdam.ps1 -ldapport:10389 -sslport:10636 and press Enter. This example would change the LDAP ports to 10389 and 10636, respectively. Although you would be able to manually change the port numbers directly using the registry editor, don't do so, since it will make the ADAM instance unavailable.

17. Select the newly added port 50389 in the list and click the Advanced button.

18. Click the Local Interface Restrictions tab and select Over the following interfaces. Check the network adapter connected to the internal network and click OK.

19. Repeat Steps 17 and 18 for port 50636.

20. Now click Next and confirm the port configuration settings. Click Next again.

21. You have now reached the Registry Settings section in the SCW, and since you can skip this section, check Skip this section and click Next. Do the same on the Audit Policy page and click Next.

22. Now that you're through all the security configuration settings, it's time to save and apply the security policy. On the Save Security Policy page, click Next.

23. On the Security Policy Filename page, type a name for the policy and a description of the policy (this is optional). Click Next (see Figure 7.58).

Figure 7.58 Security Policy Filename
NOTE
If you have enabled and allowed Remote Desktop connections to the Edge Transport server, we also recommend that you do Steps 17 and 18 for 3389 (Remote Desktop Protocol). This will block any connection attempts on port 3389 from external sources.

24. You will now be informed that applying this security policy to the selected server will require a reboot after the policy is applied. This is required for the configured applications or services to run properly. Click OK, select Apply Now, and click Next (see Figure 7.59).

Figure 7.59 Applying the Security Policy

25. When the security policy has been applied, click Next and finally Finish to exit the SCW.

26. Reboot the server and verify that everything works as expected (mail flow, EdgeSync replication, Remote Desktop, and so on).

NOTE
If you're planning to deploy multiple Edge Transport servers in your perimeter network (DMZ or screened subnet), you can easily copy this Edge Transport server security policy XML file to the rest of the Edge Transport servers and apply it using the SCW.

Date posted: 06/07/2014, 13:20
