Exchange Server 2013 Server Roles

The multi-role server architecture that was introduced with Exchange Server 2007, and then continued with Exchange 2010, has been consolidated in Exchange Server 2013.

Exchange 2013 has three server roles that can be installed:

  • Client Access server
  • Mailbox server
  • Edge Transport server (from SP1 or later)

(Figure: Server role selection during Exchange 2013 setup)

The Mailbox and Client Access roles can co-exist on the same host, or be installed separately. It is generally recommended to install them on the same server (multi-role server installs) instead of separate server roles.

Exchange Server 2013 Client Access Server

As the name suggests, the Client Access server role is the server that clients (e.g. Outlook, Outlook Web App, ActiveSync) connect to for mailbox access. The Client Access server authenticates those requests, then redirects or proxies them to the appropriate Mailbox server.

Client Access servers can be made highly available through the use of a load balancer.

There are two main components:

  • Client Access service – this handles the client connections to mailboxes
  • Front End Transport service – this performs various email traffic filtering functions, as well as email routing between the Exchange servers and the outside world

Exchange Server 2013 Mailbox Server

Mailbox servers host the databases that contain mailbox and public folder data. As with Exchange 2010, the Exchange 2013 Mailbox server role can be made highly available by configuring a Database Availability Group.

The Mailbox server also runs two Transport services:

  • Hub Transport service – similar to the Exchange 2007/2010 Hub Transport server role, this service provides email routing within the organization, and connectivity between the Front End Transport service and the Mailbox Transport service
  • Mailbox Transport service – this service passes email messages between the Hub Transport service and the mailbox database

Exchange Server 2013 Edge Transport Server

Edge Transport servers are optional, and are designed to sit in a DMZ network to provide SMTP connectivity and mail flow in and out of the organization, whether to/from the internet or Office 365. The Edge Transport role can be used to satisfy the requirement some organizations have that no direct communication is permitted from the internet to internal networks.

Other Server Roles from Exchange 2007/2010

With the reduction in server roles to just two in Exchange Server 2013, you may be wondering what has happened to the remaining server roles that existed in Exchange Server 2007 and 2010:

  • Hub Transport server – this functionality has been divided between the Client Access server (Front End Transport service) and Mailbox server (Hub Transport and Mailbox Transport services) and is no longer a dedicated server role
  • Unified Messaging – this functionality has been divided between the Client Access and Mailbox server and is no longer a dedicated server role
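
To see how the roles described above are actually distributed in an organization, the following added example (not part of the original article) inventories the Exchange 2013 servers and labels each one against the multi-role recommendation. It assumes it is run in the Exchange Management Shell; the helper name `Get-RolePlacement` and the placement labels are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell.
# Get-RolePlacement is a hypothetical helper, not an Exchange cmdlet.
function Get-RolePlacement {
    param([Parameter(Mandatory)] $Server)   # an object returned by Get-ExchangeServer

    # Edge is checked first: it is the only role intended for the DMZ.
    if ($Server.IsEdgeServer) { return 'Edge Transport (perimeter)' }
    if ($Server.IsMailboxServer -and $Server.IsClientAccessServer) {
        return 'Multi-role (recommended)'
    }
    if ($Server.IsMailboxServer)      { return 'Mailbox only' }
    if ($Server.IsClientAccessServer) { return 'Client Access only' }
    return 'Other'
}

$report = Get-ExchangeServer |
    # Exchange 2013 reports "Version 15.0 (Build ...)". Comparing the string form
    # works in both the local shell and a remote PowerShell session.
    Where-Object { "$($_.AdminDisplayVersion)" -like 'Version 15.0*' } |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Site      = $_.Site
            Roles     = $_.ServerRole
            Placement = Get-RolePlacement -Server $_
        }
    }

# Full inventory, grouped by placement.
$report | Sort-Object Placement, Name | Format-Table -AutoSize

# Split-role servers: each should exist because of a specific requirement.
$splitRole = $report | Where-Object { $_.Placement -in 'Mailbox only', 'Client Access only' }
if ($splitRole) {
    Write-Warning "Split-role servers found: $(($splitRole.Name) -join ', ')"
}

# Client Access endpoints are what clients authenticate against, so they are
# the servers to match up with load balancer and firewall publishing rules.
$report | Where-Object { $_.Roles -match 'ClientAccess' } | Select-Object Name, Site
```

Edge Transport servers appear in this output only when they are subscribed to the organization, because an unsubscribed Edge server has no object in Active Directory.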


  1. Doug says

    We’re using a 3 tiered security stack: Perimeter, mid-tier and backend. If the CAS/mailbox server are in the backend and there is no plan for an Edge Transport, what is going to proxy the OWA connections from the internet to the backend? Also, is Microsoft planning ANY edge device that supports IPv6?

    • says

      Exchange 2007/2010 Edge Transports work with Exchange 2013.

      I saw a comment from MS today that Edge won’t be in RTM, which doesn’t mean it won’t come later perhaps, but I probably wouldn’t count on it.

      I haven’t seen any yes/no info yet on whether the Exchange 2013 CAS can sit in a DMZ.

  2. Ashraf Tammam says


    If I have only 2 servers, is it possible to install CAS and Mailbox server roles on both of them and configure load balancing and DAG on these 2 servers?


    • says

      CAS and Mailbox roles can co-exist on the same server. If that server is also a DAG member and you want to do load balancing you’ll need to use a hardware load balancer, not Windows NLB.

      • says

        So, in theory, to run this configuration without the need or usage of a hardware load balancer, you’d need to run two Mailbox servers and place them in a DAG, with the Witness Server being the CAS server?



  3. PopatN says

    Hi Paul,

    You mention that the CAS and Mailbox Roles can Co-Exist on a single server. Is this regarded as Best Practise now? When would you separate the roles and configure them on their own independent servers?



    • says

      Best practice is multi-role servers. Only install separate roles if you have a specific requirement to.

      Examples may be if there is a performance requirement (probably not as common these days) or to reduce the number of CAS in environments with a lot of MBX (e.g. if you’ve got a 16 member DAG you may not need 16 CAS as multi-role servers when a smaller number of dedicated CAS would do the job).

  4. John says

    I have a single Exchange 2010 and want to upgrade it to 2013 directly. Is it possible?
    Hub Transport is also installed on it.

  5. Brett Stares says

    I am migrating towards two Exchange 2013 Servers, one in each site. I would like to install multi role in both sites to setup mail flow redundancy – however the DAG requires a CAS without the mailbox role to act as the witness. Will this require the purchase of an additional exchange license and 2012 server?

    FYI I would prefer to manually switch on the databases – can I do this without DAG?


  6. Lasandro Lopez says

    I want to set up Exchange 2013 with two separate servers (one CAS, one Mailbox).
    To which IP do I have to redirect the incoming port 25, to CAS or to Mailbox?
    Also… if I need to set up a DMZ… what server roles do I have to put there?

      • Lasandro Lopez says

        Thank you Paul.
        What Edge Server is better to put in the DMZ, 2010 or 2013?
        My other question… the clients that will connect to OWA or with ActiveSync… will be connected to the CAS server, which will be inside, right?
        So… which ports do I have to open?
        So I will publish port 443 directly, to be NAT-ed to the CAS server IP?
        I’m not clear how the CAS will not be in the DMZ… when I have to publish its port 443.

        • says

          Functionally I don’t know of any significant difference between Edge 2010 and Edge 2013 but I would use 2013 anyway.

          External clients using OWA or ActiveSync connect to the CAS on port TCP 443, that is correct.

  7. Naty says

    Hello… very useful topic. Thanks again. So my question is: are there any documents or guides to migrate a Roundcube mail system to Microsoft Exchange Server 2013? Thanks

  8. Tyto says


    Just a small question: I have a 3-server architecture, one with CAS, another with EDGE and another with MB, all on different machines. I need to update from Exchange Server 2013 SP1 or CU4 to CU7; which machine should I do first? Is there any important order to follow, or is it irrelevant?


  9. dragana79 says

    Hi Paul,
    I have 2 Exchange 2010 servers: 1 CAS and 1 MBX (100 mailboxes). Now I need to shift to 2013. I have two licences of Exchange 2013 and am thinking of setting up a multi-role deployment. What do you think, is this OK:
    Create a DAG with 2 DBs. 50% of mailboxes on 1MBXCAS and 50% on 2MBXCAS, and use DNS Round Robin for CAS.
    1MBXCAS is a physical machine and 2MBXCAS is virtual.

    • says

      Technically that will work, it is a fairly common and basic HA set up. Whether it is the right fit for your business and technical environment is another matter entirely.

  10. Brian says

    You’ve mentioned Microsoft’s best practice is Multi Role Server. Any links or documentation supporting pros/cons of multi role server versus single? Company trying to determine best option.

    • says

      Any relevant TechEd, MEC, or Ignite session by Ross Smith IV in the last couple of years, or read his blog post series on the Exchange 2013 Preferred Architecture.

  11. Brian says

    Other than Jetstress, what other automated tool/3rd party tools would you recommend to size the environment? Plan to move from physical to virtual environment using VMware for Exchange 2013. Contemplating whether to go Multi Role or Single Role.

    • says

      The sizing calculator that Microsoft publishes. If you’re virtualizing also read their virtualization best practices or seek out any of the TechEd, MEC, or Ignite sessions about the topic.

  12. Brian says

    We are setting up Exchange 2013 in its own forest, between 2 data centers for DR and HA purposes. Need to determine architecture of mailbox copies. We want to maintain Active/Active between both datacenters. Any suggestions?
