Exchange 2007 Swing Migration Setup Help Needed

Posted on 2007-11-25
Last Modified: 2013-11-30
I am still in the process of a swing migration from Exchange 2003 to Exchange 2007 this weekend.  I have all of the user 120 mailboxes moved to the Exchange 2007 box.  My Outlook, Entourage clients are connecting successfully.  I have the one Exchange 2007 box and the Exchange 2003 swing box.  I have removed the connectors between the 2003 and 2007 boxes. Here are the items I still need help with:

1) When I opened up the firewall to allow incoming and outgoing SMTP traffic, I noticed the mail queues were being flooded with traffic from outside? our network.  This is strange because I only allow port 25 traffic in (via a Watchguard firewall rule) from Postini (our provider that cleans up the mail before it gets to us).  I need to make sure that our server is not an open relay.  How does the receive connector need to be set up to be safe?  There are currently 2 receive connectors listed.

2) I tried to import our Geotrust SSL certificate in the command shell.  It imported successfully, but could never attach it to IIS, because the command shell said the private key was missing.  I tried adding it the 'ole fashion way through IIS, but Exchange doesn't know about it and OWA will not work even when I change the internal and external URL settings to  This type of URL (formerly used to work in (via DNS entry) and outside of our network.  This SSL issue is also affecting all of our Windows Mobile Smartphones and PDA Phones.

3) Can you use the IMF and anti-spam settings without a separate Edge server?

Any help you can provide would be much appreciated. I have been using 2003 for years and think I have got in over my head with 2007.  But I'm too far along to go back now.

Question by:wesleyjones
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 104

Accepted Solution

Sembee earned 500 total points
ID: 20345803
For single server setup I would suggest you look at this article on the blog.

Note carefully that after enabling the antispam agents you need to restart the transport store AND all options are enabled, so you will need to in and disable them. The antispam agents are also where recipient filtering is held.

The SSL certificate is really important with Exchange 2007. I don't know how you have tried to move the certificate across, but having a separate key doesn't sound right. Exchange has to accept the certificate, you can either do that with PowerShell or use PowerGui, which I find is more straight forward.

On the question of your SMTP traffic, are you sure that you were doing the restriction on the firewall and not on the SMTP virtual server on the old machine? Exchange 2007 is relay secure by default, so unless you have changed the configuration of the receive connectors you will not be an open relay.


Author Comment

ID: 20345978
Thanks Sembee!  The blog article really helped.  Before I decommissioned the original server, I saved the .cer file offline.  When I brought up the Exchange 2007 box, I followed the "Finalize Deployment" instructions on the EMC.  The .cer file was imported, but I was unable to assign it to the IIS service.  My certificate expires in a couple of month, so I was thinking about getting an Entrust certificate anyway.  What is the PowerGUI?

Tha anti-spam settings helped with the the weird SMTP traffic I was receiving.  I am still seeing some messages from blank senders at IP in the mail queues.
LVL 104

Assisted Solution

Sembee earned 500 total points
ID: 20346065
PowerGui is another interface for PowerShell. I use it on all of my Exchange 2007 deployments because it simplifies so much of what Microsoft have made more complex in Exchange 2007 with PowerShell. How did you import the certificate? Did you extract its thumbprint to use?

Have you tried just importing the certificate in to IIS manager on the web site? That should make the certificate available - you just need to import the thumbprint so that it is available to Exchange.

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.


Author Comment

ID: 20346194
I did try importing the certificate with IIS Manager (like the old way for Exchange 2003).  It takes it and it is valid, but then I cannot access OWA at all, from inside the lan or outside.  I did iisreset after the cert assignment.  Is there something else I need to do, restart exchange or the server?
LVL 104

Expert Comment

ID: 20347351
What do you mean by not access OWA? That could be an indication the certificate is damaged. Is the original still available?


Author Comment

ID: 20347476
Unfortunately no, but I ordered a new UCC certificate from Entrust today.  

What I mean by not being able to access OWA above, Internet Explorer would return an error message like page not found.  Let's see if everything works out with the new Entrust cert.  I'll let you know.

Thanks again,


Author Comment

ID: 20368903
The Entrust certificate is working properly.  Even Outlook Anywhere is working.  I set up the names as:,,

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
how to add IIS SMTP to handle application/Scanner relays into office 365.

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question