Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Exchange 2007 Swing Migration Setup Help Needed

Posted on 2007-11-25
Medium Priority
Last Modified: 2013-11-30
I am still in the process of a swing migration from Exchange 2003 to Exchange 2007 this weekend.  I have all of the user 120 mailboxes moved to the Exchange 2007 box.  My Outlook, Entourage clients are connecting successfully.  I have the one Exchange 2007 box and the Exchange 2003 swing box.  I have removed the connectors between the 2003 and 2007 boxes. Here are the items I still need help with:

1) When I opened up the firewall to allow incoming and outgoing SMTP traffic, I noticed the mail queues were being flooded with traffic from outside? our network.  This is strange because I only allow port 25 traffic in (via a Watchguard firewall rule) from Postini (our provider that cleans up the mail before it gets to us).  I need to make sure that our server is not an open relay.  How does the receive connector need to be set up to be safe?  There are currently 2 receive connectors listed.

2) I tried to import our Geotrust SSL certificate in the command shell.  It imported successfully, but could never attach it to IIS, because the command shell said the private key was missing.  I tried adding it the 'ole fashion way through IIS, but Exchange doesn't know about it and OWA will not work even when I change the internal and external URL settings to https://owa.biltmorebaptist.org/owa.  This type of URL (formerly https://owa.biltmorebaptist.org/exchange) used to work in (via DNS entry) and outside of our network.  This SSL issue is also affecting all of our Windows Mobile Smartphones and PDA Phones.

3) Can you use the IMF and anti-spam settings without a separate Edge server?

Any help you can provide would be much appreciated. I have been using 2003 for years and think I have got in over my head with 2007.  But I'm too far along to go back now.

Question by:wesleyjones
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 104

Accepted Solution

Sembee earned 2000 total points
ID: 20345803
For single server setup I would suggest you look at this article on the msexchangeteam.com blog.

Note carefully that after enabling the antispam agents you need to restart the transport store AND all options are enabled, so you will need to in and disable them. The antispam agents are also where recipient filtering is held.

The SSL certificate is really important with Exchange 2007. I don't know how you have tried to move the certificate across, but having a separate key doesn't sound right. Exchange has to accept the certificate, you can either do that with PowerShell or use PowerGui, which I find is more straight forward.

On the question of your SMTP traffic, are you sure that you were doing the restriction on the firewall and not on the SMTP virtual server on the old machine? Exchange 2007 is relay secure by default, so unless you have changed the configuration of the receive connectors you will not be an open relay.


Author Comment

ID: 20345978
Thanks Sembee!  The blog article really helped.  Before I decommissioned the original server, I saved the .cer file offline.  When I brought up the Exchange 2007 box, I followed the "Finalize Deployment" instructions on the EMC.  The .cer file was imported, but I was unable to assign it to the IIS service.  My certificate expires in a couple of month, so I was thinking about getting an Entrust certificate anyway.  What is the PowerGUI?

Tha anti-spam settings helped with the the weird SMTP traffic I was receiving.  I am still seeing some messages from blank senders at IP in the mail queues.
LVL 104

Assisted Solution

Sembee earned 2000 total points
ID: 20346065
PowerGui is another interface for PowerShell. http://www.powergui.org/ I use it on all of my Exchange 2007 deployments because it simplifies so much of what Microsoft have made more complex in Exchange 2007 with PowerShell. How did you import the certificate? Did you extract its thumbprint to use?

Have you tried just importing the certificate in to IIS manager on the web site? That should make the certificate available - you just need to import the thumbprint so that it is available to Exchange.

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 20346194
I did try importing the certificate with IIS Manager (like the old way for Exchange 2003).  It takes it and it is valid, but then I cannot access OWA at all, from inside the lan or outside.  I did iisreset after the cert assignment.  Is there something else I need to do, restart exchange or the server?
LVL 104

Expert Comment

ID: 20347351
What do you mean by not access OWA? That could be an indication the certificate is damaged. Is the original still available?


Author Comment

ID: 20347476
Unfortunately no, but I ordered a new UCC certificate from Entrust today.  

What I mean by not being able to access OWA above, Internet Explorer would return an error message like page not found.  Let's see if everything works out with the new Entrust cert.  I'll let you know.

Thanks again,


Author Comment

ID: 20368903
The Entrust certificate is working properly.  Even Outlook Anywhere is working.  I set up the names as: owa.domain.com, autodiscover.domain.com, exchsvr.domain.com

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam® is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New style of hardware planning for Microsoft Exchange server.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
how to add IIS SMTP to handle application/Scanner relays into office 365.

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question