[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 859
  • Last Modified:

Exchange 2007 Swing Migration Setup Help Needed

I am still in the process of a swing migration from Exchange 2003 to Exchange 2007 this weekend.  I have all of the user 120 mailboxes moved to the Exchange 2007 box.  My Outlook, Entourage clients are connecting successfully.  I have the one Exchange 2007 box and the Exchange 2003 swing box.  I have removed the connectors between the 2003 and 2007 boxes. Here are the items I still need help with:

1) When I opened up the firewall to allow incoming and outgoing SMTP traffic, I noticed the mail queues were being flooded with traffic from outside? our network.  This is strange because I only allow port 25 traffic in (via a Watchguard firewall rule) from Postini (our provider that cleans up the mail before it gets to us).  I need to make sure that our server is not an open relay.  How does the receive connector need to be set up to be safe?  There are currently 2 receive connectors listed.

2) I tried to import our Geotrust SSL certificate in the command shell.  It imported successfully, but could never attach it to IIS, because the command shell said the private key was missing.  I tried adding it the 'ole fashion way through IIS, but Exchange doesn't know about it and OWA will not work even when I change the internal and external URL settings to https://owa.biltmorebaptist.org/owa.  This type of URL (formerly https://owa.biltmorebaptist.org/exchange) used to work in (via DNS entry) and outside of our network.  This SSL issue is also affecting all of our Windows Mobile Smartphones and PDA Phones.

3) Can you use the IMF and anti-spam settings without a separate Edge server?

Any help you can provide would be much appreciated. I have been using 2003 for years and think I have got in over my head with 2007.  But I'm too far along to go back now.

Thanks!
0
wesleyjones
Asked:
wesleyjones
  • 4
  • 3
2 Solutions
 
SembeeCommented:
For single server setup I would suggest you look at this article on the msexchangeteam.com blog.
http://msexchangeteam.com/archive/2006/11/17/431555.aspx

Note carefully that after enabling the antispam agents you need to restart the transport store AND all options are enabled, so you will need to in and disable them. The antispam agents are also where recipient filtering is held.

The SSL certificate is really important with Exchange 2007. I don't know how you have tried to move the certificate across, but having a separate key doesn't sound right. Exchange has to accept the certificate, you can either do that with PowerShell or use PowerGui, which I find is more straight forward.

On the question of your SMTP traffic, are you sure that you were doing the restriction on the firewall and not on the SMTP virtual server on the old machine? Exchange 2007 is relay secure by default, so unless you have changed the configuration of the receive connectors you will not be an open relay.

Simon.
0
 
wesleyjonesAuthor Commented:
Thanks Sembee!  The blog article really helped.  Before I decommissioned the original server, I saved the .cer file offline.  When I brought up the Exchange 2007 box, I followed the "Finalize Deployment" instructions on the EMC.  The .cer file was imported, but I was unable to assign it to the IIS service.  My certificate expires in a couple of month, so I was thinking about getting an Entrust certificate anyway.  What is the PowerGUI?

Tha anti-spam settings helped with the the weird SMTP traffic I was receiving.  I am still seeing some messages from blank senders at IP 255.255.255.255 in the mail queues.
0
 
SembeeCommented:
PowerGui is another interface for PowerShell. http://www.powergui.org/ I use it on all of my Exchange 2007 deployments because it simplifies so much of what Microsoft have made more complex in Exchange 2007 with PowerShell. How did you import the certificate? Did you extract its thumbprint to use?

Have you tried just importing the certificate in to IIS manager on the web site? That should make the certificate available - you just need to import the thumbprint so that it is available to Exchange.

Simon.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
wesleyjonesAuthor Commented:
I did try importing the certificate with IIS Manager (like the old way for Exchange 2003).  It takes it and it is valid, but then I cannot access OWA at all, from inside the lan or outside.  I did iisreset after the cert assignment.  Is there something else I need to do, restart exchange or the server?
0
 
SembeeCommented:
What do you mean by not access OWA? That could be an indication the certificate is damaged. Is the original still available?

Simon.
0
 
wesleyjonesAuthor Commented:
Unfortunately no, but I ordered a new UCC certificate from Entrust today.  

What I mean by not being able to access OWA above, Internet Explorer would return an error message like page not found.  Let's see if everything works out with the new Entrust cert.  I'll let you know.

Thanks again,

Wesley
0
 
wesleyjonesAuthor Commented:
The Entrust certificate is working properly.  Even Outlook Anywhere is working.  I set up the names as: owa.domain.com, autodiscover.domain.com, exchsvr.domain.com
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now