How to Migrate Receive Connectors from Exchange 2003 to Exchange 2007/2010 (Multiple IP Address Restrictions)

Setting up a new receive connector in Exchange 2007/2010 is pretty straightforward stuff and would hardly be worth writing a whole article about.

However, in a migration scenario where you need to migrate a specific receive connector from Exchange 2003 to multiple Exchange 2007/2010 servers and it has LOTS of IPs listed under Relay Restrictions the process can be a little more daunting.

Further, if you want that list of IPs to relay to external domains without restriction, there is an additional step you must take under Exchange 2007/2010. Listing an IP in the connector's RemoteIPRanges only lets that host connect and submit mail to your own accepted domains; relaying to outside recipients needs a separate extended right on the connector.

Get the Massive List of IPs from Exchange 2003
The first thing you need to do is get the list of IPs under Relay Restrictions. If you have just a few IPs, this is no big deal and you’ll probably just write them down. If you’re in a situation like I was this past week though, you may have dozens and dozens or even hundreds of IPs, and writing them down is simply out of the question.

Fortunately, Microsoft makes it semi-easy with the SMTP Internet Protocol Restriction and Accept/Deny List Configuration script (IPsec.vbs), which you can download here:

How to use the IPsec.vbs program to export an SMTP relay list from a computer that is running Exchange Server 2003

Once you download and extract the contents to your C: drive, just run the following to export a list of Relay Restrictions.

cscript IPsec.vbs -s ExchangeServer -o e -r relay -d DomainController > C:\ExIPSecurity\exportconnectionlist.txt

NOTE: Type this command at the prompt from the C:\ExIPSecurity directory rather than pasting it from a web page. The switches must be plain ASCII hyphens (-s, -o, -r, -d); when the command is rendered on the web the hyphens are frequently turned into typographic dashes, which cscript hands to the script as literal text rather than switches, and the export fails.

Now that you have your list of IPs, it's time to create your receive connector.

Create a New Receive Connector on an Exchange 2007/2010 Server

As I said before, creating a new receive connector in Exchange 2007/2010 is relatively straightforward, and you can find full details from Microsoft in the New-ReceiveConnector documentation. I've taken the liberty of writing out the command below, though, to do what we want. This is the command we'll run on the first Exchange Hub Transport server (technically you could run it against all of your Hub Transport servers, but I've also included another command further on that copies the Remote IP Ranges to another server). Note that you must list every IP you wish to add to RemoteIPRanges, separated by commas; single addresses, CIDR blocks (10.0.0.0/24) and dashed ranges (10.0.0.1-10.0.0.50) are all accepted:

New-ReceiveConnector "ReceiveConnectorName" -Server Exchange2010Server -Bindings 0.0.0.0:25 -AuthMechanism None -PermissionGroups AnonymousUsers -RemoteIPRanges IPAddress1,IPAddress2,IPAddress3

-Bindings cannot be left empty: 0.0.0.0:25 here listens on every IPv4 address of the server on port 25. Substitute a specific IP:port if you dedicate an address to relay traffic.

Once you have the connector created on your first Hub Transport server, you can run this command to create an identical connector on the next Exchange Hub Transport server. Again, you could use the previous command. For the sake of argument though let’s say you’re adding a Hub Transport at a much later date and don’t have the original command or list of IPs handy. This command will create a new connector, and copy the Remote IP Ranges:

New-ReceiveConnector "ReceiveConnectorName" -Server Exchange2010Server -Bindings 0.0.0.0:25 -AuthMechanism None -PermissionGroups AnonymousUsers -RemoteIPRanges ( Get-ReceiveConnector "Exchange2010Server\ReceiveConnectorName" ).RemoteIPRanges

Now that you have your connectors on all of your Hub Transport servers, it’s time to allow them to relay to external recipients.

Assign Permissions to Receive Connector to Relay to External Recipients

In Exchange 2007/2010, it is not enough to allow a host to connect by listing its IP. On an anonymous connector that only permits submission to recipients in your accepted domains; to let those hosts relay to external recipients you must also grant the ms-Exch-SMTP-Accept-Any-Recipient extended right to the anonymous logon on that connector.

To do so, run the following command on each of your Hub Transport servers that has the receive connector, replacing Exchange2010Server and ReceiveConnectorName with the names from your environment.

Get-ReceiveConnector "Exchange2010Server\ReceiveConnectorName" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

At this point, you can change DNS records or otherwise redirect the relaying servers/devices to your Exchange 2010 environment, and everything will work just as it did with Exchange 2003. Because Exchange picks the receive connector whose RemoteIPRanges matches the sending address most specifically, these hosts will land on the new connector rather than the Default connector. Keep that list tight: an anonymous connector that holds ms-Exch-SMTP-Accept-Any-Recipient is an open relay for every address in its RemoteIPRanges, so never widen it to 0.0.0.0-255.255.255.255 or to whole subnets that also contain user workstations.
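The whole procedure above, from the exported relay list through the per-server connectors to the extended right, as one Exchange Management Shell script. This is an added example, not code from the original post. It assumes the export file path from the IPsec.vbs step, placeholder Hub Transport names HUB01 and HUB02, a placeholder connector name Relay-Legacy, and a binding on all IPv4 addresses, port 25; because the exact layout of the IPsec.vbs export is not shown here, it pulls the addresses and ranges out with a regular expression rather than by column. It ends with an audit pass that is not in the post: it lists every connector in the organization where anonymous senders hold ms-Exch-SMTP-Accept-Any-Recipient and flags ranges wide enough to make that connector an open relay.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on an Exchange 2010 (or 2007) Hub Transport server with rights to create connectors.
# Assumptions (all placeholders): export file path, server names, connector name, binding.
$ExportFile    = 'C:\ExIPSecurity\exportconnectionlist.txt'   # output of the IPsec.vbs step
$ConnectorName = 'Relay-Legacy'
$HubServers    = @('HUB01', 'HUB02')
$Bindings      = '0.0.0.0:25'                                  # all IPv4 addresses, port 25
$Anonymous     = 'NT AUTHORITY\ANONYMOUS LOGON'
$RelayRight    = 'ms-Exch-SMTP-Accept-Any-Recipient'

# --- 1. Harvest IPs from the IPsec.vbs export ---------------------------------------
# The export layout is assumed, not known, so match the three forms RemoteIPRanges
# accepts wherever they appear: single address, CIDR block, dashed range.
$ipPattern = '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2}|-(?:\d{1,3}\.){3}\d{1,3})?'
$RemoteIPs = @(Get-Content -Path $ExportFile |
    ForEach-Object { [regex]::Matches($_, $ipPattern) | ForEach-Object { $_.Value } } |
    Sort-Object -Unique)

if ($RemoteIPs.Count -eq 0) { throw "No IP addresses or ranges found in $ExportFile" }

# An anonymous relay connector covering the whole address space is an open relay; refuse it.
if ($RemoteIPs -match '^0\.0\.0\.0(/0|-255\.255\.255\.255)?$') {
    throw 'Export contains a catch-all range; not creating an anonymous relay connector with it'
}
Write-Host ("Importing {0} remote IP entries" -f $RemoteIPs.Count)

# --- 2. Create the connector on every Hub Transport server, then grant the relay right --
foreach ($server in $HubServers) {
    $identity = "$server\$ConnectorName"

    if (Get-ReceiveConnector -Identity $identity -ErrorAction SilentlyContinue) {
        Write-Warning "$identity already exists; leaving its RemoteIPRanges unchanged"
    }
    else {
        New-ReceiveConnector -Name $ConnectorName -Server $server -Bindings $Bindings `
            -AuthMechanism None -PermissionGroups AnonymousUsers `
            -RemoteIPRanges $RemoteIPs | Out-Null
    }

    # Skip the grant if it is already in place so the script can be re-run safely.
    $already = Get-ADPermission -Identity $identity -User $Anonymous -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -match $RelayRight) }
    if (-not $already) {
        Get-ReceiveConnector -Identity $identity |
            Add-ADPermission -User $Anonymous -ExtendedRights $RelayRight | Out-Null
        Write-Host "Granted $RelayRight to anonymous on $identity"
    }
}

# --- 3. Audit: every connector in the org where anonymous senders may relay anywhere ---
# A range starting at 0.0.0.0 or a CIDR prefix shorter than /16 is flagged as too wide.
$wideRange = '^0\.0\.0\.0|/(?:[0-9]|1[0-5])$'
Get-ReceiveConnector | ForEach-Object {
    $conn = $_
    $anonRelay = Get-ADPermission -Identity $conn.Identity -User $Anonymous -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -match $RelayRight) }
    if ($anonRelay -and ($conn.PermissionGroups -match 'AnonymousUsers')) {
        $ranges = @($conn.RemoteIPRanges | ForEach-Object { $_.ToString() })
        New-Object PSObject -Property @{
            Server     = $conn.Server
            Connector  = $conn.Name
            RangeCount = $ranges.Count
            WideRange  = [bool]($ranges -match $wideRange)   # $true means review before cut-over
        }
    }
} | Select-Object Server, Connector, RangeCount, WideRange | Format-Table -AutoSize
```

Run the audit section on its own after any connector change; a row with WideRange set to True is a connector that will relay for an address range far larger than a list of known application servers, and it should be tightened before the old Exchange 2003 relay is decommissioned.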

