Exchange 2013 CAS servers cannot accept connections on Exchange ports

Exchange 2013 Enterprise SP1 / Windows Server 2008 R2 SP1
I have configured site resilience setup with the following at two sites:
- two CAS servers
- six MB servers
Traffic to the CAS servers passes through HLB.
I just discovered that the "01" CAS server at each site is not accepting Exchange traffic.
If I telnet to one of the Exchange ports, it looks like there is a connection, however the moment any character is entered, the connection dies.
For example
- telnet Site01CAS01 25
-   ( screen goes blank and DOES NOT display the expected "220 servername Microsoft ESMTP ...." message )
- when I attempt to enter  "ehlo" the moment I enter "e" the session is disconnected.
I can successfully perform a telnet connection to the CAS02 server and run through the complete send a test message through telnet process. The session disconnect occurs on the CAS01 server at each site for ANY port controlled by Exchange: 25, 143, 587, 717, 993
I can successfully telnet to ports NOT controlled by Exchange: 80, 81, 8080, 443
There appears to be nothing essentially wrong with IIS
The firewall is DISABLED.
I discovered this issue yesterday.
I upgraded to Exchange 2013 SP1 10 days ago.
I cannot say for sure if this condition existed before the SP1 upgrade. I upgraded from CU1 to SP1.
Any thoughts?
Thanks! Tom

Well, port 25 doesn't have anything to do with IIS regardless.
Since this is the CAS, port 25 is handled by the Microsoft Exchange Frontend Transport service.
A couple of things I would check.
Check the server component state. Get-ServerComponentState -Identity <server> to ensure everything is "active".
I assume all the services are running and you have rebooted the server to ensure things start up clean.
Also ensure the NIC on this server is set to register itself in DNS.
Finally, if you have disabled the firewall service on the server, it's not supported. You should enable the firewall service and then disable it logically: netsh advfirewall set Allprofiles state off

Similar Messages

  • Autodiscover after deploying Exchange 2013 CAS in a Exchange 2007 organization

    I am deploying Exchange 2013 CAS in an Exchange 2007 organization. Will all the clients be directed to the Exchange 2013 CAS servers for autodiscover? Will there be any issue with Outlook clients connecting to their mailbox servers in Exchange 2007?

    All clients should be pointed to the Exchange 2013 CAS for the autodiscover service. This means:
    A. For local clients
    You need to modify the autodiscover Internal URI on the Exchange 2007 server and point it to Exchange 2013. For example, if you are using split-brain DNS on the Local Network and mail.yourdomain.com is resolved to Exchange 2013 local IP, the Exchange 2007 Autodiscover Internal URI should be "https://mail.yourdomain.com/Autodiscover/Autodiscover.xml"
    Exactly the same way, you should modify the Exchange 2013 Autodiscover Internal URI and use the same address "https://mail.yourdomain.com/Autodiscover/Autodiscover.xml"
    B. For remote clients - all clients will hit the Exchange 2013 CAS first (ex. mail.yourdomain.com)
    If the user's mailbox is on Exchange 2007 server, the correct XML will be generated and provided, and the user will be proxied for Outlook Anywhere/ActiveSync and redirected for OWA/WebServices
    If the user's mailbox is on Exchange 2013 server, the correct XML will be generated and provided
    Bottom line - based on the location of the user's mailbox, Exchange 2013 will generate and provide the correct XML file (there is no proxying involved in providing the Autodiscover info).

  • Exchange 2013 CAS server connection to Exchange 2010 Mailbox server

    Hi Guys,
    I have a quick question. I am planning to upgrade my infra from Exchange 2010 to Exchange 2013 and I have come across a small question. My infra looks like below:
    3 Exchange servers (CAS + HT + MBX roles) Exchange 2010
    1 Exchange server MBX role for journaling Exchange 2010
    1 CAS for internet OWA access Exchange 2010
    Now I will be installing Exchange 2013 CAS on 2 boxes and MBX on 3 boxes.
    I will decommission the 3 Exchange boxes which have (CAS + HT + MBX roles) and the 1 CAS which we use for OWA access.
    I will keep the journaling server as it is and will not be decommissioning it as of now.
    My question is: will I be able to connect to the journaling mailboxes which are hosted on the Exchange 2010 journaling server without actually having any 2010 CAS server? Will Exchange 2013 CAS directly help me connect to the journal mailbox, or would I need to add the CAS role on the Exchange 2010 journaling server, enable Outlook Anywhere and configure the directories with the URLs to make it work?
    Please suggest on the same.
    BR/Deepak

    Hi TheLearner,
    Thank you for your question.
    Exchange 2013 didn’t connect to the journal mailbox directly when we access it by outlook/OWA. The journal mailbox will connect the former Exchange 2010 CAS. Or we could migrate Journaling mailbox to Exchange 2013. Because Exchange 2010  could communicate
    with Exchange 2010 by RPC, but Exchange 2013 could communicate with Exchange 2013 by HTTPS.
    If there are any questions regarding this issue, please be free to let me know. 
    Best Regard,
    Jim
    Jim Xu
    TechNet Community Support

  • Exchange 2013 CAS - Round Robin DNS not working properly

    I have Exchange 2013 servers (2 MB, 2 CAS). I created two DNS records for mail.test.com and autodiscover.test.com pointing to my two CAS servers.
    But the problem is, if I switch off one CAS server, the client Outlook does not connect automatically to the other CAS server. Restarting Outlook does not work either. After restarting the system or running the command ipconfig /flushdns in a command prompt, it works.
    Is there any configuration I am missing? Please advise how to achieve decent load balancing in Exchange 2013 CAS without going for a third-party load balancer...

    If a CAS role server is down or unable to service clients, you have to remove it from  DNS round-robin consideration manually. There is no health check with DNS round-robin unlike a true load balancer.
    Also, I would set the TTL to a low value for the CAS servers in the round-robin.

  • Exchange 2013 CAS incorrectly proxying after mailbox move to Exchange 2013

    Hi,
    I am moving Exchange 2010 mailboxes to Exchange 2013 SP1 in production. When I move a 2010 mailbox, Outlook and OWA work fine right after the move but ActiveSync does not (the HTTPProxy log on the CAS 2013 server shows that it is still redirecting it to the Exchange 2010 CAS servers). Exchange 2013 CAS server ActiveSync takes hours before it starts to see that the mailbox has moved to Exchange 2013. I am certain it is not Active Directory replication since all other clients are working.
    This time I moved another user and it did not work for 3.5 hrs. I had to reboot the Exchange 2013 CAS server; after that it worked.
    There must be something that is not refreshing on the Exchange 2013 CAS server.
    Is there anything I can do right after the move to make it quick? I cannot restart the server after every mailbox move. Currently we are in pilot mode and only moving a few mailboxes at a time.
    Thanks,
    Raman

    Does simply recycling the ActiveSync app pool speed things up?
    Also, I would recommend installing CU6 instead of SP1.

  • Problem: Mixed Exchange 2007 / 2013 CAS Servers with wildcard certificates in Europe and non-wildcard Certificate in China

    Hi,
    We have the following problem. We have a mixed multi-domain one-forest AD environment. We also still have a mixed Exchange 2007 / 2013 environment. We also have different CAS servers for 2007 SP3 (RU15) and 2013 (CU8) in Europe and one 2007 SP3 (RU15) CAS server in China, because of the bad connection to Europe. For the migration to 2013 in Europe we installed a wildcard certificate *.xyz.com and used Set-OutlookProvider EXPR -CertPrincipalName msstd:*.xyz.com, so the wildcard certificate is accepted. Everything in Europe works fine, inside and outside, also between Exchange 2007 and 2013 (both CAS servers 2013 and 2007 use the same wildcard certificate). But since the change of the Set-OutlookProvider EXPR we are facing problems with our CAS server in China, because this server has a different non-wildcard certificate and a different domain name (cas-server.xyz-china.com instead of xyz.com). Now we have the problem that on this Chinese CAS server Outlook Anywhere does not work anymore and always prompts for the username. As I see it, this is because of the EXPR change. Is it possible to set the Outlook Provider EXPR per CAS server? (They also have their own Autodiscover on this front-end server.) Because I see that the Outlook Provider can only be stored forest-wide.
    If not, the other solution would be to register the Chinese CAS server in our xyz.com domain and use the same wildcard certificate on this system, right?
    Any help would be appreciated….

    Yes, setting the EXPR value is most likely the cause of your issue.  When you set this value you are telling Outlook to only accept connections from connections that have the cert with the subject name you specify here.
    Unfortunately, based on my experience I believe this is an organization wide setting and cannot be configured on a CAS by CAS basis (If I'm wrong someone please keep me honest :)).  
    So the only option you would have is to change all the URLs to be on the *.xyz.com domain.  There's no need to change the domain the server actually resides on.  The other option would be to purchase a UCC Cert with all the names you need, apply it to all your CAS servers and reset the EXPR value.

  • Exchange 2013 - Prevent Outlook Clients From Connecting To A CAS Server In A Different AD Site

    Hi all,
    I could really do with your help!
    We have 3 physical sites, A, B & C, with sites A & B having a really fast low latency links between them, so from an AD point of view they are 1 site.  Site C has links to both sites A & B, but the link is a lot slower.
    We have an exchange design with 3 servers (one located at each physical site) that will form a DAG spread over the 3 physical sites.  Ideally we will separate the CAS and mailbox server roles out and have them controlled by a hardware load balancer,
    however we can have both roles on the same server if required.
    What we want, is to prevent is a situation where an outlook client in site C connects to a CAS server in site A/B with the mail being hosted on a mailbox server in site C therefore traversing the network twice to get its mail.
    From doing the Microsoft training course, my understanding is that in Exchange 2013, the CAS server only proxies the request on to the mailbox server and does not redirect the request to the CAS server in the site where the mailbox server resides.
    I have seen information online stating that a single namespace is the way to go as long as your site links/network bandwidth is good, but nothing to help with our scenario.
    Has anyone else come across this situation and how did you get round it?
    Thanks in advance :)

    Hi Johnson,
    Based on my knowledge, the Outlook client will connect to the CAS server which is local first.
    Please check whether the CAS server that is in site C is healthy.
    If the CAS server in site C is healthy, please disable the CAS Load Balance for testing.
    Also found a useful blog for your reference:
    Exchange 2013 Client Access Server Role
    http://blogs.technet.com/b/exchange/archive/2013/01/25/exchange-2013-client-access-server-role.aspx
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • Cannot receive mail on Exchange 2013 CAS: 451 4.7.0 Temporary server error. Please try again later. PRX4

    Hi all,
    I have just deployed Exchange 2013 on two CAS boxes and two MBX boxes as follows:
    10.10.20.11  CAS01
    10.10.20.12  CAS02
    10.10.10.11  MBX01
    10.10.10.12  MBX02
    If I telnet to the internet facing IP on CAS01 and attempt to send an email internally (to a mailbox on MBX01) I get the following:
    220 smtp.myrealdomain.com Microsoft ESMTP MAIL Service ready at Wed, 26 Mar 2014 01:14:24 +1000
    EHLO test.com
    250-smtp.myrealdomain.com Hello [10.10.20.11]
    250-SIZE 36700160
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-AUTH
    250-8BITMIME
    250-BINARYMIME
    250 CHUNKING
    MAIL FROM:[email protected]
    250 2.1.0 Sender OK
    RCPT TO:[email protected]
    250 2.1.5 Recipient OK
    DATA
    354 Start mail input; end with <CRLF>.<CRLF>
    Subject:Test email 452
    This is test email 452
    451 4.7.0 Temporary server error. Please try again later. PRX4
    Connectivity Log on CAS01:
    2014-03-25T15:27:15.353Z,08D11605A575FAE1,SMTP,internalproxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=<no priority counts>
    2014-03-25T15:27:15.353Z,08D11605A575FAE1,SMTP,internalproxy,>,"MBX02.myaddomain.com[10.10.10.12], MBX01.myaddomain.com[10.10.10.11]"
    2014-03-25T15:27:15.353Z,08D11605A575FAE1,SMTP,internalproxy,>,Established connection to 10.10.10.12
    2014-03-25T15:27:15.369Z,08D11605A575FAE1,SMTP,internalproxy,-,Messages: 0 Bytes: 0 (Attempting next target)
    2014-03-25T15:27:15.369Z,08D11605A575FAE2,SMTP,internalproxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=<no priority counts>
    2014-03-25T15:27:15.369Z,08D11605A575FAE2,SMTP,internalproxy,>,Established connection to 10.10.10.11
    2014-03-25T15:27:15.369Z,08D11605A575FAE2,SMTP,internalproxy,-,Messages: 0 Bytes: 0 (Retry : EHLO Options do not match for proxy)
    2014-03-25T15:28:10.328Z,08D11605A575FAFA,SMTP,internalproxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=<no priority counts>
    2014-03-25T15:28:21.669Z,08D11605A575FAFA,SMTP,internalproxy,>,"MBX01.myaddomain.com[10.10.10.11], MBX02.myaddomain.com[10.10.10.12]"
    2014-03-25T15:28:21.669Z,08D11605A575FAFA,SMTP,internalproxy,>,Established connection to 10.10.10.11
    2014-03-25T15:28:21.669Z,08D11605A575FAFA,SMTP,internalproxy,-,Messages: 0 Bytes: 0 (Attempting next target)
    2014-03-25T15:28:21.669Z,08D11605A575FAFF,SMTP,internalproxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=<no priority counts>
    2014-03-25T15:28:21.669Z,08D11605A575FAFF,SMTP,internalproxy,>,Established connection to 10.10.10.12
    2014-03-25T15:28:21.669Z,08D11605A575FAFF,SMTP,internalproxy,-,Messages: 0 Bytes: 0 (Retry : EHLO Options do not match for proxy)
    SmtpSend Log on CAS01:
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,1,10.10.20.11:25495,10.10.10.12:25,+,,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,2,10.10.20.11:25495,10.10.10.12:25,<,220 ********************************************************************************************************************,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,3,10.10.20.11:25495,10.10.10.12:25,*,,Proxying inbound session with session id 08D11605A575FB5D
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,4,10.10.20.11:25495,10.10.10.12:25,>,EHLO CAS01.myaddomain.com,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,5,10.10.20.11:25495,10.10.10.12:25,<,250-MBX02.myaddomain.com Hello [10.10.20.11],
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,6,10.10.20.11:25495,10.10.10.12:25,<,250-SIZE,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,7,10.10.20.11:25495,10.10.10.12:25,<,250-PIPELINING,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,8,10.10.20.11:25495,10.10.10.12:25,<,250-DSN,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,9,10.10.20.11:25495,10.10.10.12:25,<,250-ENHANCEDSTATUSCODES,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,10,10.10.20.11:25495,10.10.10.12:25,<,250-XXXXXXXA,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,11,10.10.20.11:25495,10.10.10.12:25,<,250-XXXXXXXXXXXXXB,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,12,10.10.20.11:25495,10.10.10.12:25,<,250-AUTH NTLM,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,13,10.10.20.11:25495,10.10.10.12:25,<,250-XXXXXXXXXXXXXXXXXC,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,14,10.10.20.11:25495,10.10.10.12:25,<,250-8BITMIME,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,15,10.10.20.11:25495,10.10.10.12:25,<,250-BINARYMIME,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,16,10.10.20.11:25495,10.10.10.12:25,<,250-XXXXXXXD,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,17,10.10.20.11:25495,10.10.10.12:25,<,250-XXXXXXE,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,18,10.10.20.11:25495,10.10.10.12:25,<,250-XXXXF,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,19,10.10.20.11:25495,10.10.10.12:25,<,250 XXXXXXXXXXXXXG,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,20,10.10.20.11:25495,10.10.10.12:25,*,,"EHLO options between current server and proxy target do not match : Chunking, Xrdst. Critical non matching options : Chunking, Xrdst. Failing over."
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,0,,10.10.10.11:25,*,,attempting to connect
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,21,10.10.20.11:25495,10.10.10.12:25,>,QUIT,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,1,10.10.20.11:25496,10.10.10.11:25,+,,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,22,10.10.20.11:25495,10.10.10.12:25,<,221 2.0.0 Service closing transmission channel,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,23,10.10.20.11:25495,10.10.10.12:25,-,,Local
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,2,10.10.20.11:25496,10.10.10.11:25,<,220 ********************************************************************************************************************,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,3,10.10.20.11:25496,10.10.10.11:25,*,,Proxying inbound session with session id 08D11605A575FB5D
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,4,10.10.20.11:25496,10.10.10.11:25,>,EHLO CAS01.myaddomain.com,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,5,10.10.20.11:25496,10.10.10.11:25,<,250-MBX01.myaddomain.com Hello [10.10.20.11],
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,6,10.10.20.11:25496,10.10.10.11:25,<,250-SIZE,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,7,10.10.20.11:25496,10.10.10.11:25,<,250-PIPELINING,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,8,10.10.20.11:25496,10.10.10.11:25,<,250-DSN,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,9,10.10.20.11:25496,10.10.10.11:25,<,250-ENHANCEDSTATUSCODES,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,10,10.10.20.11:25496,10.10.10.11:25,<,250-XXXXXXXA,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,11,10.10.20.11:25496,10.10.10.11:25,<,250-XXXXXXXXXXXXXB,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,12,10.10.20.11:25496,10.10.10.11:25,<,250-AUTH NTLM,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,13,10.10.20.11:25496,10.10.10.11:25,<,250-XXXXXXXXXXXXXXXXXC,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,14,10.10.20.11:25496,10.10.10.11:25,<,250-8BITMIME,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,15,10.10.20.11:25496,10.10.10.11:25,<,250-BINARYMIME,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,16,10.10.20.11:25496,10.10.10.11:25,<,250-XXXXXXXD,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,17,10.10.20.11:25496,10.10.10.11:25,<,250-XXXXXXE,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,18,10.10.20.11:25496,10.10.10.11:25,<,250-XXXXF,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,19,10.10.20.11:25496,10.10.10.11:25,<,250 XXXXXXXXXXXXXG,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,20,10.10.20.11:25496,10.10.10.11:25,*,,"EHLO options between current server and proxy target do not match : Chunking, Xrdst. Critical non matching options : Chunking, Xrdst. Failing over."
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,21,10.10.20.11:25496,10.10.10.11:25,>,QUIT,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,22,10.10.20.11:25496,10.10.10.11:25,<,221 2.0.0 Service closing transmission channel,
    2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB67,23,10.10.20.11:25496,10.10.10.11:25,-,,Local
    Can anyone help? I'm at the end of my Googling!

    The answer has been found. In our case, we had to disable the Mailguard feature of the Cisco ASA between the CAS subnet and the MBX subnet. Essentially it was stripping AUTH commands from the SMTP handshake which meant the servers could not authenticate
    to each other and establish a secured connection.
    I guess for future reference, if you're getting a PRX4 error code you should look at any device that could be inspecting SMTP between your CAS and MBX servers.
    This Microsoft KB article has more information: http://support.microsoft.com/kb/320027
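
The pattern visible in the SmtpSend log of this thread (a 220 banner replaced by asterisks and EHLO keywords replaced by runs of X, followed by "EHLO options ... do not match") can be searched for across a log file to spot an SMTP-inspecting device between CAS and MBX. This is an added example, not part of the original posts; it assumes the nine-column CSV layout seen in the excerpt, and the sample lines, the `CLEAN-0001` session and the function names are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Column order as it appears in the SmtpSend excerpt quoted in the thread.
FIELDS = ["timestamp", "connector", "session", "seq",
          "local", "remote", "event", "data", "context"]

# A banner that is nothing but asterisks after the 220 code.
MASKED_BANNER = re.compile(r"^220 \*{8,}$")
# An EHLO keyword that is a run of X (optionally one trailing letter),
# e.g. 250-XXXXXXXA. Real keywords such as XRDST do not match.
MASKED_KEYWORD = re.compile(r"^250[- ]X{3,}[A-Z]?$")

# Constructed sample, modelled on the log lines in the post.
# Session CLEAN-0001 is an invented, unmasked session for contrast.
SAMPLE_LOG = '''\
#Fields: constructed header line, skipped by the parser
2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,1,10.10.20.11:25495,10.10.10.12:25,+,,
2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,2,10.10.20.11:25495,10.10.10.12:25,<,220 ****************************************,
2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,4,10.10.20.11:25495,10.10.10.12:25,>,EHLO CAS01.myaddomain.com,
2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,5,10.10.20.11:25495,10.10.10.12:25,<,250-MBX02.myaddomain.com Hello [10.10.20.11],
2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,6,10.10.20.11:25495,10.10.10.12:25,<,250-SIZE,
2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,10,10.10.20.11:25495,10.10.10.12:25,<,250-XXXXXXXA,
2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,12,10.10.20.11:25495,10.10.10.12:25,<,250-AUTH NTLM,
2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,18,10.10.20.11:25495,10.10.10.12:25,<,250-XXXXF,
2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,19,10.10.20.11:25495,10.10.10.12:25,<,250 XXXXXXXXXXXXXG,
2014-03-25T15:32:34.158Z,Inbound Proxy Internal Send Connector,08D11605A575FB5E,20,10.10.20.11:25495,10.10.10.12:25,*,,"EHLO options between current server and proxy target do not match : Chunking, Xrdst. Critical non matching options : Chunking, Xrdst. Failing over."
2014-03-25T15:40:00.000Z,Inbound Proxy Internal Send Connector,CLEAN-0001,2,10.10.20.11:25500,10.10.10.11:25,<,220 MBX01.myaddomain.com Microsoft ESMTP MAIL Service ready,
2014-03-25T15:40:00.000Z,Inbound Proxy Internal Send Connector,CLEAN-0001,5,10.10.20.11:25500,10.10.10.11:25,<,250-STARTTLS,
2014-03-25T15:40:00.000Z,Inbound Proxy Internal Send Connector,CLEAN-0001,6,10.10.20.11:25500,10.10.10.11:25,<,250-XRDST,
2014-03-25T15:40:00.000Z,Inbound Proxy Internal Send Connector,CLEAN-0001,7,10.10.20.11:25500,10.10.10.11:25,<,250 CHUNKING,
'''


def analyze(log_text):
    """Return per-session indicators of in-path SMTP rewriting."""
    sessions = defaultdict(lambda: {"remote": "", "masked_banner": False,
                                    "masked_keywords": [],
                                    "ehlo_mismatch": False})
    # Skip '#' header lines; csv handles the quoted context field.
    lines = (ln for ln in io.StringIO(log_text) if not ln.startswith("#"))
    for row in csv.reader(lines):
        if len(row) < len(FIELDS):
            continue  # blank or truncated line
        rec = dict(zip(FIELDS, row))
        entry = sessions[rec["session"]]
        entry["remote"] = rec["remote"] or entry["remote"]
        data = rec["data"].strip()
        if rec["event"] == "<":  # line received from the remote side
            if MASKED_BANNER.match(data):
                entry["masked_banner"] = True
            elif MASKED_KEYWORD.match(data):
                entry["masked_keywords"].append(data[4:])
        elif rec["event"] == "*":  # informational line from the proxy
            ctx = rec["context"]
            if "EHLO options" in ctx and "do not match" in ctx:
                entry["ehlo_mismatch"] = True
    return dict(sessions)


def inspected_sessions(log_text):
    """Sessions whose banner or EHLO reply was rewritten on the wire."""
    hits = [(sid, info["remote"])
            for sid, info in analyze(log_text).items()
            if info["masked_banner"] or info["masked_keywords"]]
    return sorted(hits)


if __name__ == "__main__":
    for sid, remote in inspected_sessions(SAMPLE_LOG):
        info = analyze(SAMPLE_LOG)[sid]
        print(sid, remote, info["masked_keywords"],
              "mismatch" if info["ehlo_mismatch"] else "no-mismatch")
```

A session that shows both a masked banner and an EHLO mismatch points at the network path rather than at either Exchange server, which is where the thread's resolution ended up.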

  • Exchange 2010 CAS array with Exchange 2013 Mailbox Servers

    Here is our current scenario,
    Exchange 2007
    2 - Hub Transport Servers
    2 - CAS servers (cluster NLB)
    2 - Mailbox servers (clustered)
    Exchange 2010
    2 - Hub Transport Servers
    3 - CAS servers (array NLB)
    2 - Mailbox servers (1 DAG)
    We have not migrated any users to the Exchange 2010 environment yet. We're thinking that at this point we would rather go from 2007 to 2013. Does the 2013 mailbox server work with a 2010 CAS array?

    Hi,
    As far as I know, CAS array doesn't exist in Exchange 2013. And OWA and other requests can be proxied and redirected from Exchange 2013 to Exchange 2010.
    For more information, you can refer to the following article:
    http://blogs.technet.com/b/exchange/archive/2013/01/25/exchange-2013-client-access-server-role.aspx
    Thanks,
    Angela Shi
    TechNet Community Support

  • Exchange 2013 SP 1 + Lync 2013 CAS servers 100% CPU Load.

    Hello. Can somebody explain about one issue?
    We have Exchange 2013 CU6 + Lync 2013 (5.0.8308.556) integration. After installing Exchange SP1, all Client Access Servers began to consume all CPU time. In Process Explorer there are w3wp.exe (MSExchangeServicesAppPool) and lsass.exe (netlogon context). In the IIS logs there are a lot of events like:
    GET /EWS/Exchange.asmx/s/GetUserPhoto email=[email protected]&size=HR648x648&CorrelationID=<empty>;&cafeReqId=07966a0b-99a4-4f0a-8a38-a8a83264e46c; 443 - 10.10.10.10 OC/15.0.4659.1001+(Microsoft+Lync) - 401 1 2148074254 46
    GET /EWS/Exchange.asmx/s/GetUserPhoto email=[email protected]&size=HR648x648&CorrelationID=<empty>;&cafeReqId=c7fb9499-1dc7-48d9-add6-64156a910de6; 443 Contoso\username 10.10.10.10 OC/15.0.4659.1001+(Microsoft+Lync) - 200 0 0 437
    The IIS logs grow very quickly, about 1GB per day. Before installing SP1 there were no problems. Thanks in advance.

    Hi,
    From your description, you said that you have Exchange 2013 CU6 + Lync 2013 (5.0.8308.556) integration, then you install Exchange 2013 SP1 on all CAS servers.
    Do you mean your Exchange 2013 Mailbox server is CU6, and all CAS servers are SP1?
    We had better have the same version on Exchange servers in our environment. If that is the case, please upgrade all to CU6, the latest Exchange 2013 version, to check the result.
    Best regards,
    Belinda Ma
    TechNet Community Support

  • Unable to send to external email recipients - Multi Tenant Exchange 2013 - MultiRole servers in DAG

    Greetings all, I hope someone can help.
    I have created a Exchange 2013 multi-tenant organization, with two servers, both multi-role - CAS and Mailbox roles.
    Internal mail flow is fine (external email addresses can send to the domain).
    External firewall port forwards ports 443 and 25 to the Internal DAG IP address.
    There are two multi-role Exchange servers that are members of the DAG.
    I am able to connect to OWA and ECP via https://externalIP/OWA and https://alias.domain.com/OWA
    No SSL certificates have been purchased or installed yet.
    Exchange URLs have not been changed since default configuration at install.
    OWA and ECP works both internal and external.
    External DNS works with SPF and PTR records correctly configured
    Exchange RCA - Send test only fails with one Spam Listing (this Blacklist provider now flags all domains and you cannot ask to be removed)
    Send Connectors are the default ones created during install. Receive connector is standard configuration with  - * - 
    When sending email to an external address, I receive a failure notice
    ServerName.test.corp.int gave this error:
    Unable to relay 
    Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.
    More Info - 
    ServerName.test.corp.int
    Remote Server returned '550 5.7.1 Unable to relay'
    I have been troubleshooting this for many hours with no progress.
    I have created new Send Connectors for the server that is advising that it is unable to relay, but they have all failed.
    I have tried setting the Internal IP address for Exchange Server 1 (Exchange Server 2 reports failure), with most combinations of Security (Anonymous, Exchange Users, etc).
    I have also tried with the IP range 192.168.11.0/24 to allow the whole subnet; I still receive the unable to relay failure notice.
    I have tried this guide - hxxps://glazenbakje.wordpress.com/2012/12/30/exchange-2013-how-to-configure-an-internal-relay-connector/ - with different combinations, still no resolution.
    I am at a loss as to why I can't send out with the default configuration. I would assume that email would flow out without any changes, but this does not happen.
    Can someone please assist before I lose my sanity.
    Thanks in advance,
    Terry

    Greetings all, I hope someone can help.
    I have created a Exchange 2013 multi-tenant organization, with two servers, both multi-role - CAS and Mailbox roles.
    Internal mail flow is fine.
    Incoming mail from external senders is also fine (external email addresses can send to the domain).
    External firewall port forwards ports 443 and 25 to the Internal DAG IP address.
    There are two multi-role Exchange servers that are members of the DAG.
    I am able to connect to OWA and ECP via https://externalIP/OWA and https://alias.domain.com/OWA
    No SSL certificates have been purchased or installed yet.
    Exchange URLs have not been changed since default configuration at install.
    OWA and ECP works both internal and external.
    External DNS works with SPF and PTR records correctly configured
    Exchange RCA - Send test only fails with one Spam Listing (this Blacklist provider now flags all domains and you cannot ask to be removed)
    Receive Connectors are the default ones created during install. Send connector is standard configuration with  - * - 
    When sending email to an external address, I receive a failure notice
    ServerName.test.corp.int gave this error:
    Unable to relay 
    Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.
    More Info - 
    ServerName.test.corp.int
    Remote Server returned '550 5.7.1 Unable to relay'
    I have been troubleshooting this for several days with no progress.
    I have created new Receive Connectors for the server that is advising that it is unable to relay, but they have all failed.
    I have tried setting the Internal IP address for Exchange Server 1 (Exchange Server 2 reports failure), with most combinations of Security (Anonymous, Exchange Users, etc).
    I have also tried with the IP range 192.168.11.0/24 to allow the whole subnet; I still receive the unable to relay failure notice.
    I have tried this guide - hxxps://glazenbakje.wordpress.com/2012/12/30/exchange-2013-how-to-configure-an-internal-relay-connector/ - with different combinations, still no resolution.
    Even more info - Further troubleshooting -
    I found one of my Exchange servers had an extra NIC. I have since added a second NIC to the other server, so now both Exchange servers have dual NICs. I removed the DAG cleanly and recreated the DAG from scratch, using this link -
    hxxp://careexchange.in/how-to-create-a-database-availability-group-in-exchange-2013/ 
    The issue still exists, even with a newly created DAG. I also found that the Tenant Address Books were not 'applied'. I applied them but still no resolution
    I think the issue is related to multi-tenant configuration even though the error says that it can't relay. The unable to relay message can appear when sending from a domain that the Organization does not support. Like trying to email as [email protected]
    when your domain name is apple.com - But through extensive research I still can't resolve the issue.
    Can someone please assist before I lose my sanity.
    Thanks in advance,
    Terry

  • Some Outlook clients getting internal FQDN of newly installed Exchange 2013 CAS server as Outlook Anywhere Proxy address

    Hello Folks,
    I have this problem and it is making me crazy. If anyone has any idea, please shed some light on this:
    1. Working Outlook 2010 and 2013 clients with webmail.xyz.com as Outlook Anywhere proxy address.
    2. Installed new Exchange 2013 server (server02) with CAS and Mailbox role, Exchange install wizard finished and server is rebooted.
    3. Server came up online, started changing internal and external FQDNs of Virtual Directories and Outlook Anywhere to webmail.xyz.com
    4. As soon as the FQDNs changed, some Outlook clients create a support request that Outlook suddenly whites out and after reopening it is giving the error "cannot connect to exchange". Upon checking, the client's Exchange Proxy address is set to http://server02.xyz.com,
    even though the OA/OWA/ECP/OAB/EWS/Autodiscover/ActiveSync FQDNs point to webmail.xyz.com on all servers. If I create a new Outlook profile for the same user it picks up the correct settings through Autodiscover and connects fine. This is happening to about 20% of Outlook
    clients every time I am introducing a new Exchange 2013 server in the Organization. We have around 2000 users and are planning on installing 4 Exchange servers to distribute load, and changing the Outlook profile of close to 150-200 users every time is not possible.
    Any help is greatly appreciated.
    Thanks
    Cool

    Here are the EXCRA results
    Here IP (x.x.x.x) returned is my Load Balancer IP (Webmail.xyz.com).    
    Connectivity Test Successful with Warnings
    Test Details
         Testing Outlook connectivity.
         The Outlook connectivity test completed successfully.
              Additional Details
         Elapsed Time: 9881 ms.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to test Autodiscover for [email protected].
         Autodiscover was tested successfully.
              Additional Details
         Elapsed Time: 2063 ms.
              Test Steps
              Attempting each method of contacting the Autodiscover service.
         The Autodiscover service was tested successfully.
              Additional Details
         Elapsed Time: 2063 ms.
              Test Steps
              Attempting to test potential Autodiscover URL https://xyz.com:443/Autodiscover/Autodiscover.xml
         Testing of this potential Autodiscover URL failed.
              Additional Details
         Elapsed Time: 186 ms.
              Test Steps
              Attempting to resolve the host name xyz.com in DNS.
         The host name couldn't be resolved.
           Tell me more about this issue and how to resolve it
              Additional Details
         Host xyz.com couldn't be resolved in DNS InfoNoRecords.
    Elapsed Time: 186 ms.
         Attempting to test potential Autodiscover URL https://autodiscover.xyz.com:443/Autodiscover/Autodiscover.xml
         Testing of the Autodiscover URL was successful.
              Additional Details
         Elapsed Time: 1876 ms.
              Test Steps
              Attempting to resolve the host name autodiscover.xyz.com in DNS.
         The host name resolved successfully.
              Additional Details
         IP addresses returned: x.x.x.x
    Elapsed Time: 338 ms.
         Testing TCP port 443 on host autodiscover.xyz.com to ensure it's listening and open.
         The port was opened successfully.
              Additional Details
         Elapsed Time: 173 ms.
         Testing the SSL certificate to make sure it's valid.
         The certificate passed all validation requirements.
              Additional Details
         Elapsed Time: 318 ms.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.xyz.com on port 443.
         The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
              Additional Details
         Remote Certificate Subject: CN=webmail.xyz.com, Issuer: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US.
    Elapsed Time: 219 ms.
         Validating the certificate name.
         The certificate name was validated successfully.
              Additional Details
         Host name autodiscover.xyz.com was found in the Certificate Subject Alternative Name entry.
    Elapsed Time: 1 ms.
         Certificate trust is being validated.
         The certificate is trusted and all certificates are present in the chain.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05,.
         One or more certificate chains were constructed successfully.
              Additional Details
         A total of 1 chains were built. The highest quality chain ends in root certificate CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign,
    Inc.", C=US.
    Elapsed Time: 36 ms.
         Analyzing the certificate chains for compatibility problems with versions of Windows.
         Potential compatibility problems were identified with some versions of Windows.
              Additional Details
         The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature
    isn't enabled.
    Elapsed Time: 5 ms.
         Testing the certificate date to confirm the certificate is valid.
         Date validation passed. The certificate hasn't expired.
              Additional Details
         The certificate is valid. NotBefore = 1/3/2013 12:00:00 AM, NotAfter = 11/16/2015 11:59:59 PM
    Elapsed Time: 0 ms.
         Checking the IIS configuration for client certificate authentication.
         Client certificate authentication wasn't detected.
              Additional Details
         Accept/Require Client Certificates isn't configured.
    Elapsed Time: 289 ms.
         Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
         The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
              Additional Details
         Elapsed Time: 756 ms.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.xyz.com:443/Autodiscover/Autodiscover.xml for user [email protected].
         The Autodiscover XML response was successfully retrieved.
              Additional Details
         Autodiscover Account Settings
    XML response:
    <?xml version="1.0"?>
    <Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
    <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
    <DisplayName>Test Exch1</DisplayName>
    <LegacyDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1</LegacyDN>
    <DeploymentId>4ec753c9-60d9-4c05-9451-5b24e2d527a7</DeploymentId>
    </User>
    <Account>
    <AccountType>email</AccountType>
    <Action>settings</Action>
    <Protocol>
    <Type>EXCH</Type>
    <Server>[email protected]</Server>
    <ServerDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/[email protected]</ServerDN>
    <ServerVersion>73C0834F</ServerVersion>
    <MdbDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/[email protected]/cn=Microsoft Private MDB</MdbDN>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    <OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
    <OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
    <UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <PublicFolderServer>webmail.xyz.com</PublicFolderServer>
    <AD>DC-03.domain.xyz.com</AD>
    <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
    <EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
    <EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
    <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-um>
    <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-aggr>
    <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.xyz.com</EcpUrl-mt>
    <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-ret>
    <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-sms>
    <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-photo>
    <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tm>
    <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmCreating>
    <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmEditing>
    <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-extinstall>
    <ServerExclusiveConnect>off</ServerExclusiveConnect>
    </Protocol>
    <Protocol>
    <Type>EXPR</Type>
    <Server>webmail.xyz.com</Server>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    <OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
    <OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
    <UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <SSL>On</SSL>
    <AuthPackage>Ntlm</AuthPackage>
    <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
    <EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
    <EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
    <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-um>
    <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-aggr>
    <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.xyz.com</EcpUrl-mt>
    <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-ret>
    <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-sms>
    <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-photo>
    <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tm>
    <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmCreating>
    <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmEditing>
    <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-extinstall>
    <ServerExclusiveConnect>on</ServerExclusiveConnect>
    <EwsPartnerUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsPartnerUrl>
    <GroupingInformation>Default-First-Site-Name</GroupingInformation>
    </Protocol>
    <Protocol>
    <Type>WEB</Type>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <Internal>
    <OWAUrl AuthenticationMethod="Basic, Fba">https://webmail.xyz.com/owa/</OWAUrl>
    <Protocol>
    <Type>EXCH</Type>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    </Protocol>
    </Internal>
    <External>
    <OWAUrl AuthenticationMethod="Fba">https://webmail.xyz.com/owa/</OWAUrl>
    <Protocol>
    <Type>EXPR</Type>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    </Protocol>
    </External>
    </Protocol>
    <Protocol>
    <Type>EXHTTP</Type>
    <Server>webmail.xyz.com</Server>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    <OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
    <OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
    <UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <SSL>On</SSL>
    <AuthPackage>Ntlm</AuthPackage>
    <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
    <EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
    <EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
    <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-um>
    <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-aggr>
    <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.xyz.com</EcpUrl-mt>
    <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-ret>
    <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-sms>
    <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-photo>
    <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tm>
    <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmCreating>
    <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmEditing>
    <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-extinstall>
    <ServerExclusiveConnect>On</ServerExclusiveConnect>
    </Protocol>
    <Protocol>
    <Type>EXHTTP</Type>
    <Server>webmail.xyz.com</Server>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    <OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
    <OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
    <UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <SSL>On</SSL>
    <AuthPackage>Ntlm</AuthPackage>
    <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
    <EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
    <EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
    <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-um>
    <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-aggr>
    <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.xyz.com</EcpUrl-mt>
    <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-ret>
    <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-sms>
    <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-photo>
    <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tm>
    <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmCreating>
    <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmEditing>
    <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-extinstall>
    <ServerExclusiveConnect>On</ServerExclusiveConnect>
    </Protocol>
    </Account>
    </Response>
    </Autodiscover>
    HTTP Response Headers:
    request-id: 9d325a80-f1fd-4496-ac48-2be6bb782c28
    X-CalculatedBETarget: Server01.domain.xyz.com
    X-DiagInfo: Server01
    X-BEServer: Server01
    Persistent-Auth: true
    X-FEServer: Server01
    Content-Length: 11756
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Date: Mon, 25 Aug 2014 19:12:25 GMT
    Set-Cookie: X-BackEndCookie=S-1-5-21-1293235207-2459173341-1304346827-14544=u56Lnp2ejJqBypqcnsfJx5nSy8ucnNLLnJzP0sfKz8/Sy5nHmsiamZrMyZrLgYHPxtDNy9DNz87L387Gxc7Nxc3J; expires=Thu, 25-Sep-2014 00:12:26 GMT; path=/Autodiscover; secure; HttpOnly
    Server: Microsoft-IIS/8.5
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Elapsed Time: 756 ms.
         Autodiscover settings for Outlook connectivity are being validated.
         The Microsoft Connectivity Analyzer validated the Outlook Autodiscover settings.
              Additional Details
         Elapsed Time: 0 ms.
         Testing RPC over HTTP connectivity to server webmail.xyz.com
         RPC over HTTP connectivity was verified successfully.
              Additional Details
         HTTP Response Headers:
    request-id: 835acf95-78b7-40ae-b232-117318d1577e
    Server: Microsoft-IIS/8.5
    WWW-Authenticate: Basic realm="webmail.xyz.com",Negotiate,NTLM
    X-Powered-By: ASP.NET
    X-FEServer: Server01
    Date: Mon, 25 Aug 2014 19:12:26 GMT
    Content-Length: 0
    Elapsed Time: 7817 ms.
              Test Steps
              Attempting to resolve the host name webmail.xyz.com in DNS.
         The host name resolved successfully.
              Additional Details
         IP addresses returned: x.x.x.x
    Elapsed Time: 107 ms.
         Testing TCP port 443 on host webmail.xyz.com to ensure it's listening and open.
         The port was opened successfully.
              Additional Details
         Elapsed Time: 180 ms.
         Testing the SSL certificate to make sure it's valid.
         The certificate passed all validation requirements.
              Additional Details
         Elapsed Time: 303 ms.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server webmail.xyz.com on port 443.
         The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
              Additional Details
         Remote Certificate Subject: CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05, Issuer: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign,
    Inc.", C=US.
    Elapsed Time: 224 ms.
         Validating the certificate name.
         The certificate name was validated successfully.
              Additional Details
         Host name webmail.xyz.com was found in the Certificate Subject Common name.
    Elapsed Time: 0 ms.
         Certificate trust is being validated.
         The certificate is trusted and all certificates are present in the chain.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05,
         One or more certificate chains were constructed successfully.
              Additional Details
         A total of 1 chains were built. The highest quality chain ends in root certificate CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign,
    Inc.", C=US.
    Elapsed Time: 34 ms.
         Analyzing the certificate chains for compatibility problems with versions of Windows.
         Potential compatibility problems were identified with some versions of Windows.
              Additional Details
         The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature
    isn't enabled.
    Elapsed Time: 5 ms.
         Testing the certificate date to confirm the certificate is valid.
         Date validation passed. The certificate hasn't expired.
              Additional Details
         The certificate is valid. NotBefore = 1/3/2013 12:00:00 AM, NotAfter = 11/16/2015 11:59:59 PM
    Elapsed Time: 0 ms.
         Checking the IIS configuration for client certificate authentication.
         Client certificate authentication wasn't detected.
              Additional Details
         Accept/Require Client Certificates isn't configured.
    Elapsed Time: 298 ms.
         Testing HTTP Authentication Methods for URL https://webmail.xyz.com/rpc/[email protected]:6002.
         The HTTP authentication methods are correct.
              Additional Details
         The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic, Negotiate, NTLM
         HTTP Response Headers:
    request-id: 835acf95-78b7-40ae-b232-117318d1577e
    Server: Microsoft-IIS/8.5
    WWW-Authenticate: Basic realm="webmail.xyz.com",Negotiate,NTLM
    X-Powered-By: ASP.NET
    X-FEServer: Server01
    Date: Mon, 25 Aug 2014 19:12:26 GMT
    Content-Length: 0
    Elapsed Time: 296 ms.
         Attempting to ping RPC proxy webmail.xyz.com.
         RPC Proxy was pinged successfully.
              Additional Details
         Elapsed Time: 454 ms.
         Attempting to ping the MAPI Mail Store endpoint with identity: [email protected]:6001.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 0 ms.
    Elapsed Time: 1007 ms.
         Testing the MAPI Address Book endpoint on the Exchange server.
         The address book endpoint was tested successfully.
              Additional Details
         Elapsed Time: 2177 ms.
              Test Steps
              Attempting to ping the MAPI Address Book endpoint with identity: [email protected]:6004.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 906 ms.
    Elapsed Time: 918 ms.
         Testing the address book "Check Name" operation for user [email protected] against server [email protected].
         The test passed with some warnings encountered. Please expand the additional details.
           Tell me more about this issue and how to resolve it
              Additional Details
         The address book Bind operation returned ecNotSupported. This typically indicates that your server requires encryption. The Microsoft Connectivity Analyzer will attempt the Address Book test again with encryption.
    NSPI Status: 2147746050
    Elapsed Time: 825 ms.
         Testing the address book "Check Name" operation for user [email protected] against server [email protected].
         Check Name succeeded.
              Additional Details
         DisplayName: Test Exch1, LegDN: /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1
    Elapsed Time: 433 ms.
         Testing the MAPI Referral service on the Exchange Server.
         The Referral service was tested successfully.
              Additional Details
         Elapsed Time: 1808 ms.
              Test Steps
              Attempting to ping the MAPI Referral Service endpoint with identity: [email protected]:6002.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 953 ms.
    Elapsed Time: 949 ms.
         Attempting to perform referral for user /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1 on server [email protected].
         We got the address book server successfully.
              Additional Details
         The server returned by the Referral service: [email protected]
    Elapsed Time: 858 ms.
         Testing the MAPI Address Book endpoint on the Exchange server.
         The address book endpoint was tested successfully.
              Additional Details
         Elapsed Time: 626 ms.
              Test Steps
              Attempting to ping the MAPI Address Book endpoint with identity: [email protected]:6004.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 156 ms.
    Elapsed Time: 154 ms.
         Testing the address book "Check Name" operation for user [email protected] against server [email protected].
         Check Name succeeded.
              Additional Details
         DisplayName: Test Exch1, LegDN: /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1
    Elapsed Time: 472 ms.
         Testing the MAPI Mail Store endpoint on the Exchange server.
         We successfully tested the Mail Store endpoint.
              Additional Details
         Elapsed Time: 555 ms.
              Test Steps
              Attempting to ping the MAPI Mail Store endpoint with identity: [email protected]:6001.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 234 ms.
    Elapsed Time: 228 ms.
         Attempting to log on to the Mailbox.
         We were able to log on to the Mailbox.
              Additional Details
         Elapsed Time: 326 ms.
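The post above describes clients ending up with a new server's own FQDN as their proxy address while every URL is meant to point at webmail.xyz.com. The following is an added example, not part of the original post or of any Microsoft tool: a check that reads an Autodiscover response like the one pasted above and reports every host outside the published namespace. The trimmed sample XML, the function names and the placeholder EXCH server value are constructed for illustration.

```python
"""Audit an Outlook Autodiscover response for hosts outside the published namespace."""
import xml.etree.ElementTree as ET   # for untrusted XML, parse with a hardened parser instead
from urllib.parse import urlsplit

OUTLOOK_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
PROXY_TYPES = {"EXPR", "EXHTTP"}     # protocols whose <Server> is the HTTP proxy host

# Constructed sample: same element layout as the response in the post, trimmed,
# with server02.xyz.com planted in the WEB and EXHTTP sections.
SAMPLE_RESPONSE = """\
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Account>
<Protocol>
<Type>EXCH</Type>
<Server>00000000-0000-0000-0000-000000000000@xyz.com</Server>
<EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>webmail.xyz.com</Server>
<SSL>On</SSL>
<EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://server02.xyz.com/owa/</OWAUrl>
<Protocol><Type>EXCH</Type><ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl></Protocol>
</Internal>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>server02.xyz.com</Server>
<SSL>Off</SSL>
<EwsUrl>http://server02.xyz.com/ews/exchange.asmx</EwsUrl>
<EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx</EcpUrl-um>
</Protocol>
</Account>
</Response>
</Autodiscover>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _inspect(ptype, elem, allowed, findings):
    """Record a finding if this element names a host or transport we do not expect."""
    name, text = _local(elem.tag), (elem.text or "").strip()
    scheme = None
    if name == "SSL" and ptype in PROXY_TYPES:
        if text.lower() != "on":
            findings.append((ptype, name, text, "SSL element is not On"))
        return
    if name == "Server" and ptype in PROXY_TYPES:
        host = text.lower()
    elif text.lower().startswith(("http://", "https://")):
        parts = urlsplit(text)
        host, scheme = parts.hostname or "", parts.scheme.lower()
    else:
        return  # Type, ports, relative ECP fragments, GUID-style EXCH server names
    if host not in allowed:
        findings.append((ptype, name, host, "host outside namespace"))
    if scheme == "http":
        findings.append((ptype, name, host, "cleartext URL"))


def audit_autodiscover(xml_text, allowed_hosts):
    """Return a list of (protocol, element, value, reason) tuples; empty means clean."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    root = ET.fromstring(xml_text)
    # iter() also yields the Protocol elements nested under Internal/External.
    for proto in root.iter(f"{{{OUTLOOK_NS}}}Protocol"):
        ptype = (proto.findtext(f"{{{OUTLOOK_NS}}}Type") or "?").strip().upper()
        for child in proto:
            section = _local(child.tag)
            if section in ("Internal", "External"):
                for sub in child:
                    if _local(sub.tag) != "Protocol":
                        _inspect(f"{ptype}/{section}", sub, allowed, findings)
            else:
                _inspect(ptype, child, allowed, findings)
    return findings


if __name__ == "__main__":
    for finding in audit_autodiscover(SAMPLE_RESPONSE, ["webmail.xyz.com"]):
        print(finding)
```

Run against the response each new server returns before it joins the load-balanced pool, an empty result means no client can be handed a per-server name from that response.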

  • Exchange 2013 CAS-MBX recipient validation rejects entire message if any of recipients are invalid

    Hi,
    How can I enable recipient validation work in this design:
    2 Exchange 2013 servers with CAS and MAILBOX roles both, DAG and Hardware Load balancer for HTTP and SMTP traffic.
    From Exchange documentation:
    http://technet.microsoft.com/en-us/library/bb125187%28v=exchg.150%29.aspx
    Although the Recipient Filter agent is available on Mailbox servers, you shouldn't configure it. When recipient filtering on a Mailbox server detects one invalid or blocked recipient in a message that contains other valid recipients, the message is rejected.
    If you install the anti-spam agents on a Mailbox server, the Recipient Filter agent is enabled by default. However, it isn't configured to block any recipients. For more information, see
    Enable Anti-Spam Functionality on Mailbox Servers.
    If You have a setup like this:
    Install antispam agents:
    Identity Enabled Priority
    Transport Rule Agent True 1
    Malware Agent True 2
    Text Messaging Routing Agent True 3
    Text Messaging Delivery Agent True 4
    Content Filter Agent True 5
    Sender Id Agent True 6
    Sender Filter Agent True 7
    Recipient Filter Agent True 8
    Protocol Analysis Agent True 9
    Have Recipient validation enabled:
    Name                  Enabled RecipientValidationEnabled
    ----                  ------- --------------------------
    RecipientFilterConfig    True                      True
    Have AcceptedDomain AddressBook enabled:
    DomainName DomainType AddressBookEnabled
    contoso.com Authoritative True
    Then You have a situation, where a single invalid recipient on an incoming email message would reject the entire message! I guess this is because the recipient filtering happens on the mailbox server.
    So .. HOW? Is it possible without Edge servers? Have I missed something?
    I hope this feature isn't "missing by design", because it will be very difficult to explain to the client, that such an expensive product cannot do what any mail server can - reject unknown recipients before taking E-Mail data. There are a lot
    of issues with this feature missing (possible DDOS with max attachments, or spoofed sender e-mail address that is a spamtrap, so NDR from Exchange would get You to SBL, etc.).
    Sincerely,
    Vince

    Hello Vince,
    Thank you for your post.
    This is a quick note to let you know that we are performing research on this issue.
    Thanks,
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Simon Wu
    TechNet Community Support
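The question above turns on where in the SMTP session an unknown recipient is refused. The following is an added example, not Exchange code and not part of the original thread: a small model of three policies, showing for each what the sending host sees, how many body bytes the server takes in, and whether an NDR goes to the (possibly spoofed) envelope sender. The policy names, mailbox directory and reply texts are constructed, and placing the whole-message rejection after the message body is an assumption of the model.

```python
"""Model of where an SMTP server refuses unknown recipients (added illustration)."""
from dataclasses import dataclass, field
from typing import Optional

DIRECTORY = {"alice@contoso.com", "bob@contoso.com"}   # constructed mailboxes


@dataclass
class Outcome:
    transcript: list = field(default_factory=list)   # (client command, server reply)
    delivered: list = field(default_factory=list)    # recipients that get the message
    body_bytes_received: int = 0                     # data the server had to accept
    ndr_to: Optional[str] = None                     # where a later bounce is sent


def receive(policy, sender, recipients, body_size, directory=DIRECTORY):
    """Simulate one inbound message.

    policy "rcpt":    unknown recipients are refused individually at RCPT TO.
    policy "message": all RCPT TO commands are accepted, then the whole message
                      is refused if any recipient is unknown (the behaviour the
                      quoted documentation warns about; timing is assumed).
    policy "bounce":  no validation; the message is queued and an NDR follows.
    """
    if policy not in ("rcpt", "message", "bounce"):
        raise ValueError(f"unknown policy: {policy}")
    out = Outcome()
    out.transcript.append((f"MAIL FROM:<{sender}>", "250 2.1.0 Sender OK"))
    accepted = []
    for rcpt in recipients:
        if policy == "rcpt" and rcpt.lower() not in directory:
            out.transcript.append((f"RCPT TO:<{rcpt}>", "550 5.1.1 User unknown"))
            continue
        out.transcript.append((f"RCPT TO:<{rcpt}>", "250 2.1.5 Recipient OK"))
        accepted.append(rcpt)
    if not accepted:
        return out                      # sender never gets to transmit the body

    out.transcript.append(("DATA", "354 Start mail input"))
    out.body_bytes_received = body_size
    unknown = [r for r in accepted if r.lower() not in directory]
    if policy == "message" and unknown:
        # Valid recipients lose the message together with the invalid one.
        out.transcript.append((f"<{body_size} bytes> .", "550 5.1.1 User unknown"))
        return out

    out.transcript.append((f"<{body_size} bytes> .", "250 2.6.0 Queued"))
    out.delivered = [r for r in accepted if r.lower() in directory]
    if unknown:
        out.ndr_to = sender             # backscatter if the sender address is forged
    return out


if __name__ == "__main__":
    rcpts = ["alice@contoso.com", "ghost@contoso.com"]
    for policy in ("rcpt", "message", "bounce"):
        result = receive(policy, "spoofed@example.net", rcpts, 25_000_000)
        print(policy, result.delivered, result.body_bytes_received, result.ndr_to)
        for command, reply in result.transcript:
            print("   C:", command, "| S:", reply)
```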

  • Exchange 2013 - CAS Server Multi Namespace & Site Deployment

    Hello,
    I am currently designing the new Exchange 2013 environment that I am looking to deploy by the end of the month. And I have come up with two designs on what could be deployed. The first being an active/passive design with a single namespace across two sites.
    One site being the primary site and the other being the secondary DR site in a single DAG. Now this is a common design and similar setups are documented in detail online on many blogs and such.
    Where my trouble is with the second design I have come up with which is an active/active model using a multi namespace across the same two sites utilizing two DAGs. The idea here being the first
    site is the corporate head office which would only contain those users. While the second site would contain everyone else not based out of the head office. The goal being to cut out internal users from connecting all of the way into the primary site when they
    are external to it.
    Now the way in which the network is setup between the two sites. Accessing the internet from the primary site requires you to go through the secondary. So for the second design my idea would
    be for external Outlook, OWA and ActiveSync connections would connect into the secondary site for it to then proxy over to the primary. Now I am used to how Exchange 2010 did its proxying and if the ExternalUrl property was blank it knew to proxy to the other
    site. Is that still the case with Exchange 2013 or it does not care at all and I can just populate both the internal/external url properties for all of the CAS servers at the primary site?
    Now assuming I do populate both the internal/external url property in Exchange 2013 for the primary site. And for this example I am going to use mail01.domainname.com for the primary site and
    mail02.domainname.com for the second. To get Outlook, OWA and ActiveSync to connect for users of the primary site externally would it be as simple as having that external internet DNS entry for mail01.domainname.com point to the same IP as mail02.domainname.com
    would be? With mail02.domainname.com pointing to a externally accessible load balancer for the second site.
    Now applying the above logic and assuming as long as you hit a CAS server. And it will find your mailbox for you does that mean I can could also use the same namespace in both locations for
    say OWA and ActiveSync? So the idea being we want to keep using webmail.domainname.com for OWA access. So if I set that URL for both the primary and secondary site as long as I hit a CAS server in the secondary site. It will be able to connect over to the
    mailbox in the primary site for OWA?
    Nicholas

    Hello Angela,
    I need some clarification on your reply as it has left me a little more confused. Where you start by saying “all client requests will firstly access the internet-facing server”.
    Are you talking about when the client is connecting in externally or when the client is internal? As this would make it seem like in my second design, where only the secondary site would have internet-facing CAS, that clients in the primary site internally
    would connect over to the secondary site then be proxied back to the primary.
    Then for the separate namespace portion of your reply, I am assuming you mean the secondary site from my example, which will have the internet-facing CAS server? If that is
    the case, my public DNS entry would be mail02.domain.com only, but then how would the clients from the primary site who use mail01.domain.com, which is not on an internet-facing CAS server, then figure out they can connect in on mail02.domain.com externally from
    the internet?
    And when you talk about both sites using the same namespace, and using two public DNS entries pointing to the CAS servers in both datacenters, is that not just going to do
    DNS round robin, as described in this TechNet blog?
    http://blogs.technet.com/b/exchange/archive/2014/02/28/namespace-planning-in-exchange-2013.aspx
    Or is it because both datacenters will be hosting active mailboxes. Will the clients query each CAS server till it finds one in its site? I do also plan to deploy a load balancer with my CAS servers. So I would think that would cancel out using the two public
    DNS option.
    Nicholas

  • New Exchange 2013 CAS server in existing Exchange 2007 Organization

    Dear Friends,
    We have Exchange 2007 SP3 with CU13 installed with single copy cluster for database and 1 OWA server for CAS/HT. We will migrate from current to Exchange 2013 SP1. As we want to have HA, we have installed 2 new Exchange 2013 SP1 CAS servers on Windows 2012
    R2 after preparing our organisation for Exchange 2013. The setup went smoothly without any error and successfully installed CAS with management tools. After installation it asked to reboot the server, which we did. Now after reboot, we are not able to run Exchange
    Management Shell. It never connects to the new server. Our old 2007 EMS also doesn't list any Exchange 2013 server. We are also not able to connect to the new CAS servers with the below URL:
    https://servername/ecp/?ExchClientVer=15
    It says site under maintenance. Please advise what to check. We were thinking of deploying CAS first and making it co-exist with Exchange 2007 before deploying the Exchange 2013 mailbox server, which will be set up in a DAG. What are we doing wrong?
    Thanks in advance!!

    If you have only the 2013 CAS installed and not the mailbox role, then nothing will really work. Remember, in 2013, the mailbox role does all the work, the CAS is simply a proxy for the most part.
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.
