
Exchange Server 2016 failing to start after installation of Intercept X for Server

Hello,

A customer's Exchange 2016 Server (installed on Windows Server 2016) was previously running Sophos Endpoint Protection Standard.

Having set the Antivirus exclusions according to the list published by Microsoft, it was running fine.

After upgrading to Intercept X for Server, which automatically uninstalled the old product and added the necessary exclusions, a lot of Exchange Services fail to start after reboot.

I figured out the services cannot communicate with the locally installed Active Directory server (I know this is not best practice). The event viewer shows a lot of events like this:

Process w3wp.exe (FE_Eas) (PID=5520).
WCF request (Get Servers for xxx.local) to the Microsoft Exchange Active Directory Topology service on server (TopologyClientTcpEndpoint (localhost)) failed.
Make sure that the service is running. In addition, make sure that the network ports that are used by Microsoft Exchange Active Directory Topology service are not blocked by a firewall.
The WCF call was retried 3 time(s). Error Details 
 System.ServiceModel.EndpointNotFoundException ...

Anyway, the MSExchangeADTopology and NTDS services are running. It also seems like all the firewall exceptions for Exchange Server do still exist.

After disabling Windows Firewall, I am able to start the services and after that I can re-enable the firewall again.

To me, it looks like the Setup changed something in the Firewall configuration. More precisely, I saw deletions and additions of firewall rules in the logs after executing the setup.

It would be really great to find a solution for this, as the server cannot just be restarted with having to fix this issue every time.

Best regards,

Jelko



  • Hi Jelko, 

    Thank you for reaching out to the Sophos Community Forum. 

    If you have made changes to the "Windows Firewall" policy in Sophos Central, some changes may be applied to the local Windows Firewall settings when Sophos is installed; otherwise I would not expect this to occur. By default, the policy should be configured to "Monitor Only". I recommend checking this to ensure it has not changed your settings unexpectedly.

    A Message Relay or Update Cache could also affect the firewall rules that are applied; however, this should only add rules to allow communication over specific ports, not block communication.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hello Kushal,

    I think my earlier assumption was wrong. It was not Windows Firewall causing this issue (I did not even change the default policy).

    After some research, I figured out that especially the MSExchangeADTopology fails to start (and curiously does not attempt to start again) if the Domain Controller is unreachable (e.g. starting up after reboot).

    Setting the Exchange services to delayed start according to this and this article solved the problem for me.

    Seems like the problem was that Intercept X is making the server or at least the startup a bit slower, causing the DC services not to be started in time.

    Thank you for your help!

    Regards,

    Jelko
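
One way to apply the delayed-start change described in the last reply, as an added example that is not taken from the thread or from the articles it links to. It assumes the Exchange service names start with "MSExchange" (as MSExchangeADTopology does) and uses `sc.exe` because Windows PowerShell 5.1 on Server 2016 has no delayed-start option in `Set-Service`; run it with `-WhatIf` first to see what would change.

```powershell
# Added example: report Exchange services and switch the ones that start
# automatically at boot to "Automatic (Delayed Start)".
# Assumption: Exchange service names match 'MSExchange*'.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$NamePattern = 'MSExchange*'
)

function Get-DelayedFlag {
    param([string]$ServiceName)
    # DelayedAutostart = 1 in the service's registry key marks delayed start.
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $value = (Get-ItemProperty -Path $key -Name DelayedAutostart `
                  -ErrorAction SilentlyContinue).DelayedAutostart
    return ($value -eq 1)
}

$results = foreach ($svc in Get-Service -Name $NamePattern -ErrorAction SilentlyContinue) {
    $delayed = Get-DelayedFlag -ServiceName $svc.Name
    $action  = 'unchanged'

    # Manual and Disabled services keep their start type; only services that
    # start automatically and are not delayed yet are changed.
    if ($svc.StartType -eq 'Automatic' -and -not $delayed) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Set start type to delayed-auto')) {
            # sc.exe expects "start=" and its value as separate arguments.
            & sc.exe config $svc.Name start= delayed-auto | Out-Null
            if ($LASTEXITCODE -eq 0) {
                $action = 'set to delayed-auto'
            } else {
                $action = "sc.exe failed (exit code $LASTEXITCODE)"
            }
        } else {
            $action = 'would set to delayed-auto'
        }
    }

    [pscustomobject]@{
        Name       = $svc.Name
        Status     = $svc.Status
        StartType  = $svc.StartType
        WasDelayed = $delayed
        Action     = $action
    }
}

# One row per service, so the result can be reviewed or kept as a change record.
$results | Sort-Object Name | Format-Table -AutoSize
```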