This discussion has been locked.

Exchange Hybrid Configuration - Can't pass Free/Busy data from On Prem to Cloud - Possibly a pass-through authentication issue?

Long story short, we have hosted our own Exchange 2013 server for years without any real issues (slight issue upgrading to v18 that is now fixed). We host Outlook Anywhere, Outlook Web Access, Outlook Mobile Access, and Autodiscover. Everything works fine in and out of the office. We have started moving to Exchange Online / Office 365. I ran Microsoft's Hybrid Configuration Wizard, got no errors. Migrated three users from on prem to cloud with no errors other than having to set up ActiveSync again on the phones. However, we found out that the three users now migrated could no longer see Free/Busy data from users that are on prem. On prem to on prem users, on prem to cloud users, and cloud to cloud users are not affected. It's only cloud users to on prem.

Ran through all the troubleshooter steps (https://docs.microsoft.com/en-us/exchange/troubleshoot/calendaring/troubleshoot-freebusy-issues-in-exchange-hybrid#does-freebusy-work-on-premises) and everything seems OK. Ran through the Microsoft Remote Connectivity Analyzer for Free/Busy data (https://www.testconnectivity.microsoft.com/tests/FreeBusy/input) with a source user in the cloud and a destination user on prem and get the following:

Verifying connectivity to the specified endpoint. Unable to verify pass-through connectivity to the specified endpoint.
Additional Details: Unable to verify pass-through connectivity to the specified endpoint: email.OurDomain.com/.../wssecurity. Verify your firewall allows pass-through authentication.

If I test the other way (on prem user against cloud user) the test passes successfully. I have a Microsoft case open but they are having issues finding anything wrong. Is it possible the XG is blocking pass-through authentication? I am using a pretty standard setup for publishing everything, pretty much the Sophos guide (https://support.sophos.com/support/s/article/KB-000038003?language=en_US) except I have an extra rule separating out ActiveSync (comes in on a different IP). But otherwise I followed that guide. Pass-through authentication has to be working, I would think, for Outlook Anywhere to be working.

The endpoint being polled for the Free/Busy data is /ews/exchange.asmx/wssecurity and there is already an exception for /ews/* in the default setup, so I would think that should be fine. Here is the reason I'm wondering if it's a firewall issue. In the local Exchange IIS logs I get this when the Microsoft Remote Connectivity Analyzer is run:

2020-09-17 13:16:05 (MailServerIP) POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=ZIIYUZTKKEP9QTHTRRW&cafeReqId=dceb4a9c-eea8-48f6-bdd0-161cc91ebf5d; 443 - (XG_IP) Microsoft+Office/15.0+(Windows+NT+6.2;+Microsoft+Outlook+15.0.4615;+Pro;+MS+Connectivity+Analyzer) - 401 0 0 46
2020-09-17 13:16:05 (MailServerIP) POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=NUABNWUEAKXZEJPVQ&cafeReqId=602fc2f9-2ca6-421c-bdb8-b7d4e2526fd7; 443 - (XG_IP) Microsoft+Office/15.0+(Windows+NT+6.2;+Microsoft+Outlook+15.0.4615;+Pro;+MS+Connectivity+Analyzer) - 401 0 0 46
2020-09-17 13:16:05 (MailServerIP) POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=ZVAGMSSY0HYMJQKSH0Q&cafeReqId=7c5bc73c-c3f1-4ed5-aa16-1bde218a5587; 443 - (XG_IP) Microsoft+Office/15.0+(Windows+NT+6.2;+Microsoft+Outlook+15.0.4615;+Pro;+MS+Connectivity+Analyzer) - 401 0 0 46
2020-09-17 13:16:05 (MailServerIP) POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=RELPKBDCUSCPIDRYWA&cafeReqId=9515ec39-206a-4191-94fb-9d542e16227c; 443 (Domain)\(UserID) (XG_IP) Microsoft+Office/15.0+(Windows+NT+6.2;+Microsoft+Outlook+15.0.4615;+Pro;+MS+Connectivity+Analyzer) - 200 0 0 31
2020-09-17 13:16:05 (MailServerIP) POST /ews/exchange.asmx &CorrelationID=<empty>;&ClientId=QQFYTHJ9UUUYN0CRAXA&cafeReqId=cf30b4ae-1e3f-4b07-b339-6aabfc4a2ddc; 443 - (XG_IP) ExchangeServicesClient/15.01.0817.000 - 401 0 0 46
2020-09-17 13:16:05 (MailServerIP) HEAD /ews/exchange.asmx/wssecurity &CorrelationID=<empty>;&ClientId=D9BSHWKMQXNZMP0KAAG&cafeReqId=d7322266-8154-4aad-97c7-260b3f1ed221; 443 - (XG_IP) ExchangeServicesClient/15.0 - 401 0 0 46

That is it trying to pull the Free/Busy data and getting a 401 Unauthorized, which leads me to believe that the XG really isn't doing pass-through authentication, but I could be wrong.

Just looking for some opinions or things I can try changing for testing. Or seeing if anyone else has this working correctly.
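
A way to triage IIS log lines like the ones quoted above, added here as an example and not part of the original post: it groups requests by method and path and reports the paths that were challenged with a 401 but never followed by an authenticated success, which is the pattern the Autodiscover lines break and the two EWS lines show. The sample log is constructed from the post's lines with the query strings shortened and documentation IP addresses substituted; the function names are hypothetical.

```python
from collections import defaultdict

# IIS W3C field order as seen in the log lines quoted in the post.
FIELDS = ("date time s_ip method uri_stem uri_query s_port username c_ip "
          "user_agent referer status substatus win32_status time_taken").split()

# Constructed sample: the post's lines with the query string shortened
# and placeholder addresses (192.0.2.x are documentation IPs).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method ...
2020-09-17 13:16:05 192.0.2.10 POST /Autodiscover/Autodiscover.xml - 443 - 192.0.2.1 MS+Connectivity+Analyzer - 401 0 0 46
2020-09-17 13:16:05 192.0.2.10 POST /Autodiscover/Autodiscover.xml - 443 DOMAIN\\user 192.0.2.1 MS+Connectivity+Analyzer - 200 0 0 31
2020-09-17 13:16:05 192.0.2.10 POST /ews/exchange.asmx - 443 - 192.0.2.1 ExchangeServicesClient/15.01.0817.000 - 401 0 0 46
2020-09-17 13:16:05 192.0.2.10 HEAD /ews/exchange.asmx/wssecurity - 443 - 192.0.2.1 ExchangeServicesClient/15.0 - 401 0 0 46
"""

def parse(text):
    """Yield one dict per request line, skipping '#' directives and malformed rows."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def auth_summary(text):
    """Per (method, path): count of 401s and whether any 2xx carried a username."""
    summary = defaultdict(lambda: {"401": 0, "authenticated": False})
    for row in parse(text):
        key = (row["method"], row["uri_stem"].lower())
        if row["status"] == "401":
            summary[key]["401"] += 1
        elif row["status"].startswith("2") and row["username"] != "-":
            summary[key]["authenticated"] = True
    return dict(summary)

def never_authenticated(text):
    """Paths that were challenged (401) but never produced an authenticated success."""
    return sorted(k for k, v in auth_summary(text).items()
                  if v["401"] and not v["authenticated"])

if __name__ == "__main__":
    for method, path in never_authenticated(SAMPLE_LOG):
        print(f"{method} {path}: 401 only, no authenticated follow-up")
```

Running the same functions over the full log for the test window shows whether any request to the /ews paths ever reached Exchange with credentials attached.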



  • I've gone through all that and all other services in Exchange work and have been working for years now, including Outlook Anywhere, Outlook Web Access, Mobile Sync, etc. Everything works except Free/Busy data from a cloud user to an on prem user.

    I have an open ticket with Microsoft but they think it's the firewall. Everything is configured correctly in both my on prem Exchange and O365.