Troubleshoot Exchange Hybrid Mail Flow via Office 365 Connector Validation Tool Results

Microsoft has made great strides to help the community troubleshoot mail flow issues in Office 365 without having to open a support ticket. The connectors created in Office 365 after successfully running the Hybrid Configuration Wizard (HCW) are clearly more identifiable than in the prior revisions. The ability to validate the “Hybrid Mail Flow Outbound Connector” has been a godsend (for me at least). In the past week, I have come across two issues when validating the connector.

In both cases, the information provided is the log detail from the validation tests.


Issue #1

Task: Connect to ‘<OWA URL>’ from Office 365

Details: Connection Failed

Log: 450 4.4.101 Proxy session setup failed on Frontend with ‘441 4.4.1 Error encountered while communicating with primary target IP address: “Failed to connect. Winsock error code: 10061, Win32 error code: 10061.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was x.x.x.x’

 

Resolution #1

Update the firewall with the proper IP address list to allow Exchange Online Protection (EOP) to communicate with your on-premises Exchange environment, using this list: Exchange Online Protection IP Addresses.

 


Issue #2

Task: SMTP TLS

Details: TLS authentication failed

Log: 450 4.4.101 Proxy session setup failed on Frontend with ‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 STARTTLS is required to send mail.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was x.x.x.x:1701’

 

Resolution #2

At first, I thought there was an issue with the receive connectors. Come to find out, it was the configuration on a Cisco ASA firewall that was stripping the TLS communication during the validation process. Once the customer updated their firewall (per the following article), validation testing worked without further issue … ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example (refer to “ESMTP TLS Configuration” section).
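The following added example, not part of the original post or of Microsoft's tooling, triages the two validation logs above and classifies an EHLO reply captured on the path the validator uses. The EHLO samples, the host name `mail.example.test` and the filler-character masking pattern are constructed assumptions.

```python
import re

STATUS = re.compile(r"\b([245]\d\d \d\.\d{1,3}\.\d{1,3})\b")
ENDPOINT = re.compile(r"last endpoint attempted was ([^\s'’]+)")

def triage(log):
    """Pull status codes and endpoint from a validation log and name the likely cause."""
    endpoint = ENDPOINT.search(log)
    if "Winsock error code: 10061" in log:      # 10061 = WSAECONNREFUSED
        cause = "connection refused: check firewall allow list for EOP addresses"
    elif "STARTTLS is required" in log:
        cause = "TLS not negotiated: check for STARTTLS stripping in the path"
    else:
        cause = "unclassified"
    return {"codes": STATUS.findall(log),
            "endpoint": endpoint.group(1) if endpoint else None,
            "cause": cause}

def starttls_state(ehlo_reply):
    """Classify a raw EHLO reply as 'offered', 'masked' or 'absent' for STARTTLS."""
    keywords = []
    for line in ehlo_reply.splitlines()[1:]:    # line 1 is the server greeting
        m = re.match(r"250[- ](\S+)", line.strip())
        if m:
            keywords.append(m.group(1).upper())
    if "STARTTLS" in keywords:
        return "offered"
    # Assumption: an inspecting device overwrites the keyword with filler characters.
    if any(re.fullmatch(r"X{4,}[A-Z]?", k) for k in keywords):
        return "masked"
    return "absent"

# Constructed samples: logs abridged from the two issues above, EHLO replies invented.
LOG_1 = ("450 4.4.101 Proxy session setup failed on Frontend with '441 4.4.1 Error "
         "encountered while communicating with primary target IP address: \"Failed to "
         "connect. Winsock error code: 10061, Win32 error code: 10061.\" "
         "The last endpoint attempted was x.x.x.x'")
LOG_2 = ("450 4.4.101 Proxy session setup failed on Frontend with '451 4.4.0 Primary "
         "target IP address responded with: \"451 5.7.3 STARTTLS is required to send "
         "mail.\" The last endpoint attempted was x.x.x.x:1701'")
EHLO_DIRECT = "250-mail.example.test Hello\n250-SIZE 37748736\n250-STARTTLS\n250 8BITMIME"
EHLO_VIA_FW = "250-mail.example.test Hello\n250-SIZE 37748736\n250-XXXXXXXA\n250 8BITMIME"

if __name__ == "__main__":
    for log in (LOG_1, LOG_2):
        print(triage(log))
    print(starttls_state(EHLO_DIRECT), starttls_state(EHLO_VIA_FW))
```

Comparing the EHLO reply seen from inside the network with the one seen from outside the firewall shows whether the receive connector or a device in the path is responsible.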

 


 
