Honestly, I think you are overthinking this :)
I would use the recommended approach that I posted above in the future and you wont have issues like this:
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello,
I have an Exchange 2016 CU19 environment, on premise only, in one domain, one site.
I wanted to deploy an additional exchange in the same site, for testing purpose, to not disturb the users, and test the kerberos auth in wthe production.
Before deploying, this server, we blocked port 80 and 443 and the firewall level, and I added a IPsec policy on the test server (EXCH-test), blocking ports TCP 443, 25 and 2525 from any incoming IP/port.
Around 5-10 min after installing the exchange setup, we changed the Exch-test SCP to a URL, pointing to the other Exchange servers (EXCH-serv).
That, apparently was enough to cause Outlook disconnection, for around 10% of all users, which is a lot. I removed the Exch-test, and yet, the problem last for another hour. Outlook was still trying to connect to Exch-test.
No problem of DC replication, no GPO regarding autodiscover behavior.
I understand that before changing the EXCH-test SCP, some Outlook clients tried to retrieve the autodiscover xml from EXCH-test. what I don't get is, from my understanding:
I think recycling the autodiscover app pool on all Exch servers would have solved the problem, but I don't get why Outlook clients tried to connect to Exch-test (and failed as it was blocked).
Thank you.
Chris
Honestly, I think you are overthinking this :)
I would use the recommended approach that I posted above in the future and you wont have issues like this:
Thank you @Andy David - MVP , this is a good document!
This was also a scenario I thought of first, but I was conviced by blocking my ports with IPsec would have isolated ly Exch-test server, which clearly did not....by why...is a mystery.
Do we agree at least on the fact that closing ports TCP 443 and TCP 80, in theory, was enough to avoid Outlook clients connections or autodiscover to Exch-test?
Thank you.
Chris
I found an interesting link:
https://learn.microsoft.com/en-us/exchange/client-developer/web-service-reference/type-pox
"WEB
E-mail is accessed from a Web browser by using the URL that is specified in the Server (POX) element.
This is only applicable when the AccountType (POX) element is set to email."
I understand it's the URLs for Outlook on the Web, so it has no impact on Outlook clients.
Now what I think, Outlook clients got an autodiscover respond from Exch-serv, with this WEB protocol config like above...ok...but the EXPR, EXHTTP protocol are correctly configured.
Thus, why they tried to connect to Exch-test (checked on "connection status")...It really bothers me...
Thank you again for all your responses.
Chris
Now, maybe:
if so, how can I block that, knowing that ports 443, 25 and 2525 were blocked from Exch-serv to Exch-test.
-<Protocol>
<Type>WEB</Type>
-<Internal>
<OWAUrl AuthenticationMethod="AuthMethod">https://exch-test.domain.com/owa/</OWAUrl>
<OWAUrl AuthenticationMethod="AuthMethod">https://owa.domain.com/owa/</OWAUrl>
-<Protocol>
Hi ZhengqiLou-MSFT,
We changed the SCP for Exch-test to point to the Exch-serv, but we had 5-10min between the end of Exch-test installation and the DC replication.
We blocked port 443, first to avoid the Outlook popup to all users, which worked, and I assumed, Outlook after failing getting autodiscover response from Exch-test, would try the next SCP url.
I'm not sure if Outlook was able to get an autodiscover response from Exch-test, as in the xml response, under 'WEB' provider, internalOWA is Exch-test server fqdn, thus my questions: