Modern Hybrid agent & Azure app proxy

sanka perera 121 Reputation points
2023-05-29T10:26:30.7066667+00:00

Hi All,

I have successfully installed the Modern Hybrid agent. However, I am getting the below error.

Failed to download manifest file from CDN because of exception 'The underlying connection was closed, the potential fix could be to disable TLS1.0/1.1 and enable TLS1.2 from the Registry Key of HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL. Detailed exception details as follows : System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 13.1xx.2xx.3x:443
   at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)
   at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Exchange.Data.ApplicationLogic.Extension.GetManifestXsdFiles.<InternalDownloadAndSaveFilesAsync>d__8.MoveNext()'.
========================================================================

TLS 1.2 keys are enabled and both TLS 1.0 & 1.2 are disabled. 

I would like to know whether I have to do manual setup/configuration on Azure App Proxy, or is it part of the HCW?

https://learn.microsoft.com/en-us/exchange/hybrid-deployment/hybrid-agent
The above URL lists Azure App Proxy as a pre-req.

I did check the Azure App Proxy but nothing is configured. Do I have to follow the below article?
https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-premises-application

The Hybrid agent doesn't require any Exchange URLs to be published on the internet.

2 answers

  1. Aholic Liang-MSFT 13,741 Reputation points Microsoft Vendor
    2023-05-30T07:14:32.7033333+00:00

    Hi @sanka perera,

    Just wanted to confirm if you are installing the Hybrid Agent directly with reference to this document and not automatically via HCW?

    Based on the system requirements in this article, I recommend that you configure this Azure Application Proxy to see if the issue persists.


    In addition, for troubleshooting, I would like to confirm the following:

    1. How many exchange servers exist in the current environment? What version of Exchange?
    2. Are any firewalls or gateways configured to block connections to ports or hostnames? You can refer to this document to troubleshoot: No connection could be made because the target machine actively refused it (net-informations.com) (Note: Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.)


    And according to the prompts in the error, it is recommended that you check the key values in the following locations in the registry again:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    dword:00000001

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. sanka perera 121 Reputation points
    2023-05-30T08:51:37.3733333+00:00

    Hi @Aholic Liang-MSFT

    The Hybrid agent was installed as part of the HCW. As per the Hybrid agent article, it's built on Azure App Proxy technology. Hence, it doesn't require manual setup on App Proxy.

    Yes, TLS 1.2 is enforced on both client and server keys.

    The 13.1xx.2xx.3x:443 IP belongs to Microsoft, which resolves to the hostname below. I did verify the proxy logs; there are no URL blocks.

    The Hybrid server is behind a proxy. Exchange 2016, 2 servers per site, with Edge servers. Hybrid has been configured on the newly built Exchange 2016 with MRS.

    I did verify the HCW logs and could see the connection URI and TargetsharingEPR values populated.

    As per the error, the target server (which is the MS server below) refuses the connection.

    firstpartyapps.azureedge.net.
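The thread above has three separate checks spread across the question, the first answer and the reply: the SCHANNEL protocol keys the error message points at, whether the hybrid server reaches the CDN directly or through its proxy, and whether a TLS 1.2 handshake to the CDN actually succeeds. The script below is an added, read-only diagnostic written for this thread; it is not code from the thread, from the Hybrid Agent or from Microsoft. It assumes the CDN host is the one named in the reply (firstpartyapps.azureedge.net). It also goes one step beyond the thread by reading the .NET Framework switches SchUseStrongCrypto and SystemDefaultTlsVersions, because the stack trace shows a .NET Framework HttpClient, and those values decide whether such a process offers TLS 1.2 even when the SCHANNEL keys are correct. Nothing here changes any setting; it only reports.

```powershell
# Added diagnostic for the Hybrid Agent CDN error in this thread (not from the
# thread or Microsoft). Read-only: reports TLS registry state and CDN reachability.
$CdnHost  = 'firstpartyapps.azureedge.net'   # host named in the reply above; assumption
$CdnUri   = "https://$CdnHost/"
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol/side. A missing value means "OS default", which differs
    # between Windows versions, so it is reported as such rather than assumed.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $Schannel "$proto\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                KeyExists         = [bool]$props
                Enabled           = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { '(default)' }
                DisabledByDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(default)' }
            }
        }
    }
}

function Get-DotNetTlsDefaults {
    # Standard .NET Framework 4.x switches (64-bit and WOW64 views). Both =1 makes
    # a .NET process follow the OS SCHANNEL policy and use strong crypto by default.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = if ($props -and $null -ne $props.SchUseStrongCrypto) { $props.SchUseStrongCrypto } else { '(default)' }
            SystemDefaultTlsVersions = if ($props -and $null -ne $props.SystemDefaultTlsVersions) { $props.SystemDefaultTlsVersions } else { '(default)' }
        }
    }
}

function Test-CdnPath {
    # "Actively refused" is a TCP-level reset, not a TLS failure, so first work out
    # which hop this host would talk to for the CDN URL: the CDN itself or a proxy.
    $proxy    = [System.Net.WebRequest]::GetSystemWebProxy()
    $proxyUri = $proxy.GetProxy([uri]$CdnUri)      # returns the CDN URI itself when no proxy applies
    $viaProxy = $proxyUri.Host -ne ([uri]$CdnUri).Host
    $target   = if ($viaProxy) { $proxyUri.Host } else { $CdnHost }
    $port     = if ($viaProxy) { $proxyUri.Port } else { 443 }

    $tcp = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        ResolvedTarget = $target
        Port           = $port
        ViaProxy       = $viaProxy
        RemoteAddress  = $tcp.RemoteAddress
        TcpSucceeded   = $tcp.TcpTestSucceeded
    }
}

function Test-CdnTls12 {
    # Force TLS 1.2 for this session only and fetch the CDN root through the system
    # proxy, as the agent's HttpClient would. Any HTTP status (even 404) proves the
    # TCP and TLS layers work; a WebException with no Response shows which layer failed.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
    try {
        $req = [System.Net.WebRequest]::Create($CdnUri)
        $req.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
        $req.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
        $req.Timeout = 15000
        $resp = $req.GetResponse()
        $result = "OK: HTTP $([int]$resp.StatusCode) from $CdnHost (TLS 1.2 handshake succeeded)"
        $resp.Close()
        $result
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            "OK: HTTP $([int]$_.Exception.Response.StatusCode) from $CdnHost (TLS 1.2 handshake succeeded)"
        } else {
            "FAILED below HTTP: $($_.Exception.Status) - $($_.Exception.Message)"
        }
    }
}

'== SCHANNEL protocol keys (expect TLS 1.2 Enabled=1, DisabledByDefault=0) =='
Get-SchannelProtocolState | Format-Table -AutoSize
'== .NET Framework TLS defaults (expect SchUseStrongCrypto=1, SystemDefaultTlsVersions=1) =='
Get-DotNetTlsDefaults | Format-List
'== Network path to CDN =='
Test-CdnPath | Format-List
'== TLS 1.2 handshake through the system proxy =='
Test-CdnTls12
```

Run it on the hybrid server in the account that will be compared against the agent; reading HKLM needs no elevation. Two things to read off the output. First, the address in a SocketException is the endpoint the socket tried to open, so when a server must use a proxy but the error names the CDN's own public IP rather than the proxy, the process did not pick up the proxy; services do not necessarily inherit an interactive user's proxy settings, so the agent's service context has to be checked separately from the logged-on session. Second, keeping TLS 1.0 and 1.1 disabled is the right posture; the .NET switches are what let a .NET Framework process honour that policy instead of negotiating only the older versions it knows about, which is the failure mode the error message's hint is pointing at.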