This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 95%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
We have Exchange 2019 servers hosting mailboxes and want to move to Exchange Hybrid. There is currently no external access to our Exchange servers for OWA.
I have built an Exchange 2019 edge server for mail flow to and from EOP. I have configured the subscription although mail is not yet configured to flow through the edge server (only once Hybrid is configured hopefully).
I have run the HCW on one of the existing Exchange servers.
After clicking on Update to start the HCW Configure I receive a warning when it is trying to configure the MRS Proxy settings.
The full error is below:
2022.07.18 14:48:55.264 WARNING 10026 [Client=UX, Page=Configuring, fn=RunWorkflow, Thread=15]
HCW8078 Migration Endpoint could not be created.
Microsoft.Exchange.Migration.MigrationServerConnectionFailedException
The connection to the server 'mail.domain.com' could not be completed.
Microsoft.Exchange.MailboxReplicationService.MRSRemoteTransientException
The call to 'https://mail.domain.com/EWS/mrsproxy.svc' timed out. Error details: The request channel timed out attempting to send after 00:00:07.9622867. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. --> The HTTP request to 'https://mail.domain.com/EWS/mrsproxy.svc' has exceeded the allotted timeout of 00:00:07.9620000. The time allotted to this operation may have been a portion of a longer timeout. --> The operation has timed out
Microsoft.Exchange.MailboxReplicationService.MRSRemotePermanentException
The request channel timed out attempting to send after 00:00:07.9622867. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.
Microsoft.Exchange.MailboxReplicationService.MRSRemotePermanentException
The HTTP request to 'https://mail.domain.com/EWS/mrsproxy.svc' has exceeded the allotted timeout of 00:00:07.9620000. The time allotted to this operation may have been a portion of a longer timeout.
Microsoft.Exchange.MailboxReplicationService.MRSRemotePermanentException
The operation has timed out
From the Exchange server I am running the HCW on I can manually navigate to https://mail.domain.com/EWS/mrsproxy.svc which resolves to the Internal IP and I am prompted for a username and password.
I created a specific user to use in the HCW for the on-premises account for migration, but also tried entering my admin credentials
I created a new third party certificate which is installed on each Exchange server (and applied to IIS, SMTP, POP and IMAP) and edge server and includes the SAN of mail.domain.com
The EWS Virtual directory on the Exchange servers is configured with:
Internal URL - https://mail.domain.com/EWS/Exchange.asmx
External URL - https://mail.domain.com/EWS/Exchange.asmx
Authentication - Integrated Windows Authentication
Any help would be appreciated.
I am writing here to confirm with you any update about this thread now.
If the suggestion below helps, please feel free to accept it as an answer to help more people.
There is currently no external access to our Exchange servers for OWA.
How do you configure this for your Exchange server?
From the Exchange server I am running the HCW on I can manually navigate to https://mail.domain.com/EWS/mrsproxy.svc which resolves to the Internal IP and I am prompted for a username and password.
Could you provide more detailed information such as screenshots about this one?
Mark sure your Exchange server has published to Internet with those ports: Hybrid deployment protocols, ports, and endpoints
You also need to make sure those Exchange online port could access from your Exchange server: Exchange Online
Then try to disable and enable MRSProxyEnabled for EWS:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -MRSProxyEnabled $false
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -MRSProxyEnabled $true
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @KyleXu-MSFT ,
Thank you.
I have been doing more testing and I think I know the problem, but not how to fix it.
I have attached the following text as a png file on my findings as I had too much text to enter into this comment.
Any further help would be appreciated.
For running HCW, you don't need to prepare a dedicated computer. You could run it on any domain-joined computer, then choose one of your Exchange server as hybrid server.
In my lab, I login interfacing server and choose current Exchange server as hybrid, there doesn't exist any issue with it.
So, I guess this issue may related to load balance, I would suggest you try to bypass it and point DNS record to one of your Exchange server, check whether this issue gone.
About the question(separate HCW server) you guessed, you could try to run HCW from DC server.
Hi @KyleXu-MSFT ,
Sorry for the very very late reply to this thread.
I had raised a call with Microsoft about the issue and they said they had not heard of the issue where running a command on one Exchange server where mail.domcin.com points to the same server causes a problem. NB I had also tested by amending host records on the Exchange server bypassing the load balancer and got the same issue. They said they would let me know if they find anything out but I haven't heard anything back.
I originally started looking at the individual command due to the warning message at the end of running the HCW: The connection to the server 'mail.domain.com' could not be completed.
Microsoft.Exchange.MailboxReplicationService.MRSRemoteTransientException.
It turns out that although we had configured our firewall to allow Exchange Endpoints and Other Office 365 IP addresses it wasn't working correctly and this turned out to be the main issue. Once this was sorted I ran the HCW again and this time there was no warning at the end. In fact at this point I then realised that the command that was being run was probably being run from Office 365 and connecting back to the Exchange on-premises so me running the individual command was actually sending me down the wrong rabbit hole.
As ever though thank you to everyone who responded and gave me ideas to try.
I Have been doing as bit more research into this and manually ran the command that the HCW is running for the MRS Proxy:
Test-MigrationServerAvailability -ExchangeRemoteMove:$true -RemoteServer "mail.domain.com" -Credentials $credentials
The result is as follows:
RunspaceId : be68af2e-72f5-458a-b7e1-5d7b44b21b99
Result : Failed
Message : The connection to the server 'mail.domain.com' could not be completed.
ConnectionSettings :
SupportsCutover : False
ErrorDetail : Microsoft.Exchange.Migration.MigrationServerConnectionFailedException: The connection to the
server 'mail.domain.com' could not be completed. --->
Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The Mailbox Replication
Service was unable to connect to the remote server using the credentials provided. Please check
the credentials and try again. The call to 'https://mail.domain.com/EWS/mrsproxy.svc'
failed. Error details: The HTTP request is unauthorized with client authentication scheme
'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The
remote server returned an error: (401) Unauthorized.. --> The HTTP request is unauthorized with
client authentication scheme 'Negotiate'. The authentication header received from the server was
'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized. --->
Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The call to
'https://mail.domain.com/EWS/mrsproxy.svc' failed. Error details: The HTTP request is
unauthorized with client authentication scheme 'Negotiate'. The authentication header received
from the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401)
Unauthorized.. ---> Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The
HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication
header received from the server was 'Negotiate,NTLM'. --->
Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The remote server returned
an error: (401) Unauthorized.
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at Microsoft.Exchange.MailboxReplicationService.MailboxReplicationServiceFault.<>c__DisplayClas
s97_0.<ReconstructAndThrow>b__0()
at Microsoft.Exchange.MailboxReplicationService.ExecutionContext.Execute(Action operation)
at Microsoft.Exchange.MailboxReplicationService.MailboxReplicationServiceFault.ReconstructAndTh
row(String serverName, VersionInformation serverVersion)
at Microsoft.Exchange.MailboxReplicationService.WcfClientWithFaultHandling2.<>c__DisplayClass7 _0.<CallService>b__0() at Microsoft.Exchange.Net.WcfClientBase1.CallService(Action serviceCall, String context)
at
Microsoft.Exchange.MailboxReplicationService.WcfClientWithFaultHandling`2.CallService(Action
serviceCall, String context)
at Microsoft.Exchange.Migration.MigrationExchangeProxyRpcClient.CanConnectToMrsProxy(Fqdn
serverName, Guid mbxGuid, NetworkCredential credentials, LocalizedException& error)
--- End of inner exception stack trace ---
at Microsoft.Exchange.Migration.DataAccessLayer.ExchangeRemoteMoveEndpoint.VerifyConnectivity()
at Microsoft.Exchange.Management.Migration.MigrationService.Endpoint.TestMigrationServerAvailab
ility.InternalProcessEndpoint(Boolean fromAutoDiscover)
IsValid : True
Identity :
ObjectState : New
I have run the following command:
Get-WebServicesVirtualDirectory | fl authentication, url
CertificateAuthentication :
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
InternalNLBBypassUrl :
InternalUrl : https://mail.domain.com/ews/exchange.asmx
ExternalUrl : https://mail.domain.com/ews/exchange.asmx
In IIS, EWS authentication is set to Anonymous and Windows Authentication Enabled.
The providers for Windows Authentication are Negotiate at the top and NTLM underneath.
Is it something to do the the AuthenticationMethods I have configured?
Did you try to enable TLS 1.2? Then you can use the MS Hybrid wizard tool to connect endpoints and perform a test migration.
Check this detailed blog for help - https://www.alitajran.com/hcw8078-migration-endpoint-could-not-be-created/
Hi @Amit Singh ,
Thank you for your comment.
TLS 1.2 is enabled on all of our Exchange servers.