Solved

Exchange 2013 behind TMG 2012 - The remote server has been paused

Posted on 2013-01-23
7
3,597 Views
Last Modified: 2013-01-29
I'm desperately trying to get my Exchange online after migration without success. Exchange 2013 resides in LAN behind TMG, and it is published in TMG. From the LAN I can access https://url/owa, but when I try to access it from WAN or from the TMG itself, I'm getting "500 Internal Server Error. The remote server has been paused or is in process of being started. (70)"

It is important to say that this exact setup have worked for months before the migration. My whole infrastructure is virtual, so Exchange and TMG are VMs also. I've just converted all the VMs from vSphere to Hyper-V, and connected them in the same way. So the setup on both servers is the same as it was before the migration. The only things that are changed are:
Virtual NICs - I've removed the old ones and added the new ones after the migration (conversion), but setup is the same (at least IPs, gateways, DNS)
Public IPs on TMG, but I've changed TMG accordingly.

Where to start to search for the solution?

Thanks!

Fat Dragon
0
Comment
Question by:fd4u
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 38813123
Check basics:
1. check the selected IP on TMG publishing rule. is it the correct one ?
2. right click on the publishing rule and test rule... any errors ?
3. In TMG NICs, the only DNS servers should be filed are the internal ones.... no external DNS ip should be used on TMG.
0
 

Author Comment

by:fd4u
ID: 38813151
Thanks Sulimanw

1 - Checked. It is correct one, and public DNSes (autodiscovery, mail/owa, MX) are set to this one.
2 - Testing publishing rules "Publishing for Outolook" (url/autodiscover, url/ews, url/oab, url/rpc) and "Publishing Exchange ActiveSync" (url/Microsoft-Server-ActiveSync) , are passed with all green. "Publishing Outlook Web Access" partly passes (url/ecp and url/owa are green, but url/Exchange and url/public are red with 404 not found). But it was the exact behavior as it was before the migration, when everything worked fine. I'm not sure but I think that Exchange 2013 doesn't have /excahnge...
3. - Checked and correct - DNSes are set just on internal (LAN) nic.

Thanks for trying to help!
0
 

Author Comment

by:fd4u
ID: 38813162
One more thing: I'm able to send / receive mails. For example when I open https://url/owa from the LAN I can send a mail to external world. And when I send a mail from external world - it is delivered, and I can see it in owa in LAN.

But I can't:
Open https://url/owa outside the LAN
Connect Outlook outside the LAN

Thanks
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Accepted Solution

by:
fd4u earned 0 total points
ID: 38815188
Sorry for delay. I've searched for the solution meanwhile.

I've read these posts already, but they aren't helpful in my case.

Meanwhile I've discovered very strange thing while analyzing traffic between TMG and Exchange - regular occurrences of denied "BranchCache-Advertise" 443 connection attempts (TMG to Exchange). In desperation I've created firewall rule which allows HTTPS traffic from "Local Host" (TMG) to Exchange, and after that I've succeeded to get https://url/owa from TMG! And now the most incredible thing: I've also got https://url/owa from outside!!! Unbelievable!!!

Just to check again, I've disabled newly created rule, and I've lost access again (from TMG and from external machine)!

To conclude: the solution is to allow HTTPS traffic from "Local Host" to published server, or to enable system policy rule 19 (Allow HTTP/HTTPS from TMG...), and allow "Local Host" to any network this way...

Thanks for trying to help.
0
 
LVL 16

Expert Comment

by:Bruno PACI
ID: 38819148
Hi,

In my opinion this is not a solution.
All right it works, but that is not the correct solution.

It should have worked with a "classical" TMG publishing rule. So something in your configuration is wrong and make the normal configuration to fail.
What you have done is just masking the problem with a "patch" and your don't even know why it works now !

I don't have a real solution for you at this time but in my opinion your should still be searching for the real cause.

Have a good day.
0
 

Author Closing Comment

by:fd4u
ID: 38830316
It resolved the issue.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
how to add IIS SMTP to handle application/Scanner relays into office 365.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question