asked on Watchguard firewall causing migrationwiz migration to office 365 from SBS 2011 standard to fail?z
I am doing my first sbs 2011 Standard to office 365 hosted exchange migration.
I am using migration wiz and 4 of 5 mailboxes failed. one talked of actively refiusing the connection.
It reminded me - there's a watchguard firewall at the sbs 2011 location. I remember once someone else having a problem with too much data going to /. from 1 place that the watchguard shut it off - there's a setting to limit amount of data to / from 1 external location that was on by default.
Anyone know where that is? Could that be why they are failing the migration?
can you tell me where to look to disable that if it's on. and maybe where to look to see if that feature was activatted in the last 48 hours?
THANKS!
I am using migration wiz and 4 of 5 mailboxes failed. one talked of actively refiusing the connection.
It reminded me - there's a watchguard firewall at the sbs 2011 location. I remember once someone else having a problem with too much data going to /. from 1 place that the watchguard shut it off - there's a setting to limit amount of data to / from 1 external location that was on by default.
Anyone know where that is? Could that be why they are failing the migration?
can you tell me where to look to disable that if it's on. and maybe where to look to see if that feature was activatted in the last 48 hours?
THANKS!
Software FirewallsHardware FirewallsExchangeMicrosoft 365SBS
Last Comment
Saif Shaikh
ASKER
I'm running them again. But here's some. 1 user got 1000 errors of this, another got a lower number. but they passed the password veriification.
Active Directory is unavailable. Try again later
The request failed. Unable to connect to the remote server ---> Unable to connect to the remote server ---> No connection could be made because the target machine actively refused it 75.127.196.xxx:443
The request failed. Unable to connect to the remote server ---> Unable to connect to the remote server ---> A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 75.127.196.xxx:443
This is one I hadn't seen before:
Inconsistent get item response (0 items returned but more are available)
it's an older 2011 standard SBS so is there maintenance I should be doing first?
The autodiscver test:
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for x@y.com
Autodiscover was tested successfully.
Active Directory is unavailable. Try again later
The request failed. Unable to connect to the remote server ---> Unable to connect to the remote server ---> No connection could be made because the target machine actively refused it 75.127.196.xxx:443
The request failed. Unable to connect to the remote server ---> Unable to connect to the remote server ---> A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 75.127.196.xxx:443
This is one I hadn't seen before:
Inconsistent get item response (0 items returned but more are available)
it's an older 2011 standard SBS so is there maintenance I should be doing first?
The autodiscver test:
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for x@y.com
Autodiscover was tested successfully.
I see this:
The request failed. Unable to connect to the remote server ---> Unable to connect to the remote server ---> No connection could be made because the target machine actively refused it 75.127.196.xxx:443
So basically target machine i.e. SBS server has refused request on port 443.
Can you check what IP: 75.127.196.xxx is. Is this the IP of your firewall. If yes then make sure to open port 443 for IP: 75.127.196.xxx
The request failed. Unable to connect to the remote server ---> Unable to connect to the remote server ---> No connection could be made because the target machine actively refused it 75.127.196.xxx:443
So basically target machine i.e. SBS server has refused request on port 443.
Can you check what IP: 75.127.196.xxx is. Is this the IP of your firewall. If yes then make sure to open port 443 for IP: 75.127.196.xxx
Kindly follow Migration Wiz article for firewall requirement: "How do I set up router ports for OWA traffic when performing an On-Premises Exchange to On-Premises Exchange migration?"
https://help.bittitan.com/hc/en-us/articles/115008107167
https://help.bittitan.com/hc/en-us/articles/115008107167
Based on your details and issues to date, I tend not to think that it is the firewall. HOWEVER, if your port 80 and 443 rules are proxies, I could see where this could intermittently get in the way depending on the contents of the mailbox. Especially if you have Deep Packet Inspection turned on.
This could be a complex issue to resolve and even more so without me knowing what your config looks like. But a relatively simple (but less secure) way to deal with this would be to create an unfiltered packet filter outbound from the machine running the migration wizard. Because 365 has so many sub URLs, I would just add HTTP and HTTPS rules (not HTTP-Proxy and HTTPS-Proxy) from the IP of the migrationwiz server to Any-External. Because it is a packet filter and pretty specific in nature, it should come in higher than your default proxy rules and take precedence (assuming yout auto-order is on as it should be). I would also turn on logging for that rule so that you can prove that it is being used. Once you can launch the wizard and see that traffic traversing the new packet filter rules, run your migration test again. If it succeeds, you are good to go. If it does not succeed, you can be pretty sure that it is not the firewall causing the issue.
Good luck.
~Jon
This could be a complex issue to resolve and even more so without me knowing what your config looks like. But a relatively simple (but less secure) way to deal with this would be to create an unfiltered packet filter outbound from the machine running the migration wizard. Because 365 has so many sub URLs, I would just add HTTP and HTTPS rules (not HTTP-Proxy and HTTPS-Proxy) from the IP of the migrationwiz server to Any-External. Because it is a packet filter and pretty specific in nature, it should come in higher than your default proxy rules and take precedence (assuming yout auto-order is on as it should be). I would also turn on logging for that rule so that you can prove that it is being used. Once you can launch the wizard and see that traffic traversing the new packet filter rules, run your migration test again. If it succeeds, you are good to go. If it does not succeed, you can be pretty sure that it is not the firewall causing the issue.
Good luck.
~Jon
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
thanks saif. I lowered the concurrent migrations to 1 and it's working.
Glad I could help...
You can test autodiscover using testexchangeconnectivity.c
Can you paste the error of the failed mailboxes in here for review.