Understanding the Importance of MRS Proxy in Hybrid deployment Model – Office 365

Hello Office 365 admins,

Ahmad Yasin

In one of the projects we worked on, we had Exchange 2013 servers and tried to run the Hybrid Configuration Wizard (HCW) in order to migrate mailboxes to Office 365. As usual, we installed AD Connect and synced users to Azure Active Directory.

All HCW prerequisites were met, such as verifying the domain, the public certificate, etc. We started the Hybrid Configuration Wizard, but unfortunately the wizard completed with the warning below:

HCW8078: Migration Endpoint could not be created.
Microsoft.Exchange.Migration.MigrationServerConnectionFailedException
“The connection to the server mail.mydomain.edu.jo could not be completed.”
Microsoft.Exchange.MailboxReplicationService.RemoteTransientException:
The Call to ‘https://mail.mydomain.edu.jo/EWS/MRSProxy.svc’ failed. Error Details:
The Http Request was forbidden with client authentication schema ‘Negotiate’. –>
The remote server returned an error :(403) forbidden.

First of all, let's start troubleshooting by opening the URL mentioned in the error details (https://mail.mydomain.edu.jo/EWS/MRSProxy.svc) in a browser to see whether we can reach it. When I open the URL it asks for credentials, and once I entered any domain user I received an error response.

From that response we can see that something went wrong while accessing the URL, which is what caused the Hybrid Configuration Wizard to raise the warning.

Before we fix the error, let's look at why the HCW tries to access this URL while configuring the hybrid deployment.

MRS Proxy stands for Mailbox Replication Service Proxy. It is used for cross-forest mailbox moves and remote move migrations between on-premises Exchange and Exchange Online (Office 365), which means the service is used whenever Exchange is asked to start the migration process. In Exchange 2013 the service is included in the Mailbox servers, and during cross-forest and remote move migrations the Client Access server acts as a proxy for incoming move requests to the Mailbox server. The ability of the Client Access server to accept move requests is disabled by default to reduce the attack surface; to allow it to accept incoming move requests, you must enable the MRS Proxy endpoint.

So even though the wizard shows a warning rather than a failure, if you decide not to fix the warning, the migration request will fail when you try to move a mailbox to Office 365 (Exchange Online).

To enable the MRS Proxy in Exchange 2013, log in to the ECP page, go to Servers -> Virtual directories, and double-click the EWS virtual directory.

Once the virtual directory is open, check the "Enable MRS Proxy endpoint" option, then click Save.

If you have more than one Client Access server, be sure to enable the MRS Proxy on all of them.

If you prefer to use Exchange PowerShell, run the command below (replace the server name with your CAS server):

Set-WebServicesVirtualDirectory -Identity "MyCASSErver\EWS (Default Web Site)" -MRSProxyEnabled $true

For Exchange 2010, you can enable it using the command below (replace the server name with your CAS server):

Set-WebServicesVirtualDirectory -Identity "MYCASSErver\EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyMaxConnections 50

Once you enable it, I prefer to reset IIS by running the command below from CMD:

iisreset /force

Once you finish the migration, it is highly recommended to disable the MRS Proxy again to reduce the attack surface of your organization.

After that you can run the Hybrid Configuration Wizard. In my case it was a strange story: when I checked the MRS Proxy, it was already enabled, so to solve my problem I disabled it and re-enabled it. Once I did this, I tried to access the URL again and this time got a different response.

Finally, I ran the Hybrid Configuration Wizard; it completed successfully, and the migration of mailboxes went smoothly.
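The steps above (enable the MRS Proxy on every Client Access server, then disable it once the migration is finished) can be reviewed and applied across all EWS virtual directories in one pass. This is an added example, not code from the original post; the function names Get-MrsProxyState and Set-MrsProxyState and the -Apply switch are hypothetical helpers built on the Get-/Set-WebServicesVirtualDirectory cmdlets.

```powershell
# Added example: run in the on-premises Exchange Management Shell.
# Get-MrsProxyState / Set-MrsProxyState and -Apply are hypothetical helper names.

function Get-MrsProxyState {
    # One row per EWS virtual directory, so no Client Access server is missed.
    Get-WebServicesVirtualDirectory |
        Select-Object Server, Identity, MRSProxyEnabled
}

function Set-MrsProxyState {
    param(
        [Parameter(Mandatory = $true)] [bool] $Enabled,
        [switch] $Apply   # without -Apply the function only reports what would change
    )
    foreach ($vdir in Get-WebServicesVirtualDirectory) {
        # Skip virtual directories that are already in the wanted state.
        if ($vdir.MRSProxyEnabled -eq $Enabled) { continue }
        if ($Apply) {
            $vdir | Set-WebServicesVirtualDirectory -MRSProxyEnabled $Enabled
        }
        # Emit a record of each change (or pending change) for the change log.
        New-Object PSObject -Property @{
            Server  = $vdir.Server
            Was     = $vdir.MRSProxyEnabled
            Wanted  = $Enabled
            Applied = [bool]$Apply
        }
    }
}

# Before the migration: review the current state, then open the endpoint everywhere.
#   Get-MrsProxyState | Format-Table -AutoSize
#   Set-MrsProxyState -Enabled $true -Apply
#
# After the last mailbox has moved: close the endpoint again, then list any
# server that still has it enabled.
#   Set-MrsProxyState -Enabled $false -Apply
#   Get-MrsProxyState | Where-Object { $_.MRSProxyEnabled }
```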

About Blogger …

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the owner and publisher of the AzureDummies blog. He also holds many certificates in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA Office 365.
Ahmad is currently working in Specialized Technical Services Company (STS).
Find Ahmad at Facebook and LinkedIn.

6 Comments

  1. Thanks Ahmed.

    I had the same issue. My MRS proxy was enabled, but I couldn't complete the hybrid guide without the same errors that you got. I disabled the MRS proxy and enabled it again, with iisreset/restart. Afterwards I was able to complete the guide without errors. Exchange 2013 CU13

    BR Mikkel H

  2. Hello Ahmed,

    Thanks for sharing your knowledge. I have been following a few other blogs, but your blog is very, very helpful. Please publish a few ADFS and hybrid Office 365 deployment migration methods.
