Wednesday, April 22, 2026

Modern Hybrid Agent Install Fails

I've run into this a few times, and since setting this up isn't a common thing anymore, this is my reminder as to a common issue.

When the hybrid agent installs and fails to connect afterwards, it's often due to Extended Protection being enabled in IIS on the Exchange Server.

Quick overview of the fix:

  • Download the ExchangeExtendedProtectionManagement.ps1 script from https://microsoft.github.io/CSS-Exchange/Security/ExchangeExtendedProtectionManagement/
  • Use the script to disable Extended Protection
    .\ExchangeExtendedProtectionManagement.ps1 -DisableExtendedProtection
  • Install the hybrid agent via Hybrid Wizard
  • Enable Extended Protection to support the hybrid agent
    .\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames MHServer1, MHServer2 -ExcludeVirtualDirectories "EWSFrontEnd"

You might need to disable Extended Protection again if you re-run the hybrid agent install after updating the certificate.
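
To confirm the end state after the last step, this added example (not part of the original post or of the CSS-Exchange script) reads applicationHost.config and lists the Extended Protection tokenChecking value for each Exchange virtual directory. It assumes the default site names "Default Web Site" and "Exchange Back End" and the default IIS config path; a missing setting is reported as None, the IIS default.

```powershell
# Added example: report Extended Protection (tokenChecking) per IIS location
# by reading applicationHost.config directly. Run elevated on the Exchange server.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$config = Get-Content -LiteralPath $configPath -Raw

# Assumption: default Exchange site names. The front-end EWS directory is the
# one excluded with -ExcludeVirtualDirectories "EWSFrontEnd".
$frontEndEws = 'Default Web Site/EWS'

$report = foreach ($location in $config.configuration.location) {
    if ($location.path -notmatch '^(Default Web Site|Exchange Back End)/') { continue }

    $winAuth = $location.SelectSingleNode(
        'system.webServer/security/authentication/windowsAuthentication')
    if ($null -eq $winAuth) { continue }   # no Windows auth section at this location

    $ep = $winAuth.SelectSingleNode('extendedProtection')
    # A missing element or attribute means the IIS default, None.
    $token = if ($null -ne $ep -and $ep.GetAttribute('tokenChecking')) {
        $ep.GetAttribute('tokenChecking')
    } else {
        'None'
    }

    [pscustomobject]@{
        Location      = $location.path
        TokenChecking = $token
    }
}

$report | Sort-Object Location | Format-Table -AutoSize

# The hybrid agent needs the front-end EWS directory left at None; every other
# value in the table should match what the script reports for your build.
$ews = $report | Where-Object { $_.Location -eq $frontEndEws }
if ($ews -and $ews.TokenChecking -ne 'None') {
    Write-Warning "$frontEndEws is set to $($ews.TokenChecking); the exclusion was not applied."
}
```

Run it on each server named in -ExchangeServerNames, since the setting is stored per server.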

These instructions are being used for Exchange Server SE. 

Reference links: