Forum Discussion

Gly
Brass Contributor
Mar 03, 2025

Exchange health set unhealthy

Hello everyone! 

Some health probes on our Exchange 2016 Server have been reporting an unhealthy state since the middle of February: OAB.Proxy, EWS.Proxy, Outlook.proxy and OutlookMapiHttp.Proxy. 
We have no mailboxes on the server, so it's not critical, but I would still like to figure out what is going on. 
They all fail with "The remote server returned an error: (401) Unauthorized" and if I try to invoke the probe I see this in the response: 

It looks like the SSL validation is not happening. 
Is it normal for the probe to use localhost for this? 
When I run "Get-WebServicesVirtualDirectory" both the internal and external virtual directories are set to our external URL. 

 

Any insight is greatly appreciated! 

  • LainRobertson
    Silver Contributor

    Hi Gly,

     

    Yes, the localhost reference is fine.

     

    I may be digging too many years into the past, but I have a hunch you hit this timeout issue when the CRL URL can't be reached.

     

    Here's a quick-but-lengthy PowerShell one-liner you can run on your Exchange Server host to check if the CRL is accessible from the host itself. Note, I'm on Exchange Server 2019 but I would anticipate this should still work on Exchange Server 2016 given how basic the command is.

     

    Out of sympathy for anyone reading this post, I've also included a formatted version of the same one-liner.

     

    # One-liner.
    Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | ForEach-Object { $Matches = $null; $null = certutil -v -store my $_.Thumbprint | Where-Object { $_ -match "\(http.+\.crl\)" }; if (0 -lt $Matches.Count) { $crl = $Matches[0] -replace "[\(\)]", ""; [PSCustomObject] @{ Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter; Subject = $_.Subject; CRL = $crl; CRLOkay = 400 -gt (Invoke-WebRequest -UseBasicParsing -Method Get -Uri $crl).StatusCode }; } }
    
    # The same one-liner from above formatted for easier reading. You can readily copy-and-paste this version into the PowerShell console window if you like.
    Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | ForEach-Object {
        # Clear $Matches so a certificate without a CRL URL does not reuse the previous certificate's match.
        $Matches = $null;
        # Dump the certificate with certutil; -match leaves the last line containing "(http...crl)" in $Matches.
        $null = certutil -v -store my $_.Thumbprint | Where-Object { $_ -match "\(http.+\.crl\)" };
        if (0 -lt $Matches.Count) {
            # Strip the surrounding parentheses to get the bare CRL URL.
            $crl = $Matches[0] -replace "[\(\)]", "";
            [PSCustomObject] @{
                Thumbprint = $_.Thumbprint;
                NotAfter = $_.NotAfter;
                Subject = $_.Subject;
                CRL = $crl;
                # True when the CRL download returns an HTTP status below 400; an unreachable URL raises an error instead.
                CRLOkay = 400 -gt (Invoke-WebRequest -UseBasicParsing -Method Get -Uri $crl).StatusCode;
            }
        }
    }

     


     

    If you find that CRLOkay is True then my recollection is wrong and I'd have to go away and try to reproduce your timeout before I could attempt to give myself a refresher.

     

    Cheers,

    Lain
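
An added example, not part of the post above and not Microsoft's own code: where the one-liner tests whether the CRL URL answers over HTTP, this script asks Windows to build the chain for each IIS-bound certificate with online revocation checking and times the result. The 15-second timeout, the variable names and the output property names are assumptions.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the server.
# For each certificate bound to IIS, build the chain with online revocation checking
# and report how long it took and whether revocation status could be determined.
$timeoutSeconds = 15   # assumed value; adjust as needed

Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | ForEach-Object {
    # Re-read the certificate from the machine store so we hold a real X509Certificate2,
    # even when the shell returned a deserialized object.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)"

    # $true = use the machine context, which is what a service would use.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode      = 'Online'        # fetch CRL/OCSP if not cached
    $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'   # check every cert except the root
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($timeoutSeconds)

    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $valid = $chain.Build($cert)
    $timer.Stop()

    # Flatten the chain status flags to strings for simple comparison and display.
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [PSCustomObject] @{
        Thumbprint        = $cert.Thumbprint
        Subject           = $cert.Subject
        ChainValid        = $valid
        Seconds           = [math]::Round($timer.Elapsed.TotalSeconds, 1)
        # Set when the revocation source could not be reached or gave no answer.
        RevocationUnknown = $flags -contains 'RevocationStatusUnknown'
        OfflineRevocation = $flags -contains 'OfflineRevocation'
        Revoked           = $flags -contains 'Revoked'
        ChainStatus       = ($flags -join ', ')
    }

    $chain.Reset()
}
```

A high Seconds value together with RevocationUnknown or OfflineRevocation points at an unreachable revocation URL. Windows caches CRLs, so a previously downloaded CRL can satisfy the check even when the URL is currently unreachable.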

  • Towel
    Copper Contributor

    Open IIS and check the "Default Web Site" and check if the binding and the certificate are there and properly configured.
