OWA in Exchange 2016

I recently upgraded a site from Exchange 2010 to Exchange 2016. Replacing the edge transport server was pretty straightforward, but the mailbox server was more tricky, particularly when it came to “Outlook on the Web” (formerly known as OWA).

In brief, you need to make sure that you install all the available updates for Exchange 2016. It’s not enough just to install the RTM (Release To Manufacturing) edition and then download all the patches via Windows Update; you also need to manually install the latest Cumulative Update.

I did this as a swing upgrade, so I had two servers:
1) EX2010: Exchange 2010 running on Windows Server 2008 R2.
2) EX2016: Exchange 2016 running on Windows Server 2012 R2.

I then moved one mailbox from EX2010 to EX2016. Running Outlook, everything was fine. When I accessed OWA on EX2010, it prompted me to use EX2016 instead:

[Image: OWA 2010]

Clicking through to EX2016, I could see all my messages, so that was fine. However, if I tried to open a different mailbox (still stored on EX2010) then I didn’t see anything at all. The URL looked like this:

Checking the page source, it was literally an empty page:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<META http-equiv="Content-Type" 
content="text/html; charset=windows-1252"></HEAD>

So, each server could handle its own mailboxes but they couldn’t handle each other’s. It’s understandable that Exchange 2010 wouldn’t know about a “future version”, but Exchange 2016 is supposed to be backwards compatible. The problem here is that I want to keep a standard URL (https://owa.example.com/owa) and then redirect it to the appropriate server, so none of the end users need to change their bookmarks.

If you can move all your mailboxes to the new server in one go (e.g. on a Friday night) then this may not be a problem for you. However, if you are doing a gradual migration then there are more steps involved.

Looking online, some people mentioned IIS bindings. When you issue a certificate to the server, you then have to run a cmdlet in Exchange Management Shell, e.g.:
Enable-ExchangeCertificate -Thumbprint <certificate thumbprint> -Services IIS, SMTP

This updates the bindings for “Default Web Site”, which you can verify in IIS Manager. (Select the site in the left pane, then click “Bindings…” in the right pane.) Exchange 2010 only uses this single site, but Exchange 2016 also uses a second website: “Exchange Back End”. The second site uses port 444 for https, and by default it uses a self-issued certificate (“Microsoft Exchange”).



So, you need to choose your trusted certificate from the drop-down list, then click “OK”/”Close” to get out of these screens.

Once you’ve done that, go to an elevated command prompt (or PowerShell prompt) and run “iisreset”. After that, I was able to view a legacy mailbox, but no images loaded. When I refreshed the page, it went blank again.
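To record which certificate each site is bound to before and after a change like this, the bindings can also be read from PowerShell instead of IIS Manager. This is an added example, not part of the original post: it only reads the configuration, assumes the WebAdministration module that ships with IIS and the two site names given above, and the function name is hypothetical.

```powershell
# Added example (not from the original post). Read-only: lists the certificate
# behind every HTTPS binding on the two IIS sites discussed above.
Import-Module WebAdministration

function Get-SiteCertificateBinding {   # hypothetical helper name
    param(
        # Site names as given in the post; adjust if yours differ (assumption).
        [string[]]$SiteName = @('Default Web Site', 'Exchange Back End')
    )

    foreach ($site in $SiteName) {
        foreach ($binding in Get-WebBinding -Name $site -Protocol https) {
            # bindingInformation is "IP:port:hostheader", e.g. "*:444:".
            # Index from the right so IPv6 literals such as "[::]" still parse.
            $port  = ($binding.bindingInformation -split ':')[-2]
            $thumb = $binding.certificateHash
            $store = $binding.certificateStoreName

            # Look the thumbprint up in the machine store named by the binding.
            $cert = $null
            if ($thumb) {
                $cert = Get-Item -Path "Cert:\LocalMachine\$store\$thumb" `
                                 -ErrorAction SilentlyContinue
            }

            [pscustomobject]@{
                Site       = $site
                Port       = $port
                Thumbprint = $thumb
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                # Subject equal to Issuer indicates a self-issued certificate.
                SelfIssued = ($null -ne $cert -and $cert.Subject -eq $cert.Issuer)
                # True when the binding points at a certificate that is not in the store.
                Missing    = ($null -eq $cert)
            }
        }
    }
}

Get-SiteCertificateBinding | Format-Table -AutoSize
```

Saving this output before touching the bindings gives you the exact thumbprints to restore if you need to put them back.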


After I created an SPN record for the Exchange 2016 server (and new rules on the firewall server), I was able to access my email remotely using a separate FQDN. Interestingly, I could access 2010 and 2016 mailboxes via ActiveSync when I connected to the 2016 server; the problem only applies to OWA.

Checking Event Viewer on the 2016 server, I kept seeing a particular warning. The category was always the same:

Log Name: Application
Source: MSExchange Front End HTTP Proxy
Event ID: 3005
Level: Warning

The description varied slightly, for 3 different folders:

[Autodiscover] Marking ClientAccess 2010 server EX2010.example.com (https://ex2010.hmrlondon.com/Autodiscover) as unhealthy due to exception: System.Net.WebException: The operation has timed out
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.HttpProxy.ProtocolPingStrategyBase.Ping(Uri url)

[Ecp] Marking ClientAccess 2010 server EX2010.example.com (https://ex2010.hmrlondon.com/ecp) as unhealthy due to exception: System.Net.WebException: The operation has timed out
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.HttpProxy.ProtocolPingStrategyBase.Ping(Uri url)

[Owa] Marking ClientAccess 2010 server EX2010.example.com (https://ex2010.hmrlondon.com/owa) as unhealthy due to exception: System.Net.WebException: The operation has timed out
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.HttpProxy.ProtocolPingStrategyBase.Ping(Uri url)

So, this applied to Autodiscover, Ecp, and Owa. It didn’t apply to Microsoft-Server-ActiveSync, which may explain why that worked ok.
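One way to summarise these warnings per protocol, as an added example that is not part of the original post. The helper name and the sample descriptions are constructed for illustration (hostnames are placeholders); the log name, source and event ID are the ones shown above.

```powershell
# Added example (not from the original post): summarise Event ID 3005 warnings.
function ConvertFrom-ProxyHealthWarning {   # hypothetical helper name
    param([Parameter(ValueFromPipeline = $true)][string]$Message)
    begin {
        # Matches the first line of the description format quoted above.
        $pattern = '^\[(?<Protocol>[^\]]+)\] Marking ClientAccess (?<Version>\d+) ' +
                   'server (?<Server>\S+) \((?<Url>[^)]+)\) as unhealthy due to ' +
                   'exception: (?<Exception>[\w.]+): (?<Reason>[^\r\n]*)'
    }
    process {
        if ($Message -match $pattern) {
            [pscustomobject]@{
                Protocol  = $Matches['Protocol']
                Version   = $Matches['Version']
                Server    = $Matches['Server']
                Url       = $Matches['Url']
                Exception = $Matches['Exception']
                Reason    = $Matches['Reason'].Trim()
            }
        }
    }
}

# Constructed sample descriptions in the same format as the warnings above.
$sample = @(
    "[Owa] Marking ClientAccess 2010 server EX2010.example.com (https://ex2010.example.com/owa) as unhealthy due to exception: System.Net.WebException: The operation has timed out`r`n   at System.Net.HttpWebRequest.GetResponse()",
    '[Ecp] Marking ClientAccess 2010 server EX2010.example.com (https://ex2010.example.com/ecp) as unhealthy due to exception: System.Net.WebException: The operation has timed out',
    '[Owa] Marking ClientAccess 2010 server EX2010.example.com (https://ex2010.example.com/owa) as unhealthy due to exception: System.Net.WebException: The operation has timed out'
)

# Count warnings per protocol, target server and exception type.
$sample | ConvertFrom-ProxyHealthWarning |
    Group-Object Protocol, Server, Exception |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# On the Exchange 2016 server, replace $sample with the live events:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 3005;
#     ProviderName = 'MSExchange Front End HTTP Proxy' } |
#     ForEach-Object { $_.Message } | ConvertFrom-ProxyHealthWarning
```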


I changed the certificate bindings back to how they were before, then ran iisreset.exe on the Exchange 2016 server again. After that, I was able to view the specific 2010 mailbox in OWA. However, a different 2010 mailbox still gave me a blank page.


I checked the Outlook Anywhere settings on each server, using the Exchange Management Shell.

[PS] C:\Windows\system32>Get-OutlookAnywhere | fl Identity, *auth*
Creating a new session for implicit remoting of "Get-OutlookAnywhere" command...

Identity                           : Ex2010\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Ntlm}

Identity                           : EX2016\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

(The warnings in Event Viewer didn’t refer to the Rpc folder.)

Running IIS Manager on the Exchange 2010 server, I selected ‘Default Web Site\Rpc’ in the left pane and double-clicked ‘Authentication’ in the middle pane. I then selected ‘Windows Authentication’ and clicked ‘Providers…’ in the right pane. This listed Negotiate and NTLM (in that order). The drop-down list at the bottom said that Negotiate:Kerberos was also available, but I wasn’t using that at all. I changed the order to put NTLM at the top, then ran iisreset.exe at an elevated PowerShell prompt.
NB This will cause a brief period of downtime. On my server, it was about 30 seconds, but you’ll need to decide whether to wait for a scheduled maintenance window.


Apparently you can install the latest Cumulative Update from scratch, rather than installing the RTM version and then updating it. However, I haven’t tried that so I can’t personally confirm that it works.

Upgrading Cisco Unity Express

I recently upgraded an NME-CUE (Cisco Unity Express Enhanced Network Module) from version 3.2.1 to 8.6.7. This module was moving from a 3845 router (running CUCME 7.1) to a 3945 router (running CUCME 10.5), so these versions match the compatibility matrix. On the whole, this went fairly smoothly, but there are a couple of issues to be aware of.

In brief, there were 4 main steps:

  1. Back up the current configuration and data.
  2. Download and install the upgrade package.
  3. Migrate licences to CSL.
  4. Sort out the Message Waiting Indicator (MWI).


Native IPv6 in dd-wrt

As I mentioned in a previous post, I installed dd-wrt (kernel 2.6, VOIP, build 14896) on my wireless router (Linksys WRT320N), which connected to a VDSL modem using PPPoE. After that, it worked fine for IPv4, so I had the same functionality as the original Linksys firmware. However, the purpose of the exercise was to get IPv6 support: this turned out to be easier said than done. I was eventually able to get it working, so if you only want the short answer and aren’t interested in all the troubleshooting steps that I went through, scroll down to the Conclusion section at the bottom of this post.

Please refer to my IPv6 router post to get an overview of what I’m trying to achieve here. Most of the documentation that I’ve found assumes that you’re using a tunnel: this is similar to a proxy server, where you have an IPv4 connection to a machine on the internet, then that machine connects to your real destination using IPv6. However, I have native IPv6 connectivity from my ISP.


IPv6 router

As I’ve mentioned before, I switched my home ISP to A&A so that I could get IPv6 on my internet connection. That gave me 2 pieces of the puzzle (OS support and internet connection), but I still needed to sort out my network infrastructure, specifically my router. This post says what I’m trying to achieve, and it would apply to any router, regardless of the hardware/software involved. I’ll save the details of how I actually went about it for other posts, which are specific to the particular equipment.

On the client side, this should all be invisible. Someone should be able to turn up with a suitable device (e.g. an iPad or a laptop running Windows) and automatically get IPv6 internet access without having to do anything extra. They may have to type in the key for the wireless network, but that’s the same for IPv4 and IPv6. Similarly, they shouldn’t notice whether they’re accessing a particular site (e.g. Facebook) over IPv4 or IPv6; the only visible difference should be that IPv6-only sites (e.g. Loops of Zen) are now available, whereas they weren’t before. I’ve bought an iPad app to help me with my testing (IPv6 Toolkit) but that’s just a diagnostic tool and you don’t need it to actually use IPv6. In fact, as of iOS 9, it’s a requirement for all iPad apps to support IPv6.

On the router side, I want feature parity between IPv4 and IPv6 (where it makes sense). For instance, NAT (Network Address Translation) is a necessary evil in IPv4 and I’ll be glad to see the back of it, so I don’t want an IPv6 equivalent (NAT66). However, if a router says that it supports IPv6 and PPPoE then I expect it to support IPv6 over PPPoE. I also expect to be able to ping IPv6 addresses; I’d prefer to use the same command (ping) for both IPv4 and IPv6, but I don’t mind if I have to use separate commands (e.g. ping6 in Red Hat Enterprise Linux 5) as long as the functionality is built in.

I would like to have some kind of firewall built into the router (e.g. ip6tables), but that’s not essential; if necessary, I’m willing to use a separate device for that.

When I set up a router for an IPv4 xDSL (ADSL/VDSL) internet connection, I don’t have to type in the public IPv4 address: that comes from the ISP. In a similar way, I would like an IPv6 router to pick up the equivalent IPv6 address range automatically. However, if I have to type in the router’s IPv6 address manually then I can live with that; this is just a one-off job until I change my internet connection, rather than something I’d have to do on a daily basis.


VDSL modem

Back in 2011, I had VDSL installed in my flat. As part of the installation, the BT engineer replaced the faceplate on my master phone socket and also supplied me with a new modem:

[Image: Modem 1]

Earlier this year, the modem developed a fault and I couldn’t get online. Annoyingly, this happened on a Friday evening, so A&A’s tech support had closed for the weekend. I got in touch with them on Monday morning, then BT sent someone out on Tuesday morning and I was back online by 09:30. So, I didn’t have internet access for 3½ days, but if the same problem happened midweek then presumably it would be resolved more quickly.



In 2007, I passed CompTIA’s A+ exams; that gave me a qualification which is valid for life. In April 2012, I enrolled in the CE (Continuing Education) program. In April 2015, I passed the Network+ exam, which gave me the Network+ ce qualification (valid for 3 years). Since I was within the deadline, I could also use this exam to get the A+ ce qualification, but that involved navigating CompTIA’s website: this blog post explains how to do it, since they haven’t made it obvious.

My main concern was that I’d cut it quite close with the timings. I took the Network+ exam on 2015-04-24, and the deadline for A+ ce was 2015-04-26. When I got the printed report after the Network+ exam, it said: “Please allow five business days for your CompTIA web record to be updated with exam results.” So, if the website didn’t process my results until after the deadline had passed, would I still be ok? Also, I took the exam on Friday and my deadline was Sunday, so I had less than 1 working day. However, it was all fine so if you’re in a similar situation then don’t worry about it.

Continue reading “CompTIA CE”


Last month, I took the Certified Wireless Technology Specialist (CWTS) exam. This is issued by CWNP, who are similar to CompTIA, i.e. it’s a vendor-neutral exam rather than being based around specific technology (e.g. Cisco access points).

The CWNP website says: “The CWTS certification validates the knowledge of enterprise WLAN sales and support professionals who must be familiar and confident with the terminology and basic functionality of enterprise 802.11 wireless networks.” Similarly, when I booked the exam on the Pearson Vue website, they list it as: “PW0-071: Certified Wireless Technology Specialist – Sales (CWTS)”. This exam isn’t a pre-requisite for any of the higher qualifications, so you could start with the CWNA instead (“the foundation level enterprise Wi-Fi certification for the CWNP Program”). As I understand it, the main difference between the CWTS and the CWNA is “what vs. how”, although I don’t really know enough about the CWNA yet to comment in detail.

Having said that, I learnt a lot by preparing for this exam, and I think there is quite a bit of technical detail in here. For instance, here’s section 3.6 of the exam objectives:

Understand and apply basic RF antenna concepts

  • Passive Gain
  • Beamwidth
  • Simple diversity
  • Polarization

I think there are a lot of IT professionals who would struggle to define all of those terms. Similarly, here’s one of the sample questions from the start of the textbook:

What can contribute to voltage standing wave ratio (VSWR) in an IEEE 802.11g wireless LAN circuit?

  1. Output power of the access point
  2. Impedance mismatch
  3. Gain of an antenna
  4. Attenuation value of cable

So, this is a bit more involved than just saying “Buy a wireless router and plug it in at home”!

Continue reading “CWTS”

Installing dd-wrt on a Linksys WRT320N wireless router

Back in 2011 I switched ISPs to A&A, primarily because they support native IPv6. Incidentally, 3 years on I see that you still can’t get IPv6 from Zen, so I made the right choice by switching.

Windows has had IPv6 support included by default since 2006 (i.e. Vista onwards), so the missing piece of the puzzle was my wireless router (a Linksys WRT320N). Unfortunately, the built-in firmware doesn’t support IPv6. (Source: Linksys devices that support IPv6.)

So, I investigated open source alternatives. There are a few different firmware projects out there, which all seem to be based on Linux. According to the OpenWRT wiki, it isn’t supported on the WRT320N. However, the WRT320 is listed in the dd-wrt router database, so I chose that instead. JP Hellemons wrote about this in 2010 (How I upgraded my Linksys WRT320N to DD-WRT v24); he also checked Tomato and HyperWRT, and neither of those were compatible. However, apparently the NoUSB edition of Tomato USB does support the WRT320N.

Just to forewarn anyone else who’s in a similar position, this isn’t a simple process. Here’s a good (valid) rant about how complex it is. I heard a good phrase a while ago: “Open source software is only free if your time is worthless.” I.e. if you assume that your time is valuable, consider how long it will take you to get a system working. Is it worth paying money to save yourself some time? For instance, in this case I could replace my router with a different model that has IPv6 support built in. (You will still need to invest some time in learning any system, but maybe you could reduce that from a day to an hour.)

In brief, I (eventually) got the router working fine with dd-wrt over IPv4. IPv6 took a bit longer; I’ve elaborated on that in another post (Native IPv6 in dd-wrt).


CompTIA exams

Back in 2007, I passed the CompTIA A+ exams. Since then, there have been a few changes to the way these exams work. Unfortunately, CompTIA haven’t done a very good job of explaining it all; it makes volume licensing seem clear and simple by comparison!

In brief, if you currently have the A+, Network+, or Security+ qualification, you should enroll in the CE program. The deadline for enrollment is 31st December, so there’s not much time left. (If this applies to anyone you know, please pass this info on to them.)
