Earlier this week, I was moving one of our Exchange 2013 servers from Trend Micro WFBS Exchange Agent (or Messaging Security Agent) over to their ScanMail for Exchange product.
The first part of this was to uninstall the Trend Micro Message Security Agent, which I did via the Control Panel.
This appeared to go according to plan, and I was not expecting any downtime on my Exchange server from the users perspective. I did expect it to restart the Exchange Transport Services, as the MSA integrates into Exchange via those services.
A few minutes into the install, all my users reported Exchange was offline for them. I left it until the uninstall was completed before investigating and found that nothing could connect to Exchange. I rebooted the Exchange server and still nothing could connect.
I found that when I attempted to access Exchange via the ECP or OWA, that right after the login screen, I got a blank screen.
I checked the event logs and found further that we had event ID 15021 with a source of HTTPEVENT in the system logs as below.
I little digging into this further and I found this excellent blog post that helped me resolve the issue.
Basically – the SSL certificate bindings got messed up with the removal of the Trend Micro WFBS Messaging Security Agent. Whats interesting is that as unlike the blog post, I actually had something showing on port 444, but the certificate hash and application ID were different to those on the 127.0.0.1:443 entry. I proceeded to fix it as per the blog post and we were back up and running after an IISRESET.
I’ve not seen this ever before on an Exchange server even though I’ve removed and reinstalled WFBS MSA many times over the years, so I can only deduce that this issue was a once of for our environment.