I have spent some time troubleshooting an alert from SCOM that ActiveSync was not working on all Exchange 2010 servers in an environment. The environment is currently in co-existence with Exchange 2016, with all client access services already pointed to 2016. Running the Test-ActiveSyncConnectivity cmdlet returned the following result:
[PS] C:\Windows\system32>Test-ActiveSyncConnectivity -TrustAnySSLCertificate:$true | fl ... ClientAccessServer : ex2010s001.domain.local Scenario : Options ScenarioDescription : Issue an HTTP OPTIONS command to retrieve the Exchange ActiveSync protocol version. PerformanceCounterName : DirectPush Latency Result : Failure Error : [System.Net.WebException]: The remote server returned an error: (403) Forbidden. HTTP response headers: X-BEServerRoutingError: ex2010s001.domain.local Content-Length: 5232 Cache-Control: private Content-Type: text/html; charset=utf-8 Date: Tue, 13 Mar 2018 15:08:37 GMT Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET UserName : extest_144ce5a2f8a74 ...
The odd thing was that we had no users complaining about a loss in service, and everything seemed to be working from a client side.
It turned out that the extest_144ce5a2f8a74 account had been migrated to an Exchange 2016 mailbox server. Moving the mailbox back to an Exchange 2010 mailbox server allowed the probe to succeed.
This is because Exchange can only proxy to previous versions of Exchange, and not newer versions. For more information on 2016/2010 co-existence, see the following Exchange blog post.