[2019] Cannot get Mitigation to connect
I have 4 Exchange servers in 4 geographical locations, each behind its own firewall, half Sophos SG and half Fortigate (ongoing migration from Sophos to Forti). On all 4 of them, I cannot connect to the Mitigation service.
[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>.\Test-MitigationServiceConnectivity.ps1
WARNING: Exception calling "FetchMitigations" with "0" argument(s): "One or more errors occurred."
WARNING: One or more errors occurred.
WARNING: Object reference not set to an instance of an object.
Result: Failed.
Message: Unable to connect to the Mitigation Service endpoint from this computer.
To learn about connectivity requirements, see https://aka.ms/HelpConnectivityEEMS
Firewall teams say they don't block anything from the Exchange servers to the WWW, nor do they do SSL inspection. nslookup, ping, invoke-webexpression, ... it all answers the way it should.
Confusingly, the mitigation log shows this:
2026-05-20T15:01:17.777Z,MAILSERVER01,FetchMitigation,S:LogLevel=Information;S:Message=Fetching mitigations from https://officeclient.microsoft.com/getexchangemitigations
2026-05-20T15:01:17.777Z,MAILSERVER01,FetchMitigation,S:LogLevel=Information;S:Message=No diagnostic data sent. DataCollectionEnabled is false
2026-05-20T15:01:17.909Z,MAILSERVER01,FetchMitigation,S:LogLevel=Information;S:Message=Fetching mitigations successful
2026-05-20T15:01:17.909Z,MAILSERVER01,ParseMitigation,S:LogLevel=Information;S:Message=The applicability check for mitigations M1.* failed. Skipping mitigations
2026-05-20T15:01:17.909Z,MAILSERVER01,ApplyMitigation,S:LogLevel=Information;S:Message=Mitigation PING1 is currently applied
2026-05-20T15:01:17.930Z,MAILSERVER01,ApplyMitigation,S:LogLevel=Information;S:Message=Mitigation M2.1.0 is currently applied
I'd have expected some kind of error here.
From the firewall logs, manually connecting to https://officeclient.microsoft.com/getexchangemitigations works, but it shows no traffic when executing Get-Mitigations or Test-MitigationServiceConnectivity. So it seems the problem is local.
Finally I looked at Microsoft's script and went through it line by line:
[PS] C:\>$mcs = $mcsfType.GetMethod('CreateService').Invoke($null, [Microsoft.Exchange.Mitigation.Service.Common.ServiceType]::CloudServiceV2)
[PS] C:\>$mitigations = $mcs.FetchMitigations()
Exception calling "FetchMitigations" with "0" argument(s): "One or more errors occurred."
At line:1 char:1
+ $mitigations = $mcs.FetchMitigations()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : AggregateException
Diving deeper:
[PS] C:\>$error[0].exception.tostring()
System.Management.Automation.MethodInvocationException: Exception calling "FetchMitigations" with "0" argument(s): "One or more errors occurred." ---> System.AggregateException: One or more errors occurred. ---> System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Exchange.Mitigation.Service.Common.Utils.PrepareRequest(X509Certificate clientAuthCert)
at Microsoft.Exchange.Mitigation.Service.Common.Utils.<GetHttpUrlResponseAsync>d__4.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
at Microsoft.Exchange.Mitigation.Service.Common.Utils.FetchMitigationsFromUrl[T](String url, X509Certificate clientAuthCert, Boolean isResponseJson)
at Microsoft.Exchange.Mitigation.Service.MitigationCloudServiceV2.FetchMitigations()
at CallSite.Target(Closure , CallSite , Object )
--- End of inner exception stack trace ---
at System.Management.Automation.ExceptionHandlingOps.ConvertToMethodInvocationException(Exception exception, Type typeToThrow, String methodName, Int32 numArgs, MemberInfo memberInfo)
at CallSite.Target(Closure , CallSite , Object )
at System.Dynamic.UpdateDelegates.UpdateAndExecute1[T0,TRet](CallSite site, T0 arg0)
at System.Management.Automation.Interpreter.DynamicInstruction`2.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
EDIT for future reference (relevant XKCD): apparently it is not enough to be able to reach the address, it also needs to be pingable. As soon as we allowed ping to WAN, and restarted the console, it worked.
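For anyone hitting the same wall: the post's own tests (nslookup, ping, a manual browser connection) each covered one layer, and the layer that finally mattered was ICMP. The script below is an added diagnostic, not part of the original post and not Microsoft's Test-MitigationServiceConnectivity.ps1. It checks DNS, TCP 443, an HTTPS GET and ICMP echo against the EEMS endpoint separately and reports each result side by side, so an "HTTPS OK / ICMP FAIL" combination stands out immediately. It assumes Windows PowerShell 5.1 on a server where the NetTCPIP module (Test-NetConnection) is available; the endpoint URL is the one from the mitigation log above.

```powershell
# Added diagnostic (not from the original post, not Microsoft's script).
# Tests each connectivity layer to the EEMS endpoint independently.
# Assumes Windows PowerShell 5.1 with the NetTCPIP module present.
param(
    # URL taken from the mitigation log in the post
    [string]$Endpoint = 'https://officeclient.microsoft.com/getexchangemitigations'
)

$uri      = [uri]$Endpoint
$hostName = $uri.Host            # note: $host is a reserved automatic variable, hence $hostName
$results  = [ordered]@{}

# 1. Name resolution
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.IPAddressToString }
    $results['DNS'] = "OK ($($addrs -join ', '))"
} catch {
    $results['DNS'] = "FAIL ($($_.Exception.Message))"
}

# 2. TCP handshake on 443 (no TLS yet)
$tcp = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
$results['TCP443'] = if ($tcp.TcpTestSucceeded) { 'OK' } else { 'FAIL (no TCP connection)' }

# 3. Anonymous HTTPS GET. The real service authenticates with a certificate,
#    so an HTTP 4xx here still proves the path and TLS handshake work.
try {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $resp = Invoke-WebRequest -Uri $Endpoint -UseBasicParsing -TimeoutSec 15
    $results['HTTPS'] = "OK (HTTP $($resp.StatusCode))"
} catch {
    $status = $null
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    if ($status) {
        $results['HTTPS'] = "Reachable (HTTP $status)"
    } else {
        $results['HTTPS'] = "FAIL ($($_.Exception.Message))"
    }
}

# 4. ICMP echo, the layer the post found was missing
$ping = Test-Connection -ComputerName $hostName -Count 2 -Quiet -ErrorAction SilentlyContinue
$results['ICMP'] = if ($ping) { 'OK' } else { 'FAIL (no echo reply; ICMP blocked or not answered)' }

# Print the table; HTTPS OK together with ICMP FAIL matches the post's situation
$results.GetEnumerator() | ForEach-Object { '{0,-8} {1}' -f $_.Key, $_.Value }
```

Run it from the Exchange Management Shell on each server. One caveat: Invoke-WebRequest and Test-NetConnection use the machine's own WinHTTP/WinINet settings, so if the server is configured with Set-ExchangeServer -InternetWebProxy, the service may be taking a different path than this script does; compare the results with the firewall logs from both sides, as the post did, rather than trusting either alone.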