Exchange 2013 not able to proxy OA/RPC to Exchange 2007

This was working a day ago.  What broke it is when I tried to change the OA hostname for our Exchange 2007 setup.  Our users were used to going to webmail.domain.com for all Exchange virtual directories and OA.  When I stood up the Exchange 2013 environment, I named all the virtual directories and OA mail.domain.com.  I wanted to push all webmail.domain.com traffic to Exchange 2013, and I did so externally a month ago.  No problems.  Everything worked with a simple CNAME to mail.domain.com.

The problem started when I wanted to do the same thing internally.  I renamed all the Exchange 2007 virtual directories and OA to legacywebmail.domain.com.  I created an A/PTR record in DNS pointing to the NLB that used to host webmail.domain.com, changed the NLB name, deleted the A/PTR for webmail.domain.com, and then CNAMED webmail.domain.com to mail.domain.com.

External OA broke.  Everything else worked (EAS/EWS).  I tried backing out of the changes, and OA is still broken.  It looks like it breaks when Exchange 2013 is proxying to Exchange 2007.  I get a "RPC Proxy Can't Be Pinged - An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN)." error message.  The traffic comes in through my TMG, hits 2013, and stops dead there.  

The thing is that this WAS working prior to the changes, it broke when the changes were made, and now that the changes were reverted, it's still broken.  EWS and EAS continue to function without issue. If I force clients through legacywebmail.domain.com, they work. 


March 13th, 2014 4:35pm

Look at the Outlook Anywhere settings on the Exchange 2007 server.  It appears that the proxy isn't working properly.
March 13th, 2014 7:20pm

Thanks, Ed.  But specifically what would I look at?  Get-outlookanywhere and the RPC directory in IIS look like they always have.

Also, if the issue was on the 2007 end, would direct OA connections still work?  I've taped a solution together through DNS to allow 2007 users to directly hit the 2007 CAS servers, and that works.  It's just that proxying through 2013 does not work?

March 14th, 2014 10:02am

Apparently that is the case.  You might want to look at the IIS logs for clues.
March 14th, 2014 11:36am

Pretty sure I resolved this.  Thanks.
March 14th, 2014 6:07pm

Please share the solution to help others.

Thanks.

March 14th, 2014 6:52pm

Despite having the NTLM and Basic auth providers specified for my 2007 CAS servers when looking via get-outlookanywhere in the Exchange 2013 shell (internal authmethod NTLM/External Basic), I went into IIS and checked authentication there for the RPC directory.  NTLM was disabled.  I enabled it there.  Everything started working instantly.  I'm not sure if this is a bug since 2007 was simpler, and we use Basic auth for OA.  The internal auth method was introduced with 2013, it defaulted to NTLM, and I set the IIS auth methods for the 2007 CAS servers via the 2013 shell.  Strange that it didn't cause an issue until post-OA external hostname change.
March 15th, 2014 5:49pm
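
The mismatch described in the post above (Exchange reporting NTLM and Basic while IIS had NTLM disabled on the RPC directory) can be checked directly on a CAS. This is an added example, not code from the thread: it assumes IIS 7 or later with the WebAdministration module, the default `Default Web Site/Rpc` location, and a hypothetical function name `Test-RpcVdirAuth`; the expected methods are passed in by hand from what `Get-OutlookAnywhere` reports.

```powershell
# Added example: compare the auth methods Exchange reports for Outlook Anywhere
# with what IIS actually enforces on the Rpc virtual directory.
# Run locally on the CAS in an elevated PowerShell 2.0+ session.
Import-Module WebAdministration

function Test-RpcVdirAuth {
    param(
        # Copy these from the IISAuthenticationMethods value shown by Get-OutlookAnywhere
        [string[]]$ExpectedMethods = @('Basic', 'Ntlm'),
        # Assumption: OA is hosted in the default site
        [string]$Location = 'Default Web Site/Rpc'
    )

    # IIS configuration sections that back each Exchange auth method name
    $sectionFor = @{
        Basic = 'system.webServer/security/authentication/basicAuthentication'
        Ntlm  = 'system.webServer/security/authentication/windowsAuthentication'
    }

    foreach ($method in $sectionFor.Keys) {
        # Authentication sections live in applicationHost.config under a <location> tag
        $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Location $Location -Filter $sectionFor[$method] -Name enabled
        $enabled  = [bool]$attr.Value
        $expected = $ExpectedMethods -contains $method

        # Drift in either direction matters: a missing method breaks proxying,
        # an unexpected one widens what the endpoint will accept.
        New-Object PSObject -Property @{
            Method             = $method
            ExpectedByExchange = $expected
            EnabledInIIS       = $enabled
            Drift              = ($expected -ne $enabled)
        }
    }
}

Test-RpcVdirAuth |
    Format-Table Method, ExpectedByExchange, EnabledInIIS, Drift -AutoSize
```

A row with `Drift` set to `True` for `Ntlm` corresponds to the state the poster found before enabling NTLM in IIS.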

Thanks for sharing.  Glad you got it sorted out.
March 15th, 2014 10:22pm

This topic is archived. No further replies will be accepted.