On-premise migration firewall gotchas

When migrating to and from on-premise environments (usually smaller organizations), we hit issues with firewalls thinking that we are a denial of service (DoS) attack. I say smaller organizations because usually the firewall is configured with default settings which is very conservative.

If your migration is running slow (meaning one or no items migrating each minute), it’s most likely that your firewall is dropping our connections and denying us access. You may also see errors in the error log relating to connection problems.

Here are some tips on resolving these issues:

• Ensure that the connection limit is set to at least the number of simultaneous migrations you are performing.
• Ensure that the number of TCP/HTTP requests is set to a high value. The number of request vary depending on the connector type in addition to the bandwidth and latency. For example, 10 transactions per second per mailbox equates to 600,000 transactions per minute for 1000 simultaneous mailboxes.

Unfortunately we don’t have any mechanism to tell you what IP addresses your migrations are coming from. We have migrations servers deployed worldwide and you may be getting one of hundreds of IP addresses that are allocated across different blocks. The good news is that most likely your migration will come from multiple IP addresses so we may not hit your connection/request limits since those are per IP address.