Exchange 2010-2016 coexistence: Why does OWA do a 301 redirect before login

I have an Active Directory domain. We have two on-premises mail servers — one running Exchange 2010 (exchange2010.example.com) and one running Exchange 2016 (exchange2016.example.com). My goal is to migrate from 2010 to 2016, but to have them in coexistence during the transition.

We have a firewall (pfSense) and allow access to OWA using NAT. I have one NAT rule pointing to the Exchange 2010 server and one pointing to Exchange 2016. From the outside, the IP for both servers look the same (since they are both running from the same internet connection), but there are two CNAME entries in external DNS, and the NAT is forwarding two different ports.

Internally, everything works. If I go to https://exchange2016.example.com/owa I get the 2016 OWA login page. I can log in. If the mailbox is on Exchange 2010, OWA proxies and I get 2010 OWA. Otherwise I get the 2016 interface.

Externally, I have the following urls: https://exchange2010.example.com/owa and https://exchange2016.example.com:8443/owa . This is where things get weird.

Say I visit https://exchange2016.example.com:8443/owa . I can see in the firewall logs that the client DOES connect to the Exchange 2016 server. But then there is an immediate 301 redirect to exchange2010.example.com, and I get the OWA login page for Exchange 2010, not Exchange 2016. This happens BEFORE I log in, so OWA does not know anything about where the mailboxes live. The domain name (exchange2016.example.com) stays the same, but I lose the port forward (8443) in the URL.

I can see that there is a redirect in the firewall and IIS logs, but I do not know what is causing it. I have the external URIs in my virtual directories set properly, I think.

Does anybody know what might be happening here? Where should I look for troubleshooting information? I do not feel the port forward is the problem, but I do not know how I would tell.