Solved

Exchange 2003 - Firewall logs Port 6004 Outbound

Posted on 2014-01-08
7
343 Views
Last Modified: 2016-05-17
Hi Experts,

We have an Exchange 2003 environment and we have firewall logs filling up with denies from some of the Exchange 2003 servers showing connection attempts to remote servers in the LAN on UDP 6004.

Over the last month or so, another team has introduced an Exchange 2010 servers, to allow them to move to Office 365.

There's no correlation between the destination IP of the connection and the Exchange 2010 servers either.

Any ideas why these servers have started to attempt to connect to other devices on 6004?
0
Question by:MarkMichael
7 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39764772
That port is used for RPC (RPC via HTTPS or Outlook Anywhere as it is known in Exchange 2007 and up).

Are you using a Front-End / Back-End environment with multiple back-end servers?
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 39764778
Yep, that's right.

We have several back ends and several front ends for Exchange 2003.

This has been set up like this for a few years and the firewall logs have only recently started getting huge, with all these additional denies in it. I'm curious to figure out what could have changed to start this...

This is an example of the firewall log:

08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24474 dst inter:10.181.16.20/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24473 dst inter:10.172.232.20/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24472 dst inter:10.45.157.252/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24469 dst inter:10.173.50.248/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24468 dst inter:10.243.34.35/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24467 dst inter:10.45.156.20/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]


0
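Added example (not code from the thread or from any Cisco tool): a small parser for the FWSM `106023` deny lines quoted above, followed by a fan-out check. It groups denies by source address, protocol and destination port and reports sources that hit many distinct destinations. Because the source ports in the sample are high ephemeral ports while the destination port is fixed, the grouping also records that the source host is the side initiating the traffic, which is the direction question raised later in the thread. The six sample lines are constructed from the post; the regex, threshold and field names are assumptions of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the six FWSM deny lines quoted in the thread.
SAMPLE_LOG = """\
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24474 dst inter:10.181.16.20/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24473 dst inter:10.172.232.20/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24472 dst inter:10.45.157.252/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24469 dst inter:10.173.50.248/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24468 dst inter:10.243.34.35/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24467 dst inter:10.45.156.20/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
"""

# Pattern written against the line format shown above (assumption: other
# FWSM/ASA builds may vary the spacing or zone naming).
FWSM_DENY = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}):FWSM-4-106023: Deny '
    r'(?P<proto>\w+) src (?P<src_zone>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_zone>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


@dataclass
class Deny:
    ts: str
    proto: str
    src_zone: str
    src_ip: str
    src_port: int
    dst_zone: str
    dst_ip: str
    dst_port: int
    acl: str


def parse(text: str) -> list:
    """Return one Deny per line that matches the 106023 format; skip others."""
    events = []
    for line in text.splitlines():
        m = FWSM_DENY.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(Deny(d["ts"], d["proto"], d["src_zone"], d["src_ip"],
                           int(d["src_port"]), d["dst_zone"], d["dst_ip"],
                           int(d["dst_port"]), d["acl"]))
    return events


def fan_out(events: list, min_destinations: int = 3) -> list:
    """Group denies by (src_ip, proto, dst_port) and report sources that reach
    at least `min_destinations` distinct hosts. A fixed destination port with
    high, varying source ports means the source host opened the connections."""
    groups = defaultdict(lambda: {"dst": set(), "src_ports": set(), "count": 0})
    for e in events:
        g = groups[(e.src_ip, e.proto, e.dst_port)]
        g["dst"].add(e.dst_ip)
        g["src_ports"].add(e.src_port)
        g["count"] += 1

    findings = []
    for (src_ip, proto, dst_port), g in groups.items():
        if len(g["dst"]) < min_destinations:
            continue
        findings.append({
            "src_ip": src_ip,
            "proto": proto,
            "dst_port": dst_port,
            "distinct_dsts": len(g["dst"]),
            "denies": g["count"],
            # Ephemeral source ports (> 1023) on every hit: the source is the client side.
            "initiator": "source" if min(g["src_ports"]) > 1023 else "unclear",
        })
    return sorted(findings, key=lambda f: -f["distinct_dsts"])


if __name__ == "__main__":
    for f in fan_out(parse(SAMPLE_LOG)):
        print(f"{f['src_ip']} -> {f['distinct_dsts']} hosts on "
              f"{f['proto']}/{f['dst_port']} ({f['denies']} denies, "
              f"initiator: {f['initiator']})")
```

Run against a larger export of the firewall log, the same grouping separates a single backend server talking to many workstations (one finding with a large `distinct_dsts`) from ordinary front-end to back-end chatter, which is the first thing to establish before deciding whether to open the port.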
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 39764832
So presumably your front end server is 10.45.140.22 and the backends are 10.181.16.20 / 10.172.232.20 / 10.45.157.252 / 10.173.50.248 / 10.243.34.35.

If that is the case, I would allow the port as it is internal and needed for RPC to work happily.
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 39764861
The 10.45.140.22 is one of the backend servers.


The addresses: 10.181.16.20 / 10.172.232.20 / 10.45.157.252 / 10.173.50.248 / 10.243.34.35 - are all Workstations of users from around the globe in different offices.
0
 
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 39764864
Ah - okay.  Are the client computers configured using RPC over HTTPS?

If they are, then they will need to communicate with the server.

Have a read of the technical description on this page for info:

http://www.pc-library.com/ports/tcp-udp-port/6004/
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 39765459
Cheers for the link.

I understand both ways would be required to allow the connection to have 2 way communications between a frontend and backend server (between RPC Proxy and DSProxy).

Although the connection appears to be being initiated from the Exchange server, to these workstations, which I find concerning, as Outlook surely wouldn't be listening on UDP 6004 anyway?

Thanks for your help Alan,

Cheers, Mark

Ps. I'm getting confirmation whether these machines are configured for RPC over HTTP.
0