We help IT Professionals succeed at work.

Exchange 2003 - Firewall logs Port 6004 Outbound

MarkMichael
MarkMichael asked
on
612 Views
Last Modified: 2016-05-17
Hi Experts,

We have an Exchange 2003 environment and we have firewall logs filling up with denies from some of the Exchange 2003 servers showing connection attempts to remote servers in the LAN on UDP 6004.

Over the last month or so, another team has introduced an Exchange 2010 servers, to allow them to move to Office 365.

There's no correlation between the destination IP of the connection and the Exchange 2010 servers either.

Any ideas why these servers have started to attempt to connect to other devices on 6004?
Comment
Watch Question

Alan HardistyCo-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
That port is used for RPC (RPC via HTTPS or Outlook Anywhere as it is known in Exchange 2007 and up).

Are you using a Front-End / Back-End environment with multiple back-end servers?

Author

Commented:
Yep, thats right.

We have several back ends and several front ends for Exchange 2003.

This has been set up like this for a few years and the firewall logs have only recently started getting huge, with all these additional denies in it. I'm curious to figure out what could have changed to start this...

This is an example of the firewall log:

08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24474 dst inter:10.181.16.20/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24473 dst inter:10.172.232.20/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24472 dst inter:10.45.157.252/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24469 dst inter:10.173.50.248/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24468 dst inter:10.243.34.35/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]
08/01/2014 10:42:15:FWSM-4-106023: Deny udp src exchange:10.45.140.22/24467 dst inter:10.45.156.20/6004 by access-group "acl-exchange" [0x70dc7886, 0x0]

Open in new window

Alan HardistyCo-Owner
CERTIFIED EXPERT
Top Expert 2011
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
The 10.45.140.22 is one of the backend servers.


The addresses: 10.181.16.20 / 10.172.232.20 / 10.45.157.252 / 10.173.50.248 / 10.243.34.35 - are all Workstations of users from around the globe in different offices.
Co-Owner
CERTIFIED EXPERT
Top Expert 2011
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Cheers for the link.

I understand both ways would be required to allow the connection to have 2 way communications between a frontend and backend server (between RPC Proxy and DSProxy).

Although the connection appears to be being initiated from the Exchange server, to these workstations, which I find concerning, as Outlook surely wouldn't be listening on UDP 6004 anyway?

Thanks for your help Alan,

Cheers, Mark

Ps. I'm getting confirmation whether these machines are configured for RPC over HTTP.
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.