Solved

Outbound HTTP/HTTPS Traffic from Exchange Server

Posted on 2014-04-14
11
395 Views
Last Modified: 2014-05-08
Out network team is advising they are seeing a lot of http/https traffic sourced from our Exchange server.  Shouldn't there only be SMTP traffic coming from the Exchange server?  What would cause http/https traffic being sourced from our Exchange server (Mailbox,Hub,Cas role) Is this normal?
0
Comment
Question by:fireguy1125
  • 5
  • 5
11 Comments
 
LVL 5

Expert Comment

by:Metaltree
ID: 39999429
Most likely stateful traffic from Client Access Services. (OWA/phones/Outlook Anywhere/etc)
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39999685
Outlook Anywhere and ActiveSync are both HTTPS based protocols, as well as OWA.
It could also be downloads of third party updates (AV, Anti-spam etc). Exchange is built on web services, so even internally you will see a lot of web traffic - Offline Address Book, Availability, Autodiscover etc.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39999733
This is traffic sourcing from the exchange server IPs to public websites, some inappropriate/malicious.  Wondering how I can duplicate this so we know how this occurs.

For example, I see that if I copy the hyperlink that is within an OWA email, it changes it to a redirect link from Exchange. I thought this may be the cause, however after testing it was not appearing from the Exchange server IPs, but actually my local workstation IP.

For example, a link to www.experts-exchange.com would appear as:

https://mail.mycompany.com/owa/redir.aspx?C=y_z-XS2qgHyooPlDs7SIVeqaUlyiK9EI56YM__E0LJ7TUVF0uV7WUxJeXJtg6RS2LXGQIp7zPz8.&URL=http%3a%2f%2fwww.experts-exchange.com


Any other thoughts how I can duplicate this issue?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39999765
If a user opens a message, then it doesn't go through Exchange, it just redirects, which is a safety measure within OWA. Has someone been browsing from the Exchange server? Look in the event viewer for any IP address conflict - I have seen users try and take a server's address so they can browse locations they shouldn't normally be able to access.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39999944
Thanks. No IP conflicts, also had networking confirm IP/MAC match to the Exchange server. Nobody is browsing the web on the server itself.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40000305
I don't mean actively browsing, but has done in the past - that is how malware usually gets on to a workstation. If it is browsing suspicious sites then it could be an add-clicker bot.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 40001447
I ran a full AV scan/and MalwareBytes scan on the server and yielded negative results. I shouldn't say all sites are suspicious, most are legitimate, company work-related, but some are considered suspicious.  We're just wondering how the traffic to these websites is showing as originating from the Exchange server.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40004459
If no one is browsing from the server then you shouldn't be seeing any traffic coming from it at all. Go through the web services configuration, see if someone has installed a proxy server or something on the machine.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 40018265
I just did, and this does not appear to be the case.  Would there be any impact to the exchange environment if disabling outbound http/https traffic from all the exchange hub/cas/mb servers?

screenshot
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40018521
If you disable that traffic then you will lose ActiveSync, OWA and Outlook Anywhere.
Can the network team see the traffic in real time? If so, I would arrange some downtime so that you can test a few things - such as shutting down Exchange, IIS and the entire server, to see if the traffic continues.

Simon.
0
 
LVL 1

Author Closing Comment

by:fireguy1125
ID: 40051711
Thanks for your feedback and advice. Once we test i'll post feedback.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
Read this checklist to learn more about the 15 things you should never include in an email signature.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
how to add IIS SMTP to handle application/Scanner relays into office 365.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question