?
Solved

Outbound HTTP/HTTPS Traffic from Exchange Server

Posted on 2014-04-14
11
Medium Priority
?
409 Views
Last Modified: 2014-05-08
Out network team is advising they are seeing a lot of http/https traffic sourced from our Exchange server.  Shouldn't there only be SMTP traffic coming from the Exchange server?  What would cause http/https traffic being sourced from our Exchange server (Mailbox,Hub,Cas role) Is this normal?
0
Comment
Question by:fireguy1125
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
11 Comments
 
LVL 5

Expert Comment

by:Metaltree
ID: 39999429
Most likely stateful traffic from Client Access Services. (OWA/phones/Outlook Anywhere/etc)
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39999685
Outlook Anywhere and ActiveSync are both HTTPS based protocols, as well as OWA.
It could also be downloads of third party updates (AV, Anti-spam etc). Exchange is built on web services, so even internally you will see a lot of web traffic - Offline Address Book, Availability, Autodiscover etc.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39999733
This is traffic sourcing from the exchange server IPs to public websites, some inappropriate/malicious.  Wondering how I can duplicate this so we know how this occurs.

For example, I see that if I copy the hyperlink that is within an OWA email, it changes it to a redirect link from Exchange. I thought this may be the cause, however after testing it was not appearing from the Exchange server IPs, but actually my local workstation IP.

For example, a link to www.experts-exchange.com would appear as:

https://mail.mycompany.com/owa/redir.aspx?C=y_z-XS2qgHyooPlDs7SIVeqaUlyiK9EI56YM__E0LJ7TUVF0uV7WUxJeXJtg6RS2LXGQIp7zPz8.&URL=http%3a%2f%2fwww.experts-exchange.com


Any other thoughts how I can duplicate this issue?
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39999765
If a user opens a message, then it doesn't go through Exchange, it just redirects, which is a safety measure within OWA. Has someone been browsing from the Exchange server? Look in the event viewer for any IP address conflict - I have seen users try and take a server's address so they can browse locations they shouldn't normally be able to access.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39999944
Thanks. No IP conflicts, also had networking confirm IP/MAC match to the Exchange server. Nobody is browsing the web on the server itself.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40000305
I don't mean actively browsing, but has done in the past - that is how malware usually gets on to a workstation. If it is browsing suspicious sites then it could be an add-clicker bot.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 40001447
I ran a full AV scan/and MalwareBytes scan on the server and yielded negative results. I shouldn't say all sites are suspicious, most are legitimate, company work-related, but some are considered suspicious.  We're just wondering how the traffic to these websites is showing as originating from the Exchange server.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40004459
If no one is browsing from the server then you shouldn't be seeing any traffic coming from it at all. Go through the web services configuration, see if someone has installed a proxy server or something on the machine.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 40018265
I just did, and this does not appear to be the case.  Would there be any impact to the exchange environment if disabling outbound http/https traffic from all the exchange hub/cas/mb servers?

screenshot
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 40018521
If you disable that traffic then you will lose ActiveSync, OWA and Outlook Anywhere.
Can the network team see the traffic in real time? If so, I would arrange some downtime so that you can test a few things - such as shutting down Exchange, IIS and the entire server, to see if the traffic continues.

Simon.
0
 
LVL 1

Author Closing Comment

by:fireguy1125
ID: 40051711
Thanks for your feedback and advice. Once we test i'll post feedback.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
Are you an Exchange administrator employed with an organization? And, have you encountered a corrupt Exchange database due to which you are not able to open its EDB file. This article will explain all the steps to repair corrupt Exchange database.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question