Solved

Outbound HTTP/HTTPS Traffic from Exchange Server

Posted on 2014-04-14
11
400 Views
Last Modified: 2014-05-08
Out network team is advising they are seeing a lot of http/https traffic sourced from our Exchange server.  Shouldn't there only be SMTP traffic coming from the Exchange server?  What would cause http/https traffic being sourced from our Exchange server (Mailbox,Hub,Cas role) Is this normal?
0
Comment
Question by:fireguy1125
  • 5
  • 5
11 Comments
 
LVL 5

Expert Comment

by:Metaltree
ID: 39999429
Most likely stateful traffic from Client Access Services. (OWA/phones/Outlook Anywhere/etc)
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39999685
Outlook Anywhere and ActiveSync are both HTTPS based protocols, as well as OWA.
It could also be downloads of third party updates (AV, Anti-spam etc). Exchange is built on web services, so even internally you will see a lot of web traffic - Offline Address Book, Availability, Autodiscover etc.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39999733
This is traffic sourcing from the exchange server IPs to public websites, some inappropriate/malicious.  Wondering how I can duplicate this so we know how this occurs.

For example, I see that if I copy the hyperlink that is within an OWA email, it changes it to a redirect link from Exchange. I thought this may be the cause, however after testing it was not appearing from the Exchange server IPs, but actually my local workstation IP.

For example, a link to www.experts-exchange.com would appear as:

https://mail.mycompany.com/owa/redir.aspx?C=y_z-XS2qgHyooPlDs7SIVeqaUlyiK9EI56YM__E0LJ7TUVF0uV7WUxJeXJtg6RS2LXGQIp7zPz8.&URL=http%3a%2f%2fwww.experts-exchange.com


Any other thoughts how I can duplicate this issue?
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39999765
If a user opens a message, then it doesn't go through Exchange, it just redirects, which is a safety measure within OWA. Has someone been browsing from the Exchange server? Look in the event viewer for any IP address conflict - I have seen users try and take a server's address so they can browse locations they shouldn't normally be able to access.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39999944
Thanks. No IP conflicts, also had networking confirm IP/MAC match to the Exchange server. Nobody is browsing the web on the server itself.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40000305
I don't mean actively browsing, but has done in the past - that is how malware usually gets on to a workstation. If it is browsing suspicious sites then it could be an add-clicker bot.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 40001447
I ran a full AV scan/and MalwareBytes scan on the server and yielded negative results. I shouldn't say all sites are suspicious, most are legitimate, company work-related, but some are considered suspicious.  We're just wondering how the traffic to these websites is showing as originating from the Exchange server.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40004459
If no one is browsing from the server then you shouldn't be seeing any traffic coming from it at all. Go through the web services configuration, see if someone has installed a proxy server or something on the machine.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 40018265
I just did, and this does not appear to be the case.  Would there be any impact to the exchange environment if disabling outbound http/https traffic from all the exchange hub/cas/mb servers?

screenshot
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40018521
If you disable that traffic then you will lose ActiveSync, OWA and Outlook Anywhere.
Can the network team see the traffic in real time? If so, I would arrange some downtime so that you can test a few things - such as shutting down Exchange, IIS and the entire server, to see if the traffic continues.

Simon.
0
 
LVL 1

Author Closing Comment

by:fireguy1125
ID: 40051711
Thanks for your feedback and advice. Once we test i'll post feedback.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question