Outbound HTTP/HTTPS Traffic from Exchange Server

Posted on 2014-04-14
Last Modified: 2014-05-08
Our network team is advising they are seeing a lot of http/https traffic sourced from our Exchange server. Shouldn't there only be SMTP traffic coming from the Exchange server? What would cause http/https traffic to be sourced from our Exchange server (Mailbox, Hub, CAS roles)? Is this normal?
Question by:fireguy1125
11 Comments
 
LVL 5

Expert Comment

by:Metaltree
ID: 39999429
Most likely stateful traffic from Client Access Services. (OWA/phones/Outlook Anywhere/etc)
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39999685
Outlook Anywhere and ActiveSync are both HTTPS based protocols, as well as OWA.
It could also be downloads of third party updates (AV, Anti-spam etc). Exchange is built on web services, so even internally you will see a lot of web traffic - Offline Address Book, Availability, Autodiscover etc.

Simon.
 
LVL 1

Author Comment

by:fireguy1125
ID: 39999733
This is traffic sourcing from the Exchange server IPs to public websites, some inappropriate/malicious. Wondering how I can duplicate this so we know how this occurs.

For example, I see that if I copy the hyperlink that is within an OWA email, it changes it to a redirect link from Exchange. I thought this may be the cause, however after testing it was not appearing from the Exchange server IPs, but actually my local workstation IP.

For example, a link to www.experts-exchange.com would appear as:

https://mail.mycompany.com/owa/redir.aspx?C=y_z-XS2qgHyooPlDs7SIVeqaUlyiK9EI56YM__E0LJ7TUVF0uV7WUxJeXJtg6RS2LXGQIp7zPz8.&URL=http%3a%2f%2fwww.experts-exchange.com


Any other thoughts how I can duplicate this issue?
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39999765
If a user opens a message, then it doesn't go through Exchange, it just redirects, which is a safety measure within OWA. Has someone been browsing from the Exchange server? Look in the event viewer for any IP address conflict - I have seen users try and take a server's address so they can browse locations they shouldn't normally be able to access.

Simon.
 
LVL 1

Author Comment

by:fireguy1125
ID: 39999944
Thanks. No IP conflicts, also had networking confirm IP/MAC match to the Exchange server. Nobody is browsing the web on the server itself.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40000305
I don't mean actively browsing, but has done in the past - that is how malware usually gets on to a workstation. If it is browsing suspicious sites then it could be an ad-clicker bot.

Simon.
 
LVL 1

Author Comment

by:fireguy1125
ID: 40001447
I ran a full AV scan and a MalwareBytes scan on the server, which yielded negative results. I shouldn't say all sites are suspicious; most are legitimate, company work-related, but some are considered suspicious. We're just wondering how the traffic to these websites is showing as originating from the Exchange server.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40004459
If no one is browsing from the server then you shouldn't be seeing any traffic coming from it at all. Go through the web services configuration, see if someone has installed a proxy server or something on the machine.

Simon.
 
LVL 1

Author Comment

by:fireguy1125
ID: 40018265
I just did, and this does not appear to be the case. Would there be any impact to the Exchange environment if disabling outbound http/https traffic from all the Exchange Hub/CAS/MB servers?

[screenshot]
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee) earned 2000 total points
ID: 40018521
If you disable that traffic then you will lose ActiveSync, OWA and Outlook Anywhere.
Can the network team see the traffic in real time? If so, I would arrange some downtime so that you can test a few things - such as shutting down Exchange, IIS and the entire server, to see if the traffic continues.

Simon.
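Before taking the downtime Simon suggests, the traffic can usually be attributed on the server itself. The script below is an added example, not from the thread or from Microsoft: it maps each outbound port 80/443 connection to its owning process and runs Simon's IP-conflict check against the System log. It assumes PowerShell 3.0 or later, an elevated prompt on the Exchange server, and IPv4 private ranges only.

```powershell
# Added example, not code from the thread: attribute outbound HTTP/HTTPS
# connections on an Exchange server to the owning process, so the network
# team's observation can be matched to a service or to something that
# should not be there. Assumes PowerShell 3.0+ and an elevated prompt.

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918 ranges and loopback (IPv4); anything else counts as public
    return ($Ip -match '^10\.' -or $Ip -match '^192\.168\.' -or
            $Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.' -or $Ip -match '^127\.')
}

function Get-OutboundWebConnection {
    # netstat -ano columns: Proto  Local Address  Foreign Address  State  PID
    $lines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }
    foreach ($line in $lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }
        $idx    = $f[2].LastIndexOf(':')
        $rip    = $f[2].Substring(0, $idx)
        $rport  = [int]$f[2].Substring($idx + 1)
        $state  = $f[3]
        $procId = [int]$f[4]
        # Outbound web session: remote port 80/443 to a non-private peer,
        # ESTABLISHED or SYN_SENT (listeners have port 0 and are skipped)
        if (($rport -eq 80 -or $rport -eq 443) -and
            -not (Test-PrivateAddress $rip) -and
            $state -in @('ESTABLISHED', 'SYN_SENT')) {
            $p = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
            [pscustomobject]@{
                RemoteIP    = $rip
                RemotePort  = $rport
                State       = $state
                PID         = $procId
                Process     = $p.Name
                Path        = $p.ExecutablePath
                CommandLine = $p.CommandLine
            }
        }
    }
}

# Expected owners on a healthy server are IIS worker processes (w3wp.exe),
# Exchange services and the AV/anti-spam updater; anything else needs a look.
Get-OutboundWebConnection | Sort-Object Process | Format-Table -AutoSize

# Simon's IP-conflict check: TCP/IP logs event ID 4199 (source Tcpip) in the
# System log when another host claims this server's address.
Get-EventLog -LogName System -Source Tcpip -After (Get-Date).AddDays(-30) |
    Where-Object { $_.EventID -eq 4199 } | Select-Object TimeGenerated, Message
```

Run it a few times while the network team watches, since short-lived connections come and go; a non-Exchange process or an unexpected path in the output is the thing to investigate.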
 
LVL 1

Author Closing Comment

by:fireguy1125
ID: 40051711
Thanks for your feedback and advice. Once we test I'll post feedback.