Solved

Outbound HTTP/HTTPS Traffic from Exchange Server

Posted on 2014-04-14 | 11 comments | 392 Views | Last Modified: 2014-05-08
Our network team is advising that they are seeing a lot of HTTP/HTTPS traffic sourced from our Exchange server. Shouldn't there only be SMTP traffic coming from the Exchange server? What would cause HTTP/HTTPS traffic to be sourced from our Exchange server (Mailbox, Hub, CAS roles)? Is this normal?
Question by:fireguy1125
11 Comments
 
LVL 5

Expert Comment

by:Metaltree
ID: 39999429
Most likely stateful traffic from Client Access Services. (OWA/phones/Outlook Anywhere/etc)
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39999685
Outlook Anywhere and ActiveSync are both HTTPS based protocols, as well as OWA.
It could also be downloads of third party updates (AV, Anti-spam etc). Exchange is built on web services, so even internally you will see a lot of web traffic - Offline Address Book, Availability, Autodiscover etc.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39999733
This is traffic sourced from the Exchange server IPs to public websites, some of them inappropriate/malicious. Wondering how I can duplicate this so we know how this occurs.

For example, I see that if I copy the hyperlink that is within an OWA email, it changes it to a redirect link from Exchange. I thought this may be the cause, however after testing it was not appearing from the Exchange server IPs, but actually my local workstation IP.

For example, a link to www.experts-exchange.com would appear as:

https://mail.mycompany.com/owa/redir.aspx?C=y_z-XS2qgHyooPlDs7SIVeqaUlyiK9EI56YM__E0LJ7TUVF0uV7WUxJeXJtg6RS2LXGQIp7zPz8.&URL=http%3a%2f%2fwww.experts-exchange.com


Any other thoughts how I can duplicate this issue?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39999765
If a user opens a message, then it doesn't go through Exchange, it just redirects, which is a safety measure within OWA. Has someone been browsing from the Exchange server? Look in the event viewer for any IP address conflict - I have seen users try and take a server's address so they can browse locations they shouldn't normally be able to access.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39999944
Thanks. No IP conflicts, also had networking confirm IP/MAC match to the Exchange server. Nobody is browsing the web on the server itself.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40000305
I don't mean actively browsing, but has someone done so in the past - that is how malware usually gets on to a workstation. If it is browsing suspicious sites then it could be an ad-clicker bot.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 40001447
I ran a full AV scan and a MalwareBytes scan on the server, which yielded negative results. I shouldn't say all sites are suspicious; most are legitimate, company work-related, but some are considered suspicious. We're just wondering how the traffic to these websites is showing as originating from the Exchange server.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40004459
If no one is browsing from the server then you shouldn't be seeing any traffic coming from it at all. Go through the web services configuration, see if someone has installed a proxy server or something on the machine.

Simon.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 40018265
I just did, and this does not appear to be the case. Would there be any impact to the Exchange environment if we disabled outbound HTTP/HTTPS traffic from all the Exchange Hub/CAS/MB servers?

[screenshot attached]
0
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee) (earned 500 total points)
ID: 40018521
If you disable that traffic then you will lose ActiveSync, OWA and Outlook Anywhere.
Can the network team see the traffic in real time? If so, I would arrange some downtime so that you can test a few things - such as shutting down Exchange, IIS and the entire server, to see if the traffic continues.

Simon.
0
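Before taking the downtime Simon suggests, the outbound flows can be attributed to a process on the server itself, which answers the earlier question of how the traffic comes to be sourced from the Exchange IPs. The script below is an added example, not code from this thread; it assumes Windows Server 2012 or later (Get-NetTCPConnection from the NetTCPIP module) and an elevated PowerShell session on the Exchange server.

```powershell
# Added example (not from this thread): snapshot established outbound TCP connections to
# ports 80/443 over a short window and attribute each one to its owning process/service.
# Assumes Windows Server 2012+ (NetTCPIP module) and an elevated PowerShell session.

$samples     = 12    # number of snapshots
$intervalSec = 5     # seconds between snapshots (12 x 5 s = one minute of sampling)
$seen        = @{}   # key = "<pid>|<remote ip>:<port>", value = first-seen record

# RFC 1918 / loopback ranges: internal web-services chatter (OAB, Autodiscover,
# Availability, CAS-to-Mailbox proxying) is expected and is filtered out here.
$privateRegex = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$)'

for ($i = 0; $i -lt $samples; $i++) {
    Get-NetTCPConnection -RemotePort 80,443 -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch $privateRegex } |
        ForEach-Object {
            $key = "$($_.OwningProcess)|$($_.RemoteAddress):$($_.RemotePort)"
            if (-not $seen.ContainsKey($key)) {
                $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                # A service host (svchost, w3wp) may carry several services; list them all.
                $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)" `
                                        -ErrorAction SilentlyContinue
                $seen[$key] = [pscustomobject]@{
                    Pid       = $_.OwningProcess
                    Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
                    Service   = if ($svc)  { ($svc.Name -join ',') } else { '' }
                    Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                    FirstSeen = Get-Date
                }
            }
        }
    Start-Sleep -Seconds $intervalSec
}

# Summarise: which process/service talks to the Internet, and to how many destinations.
$seen.Values | Group-Object Process, Service |
    Select-Object @{n='Process/Service'; e={ $_.Name }},
                  Count,
                  @{n='Destinations';     e={ ($_.Group.Remote | Sort-Object -Unique) -join ' ' }} |
    Sort-Object Count -Descending | Format-Table -AutoSize -Wrap
```

Expected rows are w3wp.exe and the MSExchange* services reaching update or licensing hosts; a process that is not part of Exchange, IIS or the AV/anti-spam stack with a long list of public destinations is the one to investigate, and its PID can be checked against Simon's shutdown test to confirm it disappears. On Windows Server 2008 R2, where Get-NetTCPConnection is not available, `netstat -ano -b` gives the same PID-to-connection mapping.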
 
LVL 1

Author Closing Comment

by:fireguy1125
ID: 40051711
Thanks for your feedback and advice. Once we test, I'll post feedback.
0