Solved

High internet usage caused by Outlook going externally to internal Exchange server

Posted on 2015-01-06
Last Modified: 2015-01-11
We have an Exchange 2007 server and Outlook 2013 clients running on our Server 2008 / Windows 7 network.

All internet access is routed externally through a remote proxy server (for filtering, control, reporting etc).

When looking at the usage reports for traffic going through this external proxy server, I am often seeing high usage for various users, and the urls reported as being visited are 'mail.<our domain>.com' and 'autodiscover.<our domain>.com'

It's not always for the same users, and it's not happening all the time.

We do have the 'Microsoft Exchange Proxy Settings' in Outlook set on all PCs to use 'mail.<our domain>.com' but my understanding was that this would only be used if a local connection was not available - we set it up through GP so that any laptops will connect when off-site.

Any idea why Outlook is sending traffic externally (but only some of the time) to connect to the internal Exchange server?
Question by:Michael986
10 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40534596
"my understanding was that this would only be used if a local connection was not available - we set it up through GP so that any laptops will connect when off-site."

Configure Split DNS

You are correct, but if you have not added the autodiscover.domain.com and mail.domain.com to an internal DNS Zone for your servers they will always go out and back around for services. Split DNS needs to be configured and the appropriate host records need to be in place pointing to the internal server IP addresses.

Will.
0
 

Author Comment

by:Michael986
ID: 40534609
We have both mail. and autodiscover. pointing to the internal IP of the Exchange server on our internal DNS server, which all PCs are using.

And the problem isn't a permanent issue - I've just noticed it happening a few times for different users over the last few weeks - most of the time there's no record of Outlook traffic going externally.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40534620
Is it possible they are connected to a shared guest wifi connection or VPN connect or something like that? When this happens what I would do is right click on the Outlook client and select Autodiscover test and also check the connection status as well. See what info you can grab from there.

If that does not help, what you might want to do is install something like Wireshark on the local machine and do a trace to see where the packets are going. Maybe they are being routed to a different destination or maybe their DNS settings have been changed (8.8.8.8), or something of that nature.

Aside from that you will need to be in front of the issue in order to troubleshoot it.

Will.
0
 

Author Comment

by:Michael986
ID: 40534641
The PCs don't have wireless access (Ethernet only) and they don't have any VPNs set up - the only connection they have is to the LAN.

I'd like to be able to troubleshoot the problem as it's happening, but the only indication I'm getting is from the Proxy Server reports which are sent at the end of every day. And as it occurs only periodically, and on different PCs, it's not going to be easy to pre-empt it to perform a trace.

I'll have a look at the proxy server settings to see if that can alert me if there's access to a specific site (ie mail.<our domain>.com) - but would also be interested to hear any other theories about what may be happening.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40534676
What I would also recommend is seeing if you can get a source IP from a client that is actually having this experience. Maybe it is related to a bad or misconfigured switch in your environment. This one will be difficult until you have more information at hand.

As stated before, not having a Split DNS would be the first reason why this would happen. As you have said you have this properly configured, the only other thing I can think of with the info provided is maybe a wrong DNS entry, routing issue, or some sort of DNS caching from another public network.

It also might be a long shot, but also check the local host file as well.

These are some of the things you can check once you have the machine in front of you.

Will.
0

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40535408
If you are using a proxy server, then do you have the correct exclusions in the proxy configuration on the clients to stop them from routing internal traffic out? I see incorrect proxy configuration a lot, which causes problems because of the high use of web services by Outlook/Exchange.

Simon.
0
 

Author Comment

by:Michael986
ID: 40536770
Simon,

There is no specific routing for mail.<domain>.com or autodiscover.<domain>.com in the proxy config - but there are DNS entries which point these to the internal IP of the Exchange server. Shouldn't that suffice?

I could add a route to the Proxy server to redirect these two subdomains to the internal IP address, but I'm unsure as to why I need to do that - ie why is Outlook trying to connect externally when DNS tells it that the subdomain is internal? (in fact, why is it trying to connect to these subdomains at all?)
0
 

Author Comment

by:Michael986
ID: 40537117
Additional info :-

I've set up an alert on the proxy to flag when any user 'visits' either of the two subdomains.

What I've found is that the majority of users are triggering this alert, but it seems to tie in with users that have configured Outlook with more than one mailbox (which most do). As we're using Outlook 2013, some have extra mailboxes added as a separate account, others have them added as 'additional mailboxes' on the default account - both methods cause the alert to be triggered.

I can't see any evidence of an alert being caused by a PC with just the default mailbox in Outlook.

EDIT : Have now noted that I DO get alerts from PCs with just the default mailbox - they just seem to be less frequent than for PCs with multiple mailboxes.

Several PCs were causing a high number of alerts - on checking, I found that they still had additional accounts / mailboxes for users that had been deleted from AD. Once these entries were removed from Outlook, the number of alerts went back to a more 'normal' level.

However, the question still stands as to why these additional mailboxes / extra accounts are causing Outlook to check externally for mail.<domain>.com and autodiscover.<domain>.com
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40537396
Local DNS entries don't matter when it comes to the proxy.
You need to put an exception in the proxy configuration on the clients so that they don't even attempt to send the traffic through the proxy. You shouldn't be changing the configuration of the proxy server, this is a client side change that should be made.

Clients will query for Autodiscover frequently. If they cannot get the information from the domain (because the proxy is getting in the way) then they will attempt to go through the other methods available to Autodiscover. You need to get the proxy configuration corrected.

Simon.
0
 

Author Closing Comment

by:Michael986
ID: 40543521
The solution was to tell the proxy server to allow mail.<domain>.com and autodiscover.<domain>.com to go 'direct' - once this PAC file was downloaded to the clients, requests to these subdomains were routed using the local DNS settings - and therefore to the local Exchange server.
0
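
The fix described in this thread, as an added example that is not code posted by anyone in the thread: a PAC file that returns DIRECT for the two Exchange hostnames, plus a small check over proxy log lines to spot clients that have not yet picked up the new PAC. Assumptions: `example.com` stands in for `<domain>`, `proxy.example.net:8080` for the remote proxy, and the "client-ip url" log format and sample lines are constructed.

```javascript
// PAC file (added example). Assumed placeholders: example.com stands in for
// <domain>, proxy.example.net:8080 for the remote filtering proxy.
// ES3-style syntax (var, for loops) so legacy Windows PAC engines parse it.
var DIRECT_HOSTS = ["mail.example.com", "autodiscover.example.com"];
var UPSTREAM = "PROXY proxy.example.net:8080";

function FindProxyForURL(url, host) {
  // Normalise: PAC engines may pass mixed case or a trailing-dot FQDN.
  var h = host.toLowerCase().replace(/\.$/, "");
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    // Exact match only, so mail.example.com.other.test is still proxied.
    if (h === DIRECT_HOSTS[i]) return "DIRECT";
  }
  return UPSTREAM;
}

// Rollout check (not part of the PAC file): given proxy log lines in a
// constructed "client-ip url" format, count requests per client that reached
// the proxy although the PAC says DIRECT, i.e. clients without the new PAC.
function clientsBypassingPac(logLines) {
  var hits = {};
  for (var i = 0; i < logLines.length; i++) {
    var parts = logLines[i].split(/\s+/);
    if (parts.length < 2) continue;              // skip malformed lines
    var m = /^[a-z]+:\/\/([^\/:]+)/i.exec(parts[1]);
    if (m && FindProxyForURL(parts[1], m[1]) === "DIRECT") {
      hits[parts[0]] = (hits[parts[0]] || 0) + 1;
    }
  }
  return hits;
}

// Constructed sample log lines.
var SAMPLE_LOG = [
  "10.0.0.21 https://autodiscover.example.com/autodiscover/autodiscover.xml",
  "10.0.0.21 https://mail.example.com/EWS/Exchange.asmx",
  "10.0.0.34 https://www.example.org/",
  "10.0.0.40 https://Mail.Example.com./rpc/rpcproxy.dll"
];
```

Only the part up to and including `FindProxyForURL` belongs in the deployed PAC file; the log check is run separately against the proxy's daily report.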
