Outbound connections from Exchange server

Hello Experts,

In looking at my firewall logs recently, I have noticed a number of connections that I am puzzled about. We have an Exchange 2010 server behind our firewall. We also have an email gateway behind our firewall, so all incoming email is directed to the gateway device on port 25 and then forwarded to the Exchange server when appropriate. On the firewall, I have outbound port 25 enabled from our Exchange server to any, and inbound port 443 enabled to the Exchange server to allow access to OWA. We have a relatively large number of devices (smart phones, tablets, etc., as well as persons with laptops connecting Outlook to Exchange via HTTPS) that connect to the mailboxes on the server.

In looking at the firewall logs for all blocked outbound connections, I am seeing a relatively large number of connection attempts from our Exchange server to outside addresses. The source port is always 443, and the destination port varies. When I investigate the destination addresses, most of them are typically servers associated with wireless carriers (i.e. servers in the myvzw.com domain). I am thinking that these connections are somehow related to the connections made to the Exchange server from the devices on wireless networks, but I don't recall seeing these in the logs before and am trying to get a read on what they may be. Please let me know if you have any information on what might be causing these. I am not seeing any other odd behavior, and the public IP of our Exchange server is not blacklisted. Thanks in advance for thoughts on what might be causing this.

rdillion (Systems Administrator) asked:


Amit Kumar commented:
Best practices for publishing Exchange services to the internet:

1. NAT the local CAS server IP to a public IP and open port 443 from outside. If the firewall is UTM-enabled, you can apply IPS and antivirus features, but these are subject to testing, as sometimes these features block traffic. On the other hand, when a client/device connects to the CAS server, wireless carrier IPs or the ISP's public IPs will make connections to your CAS server, which is normal, so no need to worry about that, as they are connecting on port 443 only.

2. Your e-mails will be delivered to your e-mail gateway; it can be a third-party SMTP appliance or an Exchange Edge server. Both should be NATed to a public IP with inbound port 25 opened on the firewall so they can receive mail from outside. Don't get confused by MX records, as these gateways can also be the MX records for your domain, but yes, inbound port 25 should be opened on the firewall to these gateways.

3. For outgoing mail, configure a send connector in Exchange with a smart host if you are using a third-party e-mail gateway (the Exchange HT server and the e-mail gateway must communicate with each other on port 25). The e-mail gateway should have internet access so it can send mail to public domains. You can place the e-mail gateway in a DMZ network.

These are best practices; hope your environment is configured like this, or you may need to check if anything is missing. Let me know in case of any query.
Simon Butler (Sembee), Consultant, commented:
Are you sure that those are outbound connections and not inbound?
ActiveSync and Outlook Anywhere both use port 443. There is no communication out to the client; it is all initiated by the client in to the Exchange server. Firewalls can get confused by the way that Exchange does things: ActiveSync, for example, is basically a prolonged HTTPS session through which the traffic flows. Therefore you can see some odd things within logs.
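The directionality check Simon is suggesting can be made mechanical. The script below is an added example, not part of the original thread or any vendor tool: it parses firewall deny entries and labels each packet sourced from the Exchange host by TCP direction. A packet whose source port is one the server listens on (443 or 25) and whose destination port is ephemeral, carrying ACK/FIN/PSH rather than a bare SYN, is the server's reply half of a session the remote client opened; the firewall denying it usually means the state entry for a long-lived HTTPS session has already gone. A genuine outbound connection looks the opposite way: ephemeral source port, bare SYN, well-known destination port. The log format, the internal address 10.0.0.25 and every log line are constructed for the example; real vendor log formats differ and the regex would need adjusting.

```python
import re
from collections import Counter

# Ports the Exchange host is published on (443 for OWA/ActiveSync/Outlook
# Anywhere, 25 for SMTP). Assumption for this example, taken from the question.
LISTENING_PORTS = {25, 443}
EPHEMERAL_MIN = 1024

# Generic "deny" line layout invented for this example (not a real vendor format):
#   <date> <time> deny tcp <src>:<sport> -> <dst>:<dport> flags=<TCP flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>[A-Z]*)$"
)

# Constructed sample entries: 10.0.0.25 is the (assumed) Exchange server.
SAMPLE_LOG = """\
2013-05-01 09:12:01 deny tcp 10.0.0.25:443 -> 70.194.1.10:52031 flags=A
2013-05-01 09:12:03 deny tcp 10.0.0.25:443 -> 70.194.1.10:52031 flags=FA
2013-05-01 09:15:40 deny tcp 10.0.0.25:51877 -> 203.0.113.9:443 flags=S
2013-05-01 09:16:02 deny tcp 10.0.0.25:443 -> 174.224.3.7:49155 flags=PA
2013-05-01 09:20:11 deny tcp 10.0.0.25:25 -> 198.51.100.4:60001 flags=A
2013-05-01 09:21:30 deny tcp 10.0.0.25:44123 -> 198.51.100.4:25 flags=S
2013-05-01 09:30:00 deny tcp 10.0.0.25:443 -> 192.0.2.77:8080 flags=S
"""


def parse_line(line):
    """Return a dict for one log entry, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Label a denied packet by which side of the TCP conversation it belongs to."""
    syn_only = "S" in rec["flags"] and "A" not in rec["flags"]
    # Server's listening port -> client's ephemeral port, not a bare SYN:
    # the return half of a session the remote client initiated.
    if rec["sport"] in LISTENING_PORTS and rec["dport"] >= EPHEMERAL_MIN and not syn_only:
        return "reply-to-inbound-session"
    # Ephemeral source port with a bare SYN: the server really is dialling out.
    if rec["sport"] >= EPHEMERAL_MIN and syn_only:
        return "new-outbound-connection"
    # Anything else (e.g. a SYN sent *from* port 443) is unusual and worth a look.
    return "other"


def summarize(log_text, server_ip):
    """Count labels and collect the remote peers seen for each label."""
    counts = Counter()
    peers = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] != server_ip:
            continue
        label = classify(rec)
        counts[label] += 1
        peers.setdefault(label, set()).add(rec["dst"])
    return counts, peers


if __name__ == "__main__":
    counts, peers = summarize(SAMPLE_LOG, "10.0.0.25")
    for label, n in counts.most_common():
        print(f"{label:28s} {n:3d}  peers: {', '.join(sorted(peers[label]))}")
```

On the sample input the four entries with source port 443 or 25 and an ephemeral destination port come out as replies to inbound sessions (the pattern described in the question), the two bare SYNs from ephemeral ports are real outbound attempts, and the SYN sent from port 443 lands in "other". Only the second and third groups deserve a dedicated outbound-443 logging rule of the kind rdillion set up; the first group is the firewall's own session-tracking, not the Exchange server reaching out.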


rdillion (Systems Administrator), author, commented:
Hello guys and thanks very much for your thoughts on this.

Amit, yes, my environment is configured as outlined in the best practices you noted.

Simon, I believe you may be on to something. I set up a rule on our firewall specifically to log traffic from our Exchange server outbound on port 443, and nothing of any consequence was logged after having that in place for a number of days. I do continue to see the log entries noted in my original post, but given the logging noted above, they do not appear to be originating from our Exchange server. I am continuing my investigation at this end, but will go ahead and close the question.

Thanks again guys,
