Anthony,

This traffic is probably Exchange Server to Client RPC. This traffic is normal for clients using Outlook in 'Corporate or Groupware' mode and 'Microsoft Exchange Server' as their mail provider transport.

Assuming you are supporting this type of connectivity, you need to reconfigure Exchange to use a static source port and then configure your PIX to allow that source port out of your firewall. However, I would strongly advise against supporting this configuration - it exposes an RPC door to the world and would make a tempting target for attack.

"A packet filter (or firewall) denies connection attempts made to any port for which you have not explicitly allowed connections. Microsoft Exchange Server does use a well-known static port (port 135) to listen for client connects to the RPC Endpoint Mapper Service. However, after the client connects to this socket, Microsoft Exchange Server then re-assigns the client two random ports to use when communicating with the directory and the information store. This makes it impossible to allow these through the firewall without forcing them to be statically assigned."

See http://support.microsoft.com/support/kb/articles/Q155/8/31.ASP for more details...

Regards,

Ryan Hill, MCSE
IT Ninja
Corporate Information Systems
Telecommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB

> -----Original Message-----
> From: Caruso, Anthony J. [mailto:acarusoat_private]
> Sent: Wednesday, October 24, 2001 9:53 AM
> To: INCIDENTSat_private
> Subject: Odd traffic generated from Exchange Server
>
>
> Hi All:
>
> Outbound ACLs on my router have started picking up traffic
> originating from one of my Exchange boxes:
>
> Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2643) -> 192.50.50.51(1046)
>
> The source port is usually different and the destination port
> oscillates between 1046 and 1171. The traffic occurs about
> every 15 min in quick bursts (incremental source ports), I am
> running a sniff now.
>
> Any ideas?
>
> Exchange 5.5 Sp3, NT 4.0SP6a no additional patches. Internal
> RFC 1918 addressed Exchange server.
>
> I am putting out an altogether different fire right now, but
> I will post traces as I get more info.
>
> Thanks.
> -Tony
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer
> service. For more information on this free incident handling,
> management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 12:11:25 PDT
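
For triaging denies like the one quoted in the original message, the following is an added example (not part of either post) that groups router deny lines into bursts per protocol/source/destination and reports the destination ports seen and whether the source ports increment. Only the first sample line is from the post; the other lines, the 60-second burst gap, and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: only the first line is from the post, the rest are made up.
SAMPLE = """\
Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2643) -> 192.50.50.51(1046)
Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2644) -> 192.50.50.51(1171)
Oct 23 10:12:19 router1 list 101 denied udp 10.1.1.1(2645) -> 192.50.50.51(1046)
Oct 23 10:27:20 router1 list 101 denied udp 10.1.1.1(2650) -> 192.50.50.51(1171)
Oct 23 10:27:21 router1 list 101 denied udp 10.1.1.1(2651) -> 192.50.50.51(1046)
Oct 23 10:30:02 router1 list 101 denied tcp 10.1.1.7(3301) -> 192.0.2.9(25)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ list (?P<acl>\d+) denied "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)$")

def parse(text, year=2001):
    """Yield (time, flow key, source port, destination port) per deny line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            key = (m["proto"], m["src"], m["dst"])
            yield ts, key, int(m["sport"]), int(m["dport"])

def bursts(text, gap=timedelta(seconds=60)):
    """Group denies per (proto, src, dst) into bursts separated by more than gap."""
    out = {}
    for ts, key, sport, dport in sorted(parse(text)):
        runs = out.setdefault(key, [])
        if not runs or ts - runs[-1]["end"] > gap:
            runs.append({"start": ts, "end": ts, "sports": [], "dports": set()})
        run = runs[-1]
        run["end"] = ts
        run["sports"].append(sport)
        run["dports"].add(dport)
    for runs in out.values():
        for run in runs:
            s = run["sports"]
            # True when each source port is exactly one above the previous one
            run["incremental"] = len(s) > 1 and all(b - a == 1 for a, b in zip(s, s[1:]))
    return out

if __name__ == "__main__":
    for key, runs in bursts(SAMPLE).items():
        for r in runs:
            print(key, r["start"].time(), sorted(r["dports"]), r["incremental"])
```
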