RE: Odd traffic generated from Exchange Server

From: Ryan Hill (rhillat_private)
Date: Wed Oct 24 2001 - 10:57:19 PDT


    Anthony,
    
    This traffic is probably Exchange Server to Client RPC.  This traffic is
    normal for clients using Outlook in 'Corporate or Groupware' mode and
    'Microsoft Exchange Server' as their mail provider transport.
    
    Assuming you are supporting this type of connectivity, you need to
    reconfigure Exchange to use a static source port and then configure your PIX
    to allow that source port out of your firewall.  However, I would strongly
    advise against supporting this configuration - it exposes an RPC door to the
    world and would make a tempting target for attack.
    
    "A packet filter (or firewall) denies connection attempts made to any port
    for which you have not explicitly allowed connections. Microsoft Exchange
    Server does use a well-known static port (port 135) to listen for client
    connects to the RPC Endpoint Mapper Service. However, after the client
    connects to this socket, Microsoft Exchange Server then re-assigns the
    client two random ports to use when communicating with the directory and the
    information store. This makes it impossible to allow these through the
    firewall without forcing them to be statically assigned."
    
    See http://support.microsoft.com/support/kb/articles/Q155/8/31.ASP for more
    details...
    
    Regards,
    
    Ryan Hill, MCSE
    IT Ninja
    Corporate Information Systems
    Telecommunication Systems, Inc. (TCS) - http://www.telecomsys.com
    v: 206.792.2276 - f: 206.792.2001
    pgp: 0x17CE70AB
    
    
    > -----Original Message-----
    > From: Caruso, Anthony J. [mailto:acarusoat_private] 
    > Sent: Wednesday, October 24, 2001 9:53 AM
    > To: INCIDENTSat_private
    > Subject: Odd traffic generated from Exchange Server
    > 
    > 
    > Hi All:
    > 
    > Outbound ACLs on my router have started picking up traffic 
    > originating from one of my Exchange boxes:
    > 
    > Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2643) -> 192.50.50.51(1046)
    > 
    > The source port is usually different and the destination port 
    > oscillates between 1046 and 1171.  The traffic occurs about 
    > every 15 min in quick bursts (incremental source ports); I am 
    > running a sniff now.
    > 
    > Any ideas?
    > 
    > Exchange 5.5 SP3, NT 4.0 SP6a, no additional patches.  Internal 
    > RFC 1918 addressed Exchange server.
    > 
    > I am putting out an altogether different fire right now, but 
    > I will post traces as I get more info.
    > 
    > Thanks.
    > -Tony
    > 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
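Detection logic for the pattern Tony reports, added here as an example and not part of either message: it parses Cisco-style ACL deny lines in the format he posted (the sample lines are constructed; only the first is from the thread, with the wrapped line rejoined), splits each source/destination pair's denies into bursts, keeps those that fit the post-endpoint-mapper RPC profile Ryan describes (dynamic destination ports, one new ephemeral source port per packet), and reports the minutes since the previous burst from the same pair so a fixed 15-minute cadence stands out. The burst gap, port threshold and assumed year are hypothetical parameters, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Tony's format: first line from the thread, the rest invented to show the periodic bursts.
SAMPLE_LOG = """\
Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2643) -> 192.50.50.51(1046)
Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2644) -> 192.50.50.51(1171)
Oct 23 10:27:20 router1 list 101 denied udp 10.1.1.1(2701) -> 192.50.50.51(1171)
Oct 23 10:27:21 router1 list 101 denied udp 10.1.1.1(2702) -> 192.50.50.51(1046)
Oct 23 10:30:05 router1 list 101 denied tcp 10.1.1.7(3320) -> 198.51.100.9(80)
"""
LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>[\d:]{8}) \S+ list \d+ denied "
                     r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)$")

def parse_line(line, year=2001):
    """Parse one ACL deny line; syslog carries no year, so one is assumed (2001 here) for ordering only."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(f"{year} {d['mon']} {d['day']} {d['time']}", "%Y %b %d %H:%M:%S")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def find_rpc_like_bursts(log_text, gap_s=5, min_events=2):
    """Split each (src, dst) pair's denies into bursts more than gap_s seconds apart; keep bursts whose
    destination ports are all dynamic (>1023) and whose source ports climb by one per packet (the RPC profile)."""
    flows = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        flows[(rec["src"], rec["dst"])].append(rec)
    findings = []
    for (src, dst), recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        bursts, prev_start = [[recs[0]]], None
        for prev, nxt in zip(recs, recs[1:]):
            if (nxt["ts"] - prev["ts"]).total_seconds() <= gap_s:
                bursts[-1].append(nxt)
            else:
                bursts.append([nxt])
        for b in bursts:
            sports = [r["sport"] for r in b]
            if (len(b) >= min_events and all(r["dport"] > 1023 for r in b)
                    and all(y == x + 1 for x, y in zip(sports, sports[1:]))):
                # Minutes since the previous matching burst from this pair; None for the first one seen.
                gap = None if prev_start is None else round((b[0]["ts"] - prev_start).total_seconds() / 60, 1)
                findings.append({"src": src, "dst": dst, "start": b[0]["ts"].strftime("%b %d %H:%M:%S"),
                                 "packets": len(b), "dports": sorted({r["dport"] for r in b}), "min_since_prev": gap})
                prev_start = b[0]["ts"]
    return findings
```

Run over the sample, the single web-bound TCP deny from 10.1.1.7 is ignored and the two Exchange bursts are reported, the second 15.0 minutes after the first.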
    This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 12:11:25 PDT