Security Incidents mailing list archives

RE: Odd traffic generated from Exchange Server


From: Ryan Hill <rhill () xypoint com>
Date: Wed, 24 Oct 2001 10:57:19 -0700

Anthony,

This traffic is probably Exchange Server to Client RPC.  This traffic is
normal for clients using Outlook in 'Corporate or Groupware' mode and
'Microsoft Exchange Server' as their mail provider transport.

Assuming you are supporting this type of connectivity, you need to
reconfigure Exchange to use a static source port and then configure your PIX
to allow that source port out of your firewall.  However, I would strongly
advise against supporting this configuration - it exposes an RPC door to the
world and would make a tempting target for attack.

"A packet filter (or firewall) denies connection attempts made to any port
for which you have not explicitly allowed connections. Microsoft Exchange
Server does use a well-known static port (port 135) to listen for client
connects to the RPC Endpoint Mapper Service. However, after the client
connects to this socket, Microsoft Exchange Server then re-assigns the
client two random ports to use when communicating with the directory and the
information store. This makes it impossible to allow these through the
firewall without forcing them to be statically assigned. "

See http://support.microsoft.com/support/kb/articles/Q155/8/31.ASP for more
details...

Regards,

Ryan Hill, MCSE 
IT Ninja
Corporate Information Systems
Telecommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB


-----Original Message-----
From: Caruso, Anthony J. [mailto:acaruso () fna com] 
Sent: Wednesday, October 24, 2001 9:53 AM
To: INCIDENTS () securityfocus com
Subject: Odd traffic generated from Exchange Server


Hi All:

Outbound ACLs on my router have started picking up traffic originating from one of my Exchange boxes:

Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2643) ->
192.50.50.51(1046)

The source port is usually different and the destination port oscillates between 1046 and 1171. The traffic occurs about every 15 min in quick bursts (incremental source ports); I am running a sniff now.

Any ideas?

Exchange 5.5 SP3, NT 4.0 SP6a, no additional patches. Internal RFC 1918 addressed Exchange server.

I am putting out an altogether different fire right now, but 
I will post traces as I get more info.

Thanks.
-Tony

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
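The single ACL line in Tony's post is a format worth parsing over a longer capture before deciding what the traffic is. The following is an added example written for this archive page, not code from either poster: it reads router deny lines of that shape, groups them per source/destination pair into bursts, and reports the burst cadence, the destination ports seen and whether source ports climb, which is the profile Ryan attributes to Exchange client RPC. The sample lines, the router name and the year are constructed (the log format carries no year).

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines in the router's ACL-deny format, not Tony's real capture;
# the last line is an unrelated flow so the grouping has something to separate.
SAMPLE_LOG = """\
Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2643) -> 192.50.50.51(1046)
Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2644) -> 192.50.50.51(1171)
Oct 23 10:12:19 router1 list 101 denied udp 10.1.1.1(2645) -> 192.50.50.51(1046)
Oct 23 10:27:20 router1 list 101 denied udp 10.1.1.1(2701) -> 192.50.50.51(1171)
Oct 23 10:27:21 router1 list 101 denied udp 10.1.1.1(2702) -> 192.50.50.51(1046)
Oct 23 10:42:18 router1 list 101 denied udp 10.1.1.1(2760) -> 192.50.50.51(1046)
Oct 23 10:30:00 router1 list 101 denied tcp 10.1.1.7(1034) -> 192.50.50.9(80)
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ list \d+ denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)$"
)

def parse(log, year=2001):
    """(ts, proto, src, sport, dst, dport) per line; the year is assumed, the log lacks it."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return events

def bursts(events, gap_seconds=60):
    """Per (src, dst) pair: split hits into bursts more than gap_seconds apart, summarise them."""
    flows = defaultdict(list)
    for ev in sorted(events):           # chronological, so bursts are contiguous
        flows[(ev[2], ev[4])].append(ev)
    summary = {}
    for key, evs in flows.items():
        groups = [[evs[0]]]
        for ev in evs[1:]:
            if (ev[0] - groups[-1][-1][0]).total_seconds() > gap_seconds:
                groups.append([])
            groups[-1].append(ev)
        starts = [g[0][0] for g in groups]
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]
        summary[key] = {
            "bursts": len(groups),
            "interval_min": round(sum(gaps) / len(gaps), 1) if gaps else None,
            "dst_ports": sorted({ev[5] for ev in evs}),
            "sport_increasing": all(a[3] < b[3] for a, b in zip(evs, evs[1:])),
        }
    return summary
```

A flow that shows a steady interval, a small fixed set of destination ports above 1024 and rising source ports from a host running Exchange matches the client-RPC behaviour Ryan describes; a host that does not run Exchange showing the same profile is the case worth taking the sniff on.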



