Ask the Expert

Exchange server sending UDP messages to external hosts, but it's behind a firewall and shouldn't do

Recently I noticed our Exchange server sending out User Datagram Protocol (UDP) messages to external hosts. Our Exchange server is behind a firewall and shouldn't be doing this. I have used NTOP to look at the connections, checked processes etc. and found nothing suspicious. I did some packet capture and found that this seems to occur when a "new mail" notification is sent to a client logged in via our VPN. What you see is the packet for "new mail" sent to the VPN assigned address, followed by one (or more) of the same packet sent to their dial-up assigned IP address.

Is there any way I can get this to stop? I know I can block it at the firewall but why is Exchange sending these packets out in the first place? Any help on this would be greatly appreciated.

    Requires Free Membership to View

As you've seen from your capture, new mail notification messages are sent as UDP packets from the Exchange server to the client. During the logon process, the Exchange client tells the Exchange server where to send new mail notification messages. The client will specify its IP address and a UDP port in the 1024-65535 range. Then, when the Exchange server receives a new email message for the client, it sends a UDP packet to the IP address and port registered by that client.

What seems to be happening here is that the client is registering both addresses with the Exchange server: the VPN-assigned address and the ISP-assigned address. I set this up in a lab, took a network capture and confirmed this behavior, as well.

When I contacted Microsoft about this, I found that I was not the first person to bring this to their attention as they have a few support cases on this issue. Unfortunately, they do not have a resolution at this time.

My best advice is to contact Microsoft PSS and work with them to resolve this issue. This may even result in a code fix for you, although I, of course, cannot guarantee that.

This was first published in February 2001

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: