Recently I noticed our Exchange server sending out User Datagram Protocol (UDP) messages to external hosts. Our Exchange server is behind a firewall and shouldn't be doing this. I have used NTOP to look at the connections, checked processes etc. and found nothing suspicious. I did some packet capture and found that this seems to occur when a "new mail" notification is sent to a client logged in via our VPN. What you see is the packet for "new mail" sent to the VPN assigned address, followed by one (or more) of the same packet sent to their dial-up assigned IP address. Is there any way I can get this to stop? I know I can block it at the firewall but why is Exchange sending these packets out in the first place? Any help on this would be greatly appreciated.
As you've seen from your capture, new mail notification messages are sent as UDP packets from the Exchange server to the client. During the logon process, the Exchange client tells the Exchange server where to send new mail notification messages. The client will specify its IP address and a UDP port in the 1024-65535 range. Then, when the Exchange server receives a new email message for the client, it sends a UDP packet to the IP address and port registered by that client.
What seems to be happening here is that the client is registering both addresses with the Exchange server: the VPN-assigned address and the ISP-assigned address. I set this up in a lab, took a network capture and confirmed this behavior, as well.
When I contacted Microsoft about this, I found that I was not the first person to bring this to their attention as they have a few support cases on this issue. Unfortunately, they do not have a resolution at this time.
My best advice is to contact Microsoft PSS and work with them to resolve this issue. This may even result in a code fix for you, although I, of course, cannot guarantee that.
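To confirm from flow or capture data that the outbound UDP traffic matches the pattern described above, the following sketch pairs each notification sent to a VPN address with the same-size datagram sent shortly afterwards to a non-internal address. It is an added example, not part of the original answer; the address plan, the record format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Assumed (hypothetical) address plan; replace with your own.
EXCHANGE = ipaddress.ip_address("10.0.0.25")
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

Flow = namedtuple("Flow", "ts src dst proto dport length")

# Constructed sample records: time, source, destination, protocol, dst port, size.
SAMPLE = """\
# ts src dst proto dport len
100.00 10.0.0.25 10.8.0.14 udp 1357 68
100.05 10.0.0.25 203.0.113.77 udp 1357 68
100.40 10.0.0.25 203.0.113.77 udp 1357 68
101.00 10.0.0.25 10.0.1.50 udp 2210 68
102.00 10.0.0.25 198.51.100.53 udp 53 40
103.00 10.0.0.30 203.0.113.9 udp 4000 68
""".splitlines()

def parse(line):
    ts, src, dst, proto, dport, length = line.split()
    return Flow(float(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport), int(length))

def find_leaked_notifications(lines, window=2.0):
    """Return (vpn_flow, external_flow) pairs: a UDP datagram from the Exchange
    server to a VPN client, followed within `window` seconds by a datagram of
    the same size to an address outside the internal ranges."""
    flows = [parse(l) for l in (x.strip() for x in lines) if l and not l.startswith("#")]
    # Notifications go to a client-registered UDP port in the 1024-65535 range.
    cand = [f for f in flows
            if f.src == EXCHANGE and f.proto == "udp" and 1024 <= f.dport <= 65535]
    vpn = [f for f in cand if f.dst in VPN_POOL]
    ext = [f for f in cand if not any(f.dst in net for net in INTERNAL)]
    pairs = []
    for e in ext:
        # Pair with the first VPN-bound datagram that precedes it and matches in size.
        match = next((v for v in vpn
                      if 0 <= e.ts - v.ts <= window and v.length == e.length), None)
        if match:
            pairs.append((match, e))
    return pairs

if __name__ == "__main__":
    for v, e in find_leaked_notifications(SAMPLE):
        print(f"{e.ts:.2f} notification for VPN client {v.dst} also sent to {e.dst}:{e.dport}")
```

Each external address it reports is a candidate for the ISP-assigned address of a VPN user and for a firewall rule blocking that egress.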
This was first published in February 2001