Hi all, I've been monitoring my syslog output for a while and I've noticed periods of time when there are tons of messages coming through, approximately 20 per second, all saying the same thing:

Virtual Server: 217.36.xxx.xxx:443 -> 192.168.222.3:443 (TCP)

Now the 217.36.xxx.xxx is my external static IP address and the 192.168.222.3 is my internal MS Exchange server.

These bout of messages last for minutes at a time and the network generally seems to get slower during that time.

Is this normal?




[/img]

It looks like syslog messages for port forwarding - port 443 would be your exchange server's webmail interface.

Yes that is correct. But why so many do you think?

It seems to occur about 20 times a second for periods of about 1 to 3 minutes at a time. It does also seem to correspond with when an iPhone checks for mail. Is this normal?

The exchange server is hardly used that much if I am honest so I'm surprised by that amount of traffic.

If you look in the Diagnostics - NAT Session table on the router, you should see where that traffic is coming from, it could be that someone is attempting to log into it using brute force? With that many attempts, that's quite likely.

gcp wrote: It seems to occur about 20 times a second for periods of about 1 to 3 minutes at a time. It does also seem to correspond with when an iPhone checks for mail. Is this normal?

Yes that's quite normal. Exchange's ActiveSync technology works completely over HTTP/HTTPS and it is multiple requests to sync and transfer items back/forth so if you have the iPhone set to "Push" you'll be seeing this each time there is a new piece of mail or a calendar/contact item is altered etc.

If you look at the HTTP server log file on the Exchange server you should be able to see more information and you'll see all the different VERBs being sent from the mobile device (GET/POST/SUBSCRIBE/PROPFIND etc)