For a small business setup, I have a Windows 2008 server acting as AD domain controller and Exchange 2007 server. I've recently begun to look further into all network activity and noticed something unusual to me involving this server. There is a persistent connection between it and a Verizon wireless IP address (22.214.171.124, 126.96.36.199, 188.8.131.52 to name a few) always geolocated in Las Vegas. This connection uses port 443 on my server. The service name being used is "SYSTEM". This connection is using the same public IP address as our MX record. I do use Exchange ActiveSync for a few users. Any suggestions as to how to further identify EXACTLY what this IP address is doing with my server? Thanks.
asked 03 Apr '13, 09:28
Well, if you want to know EXACTLY what these IPs are doing on your server, you can use the private key of the server to decrypt the traffic in Wireshark and see which HTTPS requests they are sending. My guess would indeed be that it is Exchange ActiveSync traffic.
answered 03 Apr '13, 10:26
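
An added example, not part of the original question or answer: a complementary check to decrypting a capture is to summarize the IIS W3C log on the Exchange server for the remote address, since it records the request path and query string of each HTTPS request after decryption. The log lines, addresses, user names and device IDs below are constructed, and the script assumes the listed fields are enabled in IIS logging.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended log format (not from the original post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2013-04-03 09:01:12 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ApplTEST0001&DeviceType=iPhone&Cmd=Ping 443 jdoe 203.0.113.10 Apple-iPhone4C1/1002.329 200 1680531
2013-04-03 09:29:40 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ApplTEST0001&DeviceType=iPhone&Cmd=Sync 443 jdoe 203.0.113.10 Apple-iPhone4C1/1002.329 200 312
2013-04-03 09:30:02 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 302 15
2013-04-03 09:31:00 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=androidTEST02&DeviceType=Android&Cmd=Ping 443 asmith 203.0.113.10 Android/4.1 200 900112
"""


def summarize(log_text, client_ip):
    """Count (uri, user, device id, device type, command) tuples for one c-ip."""
    fields, seen = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may re-emit this header mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, values))
        if row.get("c-ip") != client_ip:
            continue
        # ActiveSync puts user, device and command in the query string.
        query = parse_qs(row.get("cs-uri-query", ""))
        key = tuple(query.get(k, ["-"])[0]
                    for k in ("User", "DeviceId", "DeviceType", "Cmd"))
        seen[(row.get("cs-uri-stem", "-"),) + key] += 1
    return seen


if __name__ == "__main__":
    for entry, count in summarize(SAMPLE_LOG, "203.0.113.10").most_common():
        print(count, *entry)
```

Requests to `/Microsoft-Server-ActiveSync` with `Cmd=Ping` and a large `time-taken` are long-held mobile sync requests, which would match a connection that looks persistent; any other path from the same address deserves a closer look.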