Exchange 2010 Netmon Powershell
We're running Exchange 2010 SP1 w/ Rollup 1 on Windows 2008 R2. We got some reports from our internal security folks that our 8 Exchange servers are trying to get out through our perimeter firewall. It's being rejected which is good, but why?
I ran Netmon (3.4) and noticed the following in the capture... looks like Akamai addresses. Is this an OS thing, an Exchange thing? See below for the Netmon trace. Any ideas here? What is PowerShell doing, or svchost.exe? We are not running Exchange Hosted Services, strictly internal email only. All the 24.x.x.x addresses are the external ones I refer to. Our internal network is 10.x.x.x.
76294 2:45:26 PM 12/6/10 490.0643252 powershell.exe SVR-MB04 24.143.206.19 TCP TCP:Flags=......S., SrcPort=42282, DstPort=HTTP(80), PayloadLen=0, Seq=76298579, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:708, IPv4:707}
76295 2:45:26 PM 12/6/10 490.0646872 powershell.exe 24.143.206.19 SRV-MB04 TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=42282, PayloadLen=0, Seq=0, Ack=76298580, Win=8192 {TCP:708, IPv4:707}
81766 2:46:00 PM 12/6/10 524.1692033 svchost.exe SVR-MB04 24.143.206.9 TCP TCP:Flags=......S., SrcPort=42314, DstPort=HTTP(80), PayloadLen=0, Seq=2586803921, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:826, IPv4:825}
81767 2:46:00 PM 12/6/10 524.1695179 svchost.exe 24.143.206.9 SVR-MB04 TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=42314, PayloadLen=0, Seq=0, Ack=2586803922, Win=8192 {TCP:826, IPv4:825}
Any help would be great, I'm stuck with this one.
December 7th, 2010 1:38pm
Who owns this “24.143.206.19”?
What kind of applications are on the external machine?
Please verify if there’s any malfunction on the Exchange servers currently.
Please check if there’s any warning or error event in the application log on the Exchange servers that send these packages.
Please run ExBPA against the Exchange servers for a health check.
James Luo
TechNet Subscriber Support
December 8th, 2010 1:51am
It looks like it's Symantec Mail doing this and those are the Live Update Akamai servers. I think we got this under control now. Thanks
December 9th, 2010 2:49pm
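An added example, not part of any post in this thread: a Python sketch that reads frame-summary lines in the layout of the Netmon trace in the first post and tallies, per process, the SYNs sent to non-private addresses and the resets that answer them. The regular expression assumes exactly that column layout, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# The four frames from the trace in the first post, one frame per line.
TRACE = """\
76294 2:45:26 PM 12/6/10 490.0643252 powershell.exe SVR-MB04 24.143.206.19 TCP TCP:Flags=......S., SrcPort=42282, DstPort=HTTP(80), PayloadLen=0, Seq=76298579, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:708, IPv4:707}
76295 2:45:26 PM 12/6/10 490.0646872 powershell.exe 24.143.206.19 SRV-MB04 TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=42282, PayloadLen=0, Seq=0, Ack=76298580, Win=8192 {TCP:708, IPv4:707}
81766 2:46:00 PM 12/6/10 524.1692033 svchost.exe SVR-MB04 24.143.206.9 TCP TCP:Flags=......S., SrcPort=42314, DstPort=HTTP(80), PayloadLen=0, Seq=2586803921, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:826, IPv4:825}
81767 2:46:00 PM 12/6/10 524.1695179 svchost.exe 24.143.206.9 SVR-MB04 TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=42314, PayloadLen=0, Seq=0, Ack=2586803922, Win=8192 {TCP:826, IPv4:825}
"""

# Columns: frame, time, date, offset, process, source, destination, TCP summary.
FRAME = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>\d+:\d+:\d+ [AP]M) (?P<date>\S+) (?P<offset>[\d.]+) "
    r"(?P<proc>\S+) (?P<src>\S+) (?P<dst>\S+) TCP TCP:Flags=(?P<flags>[.A-Z]{8}), "
    r"SrcPort=(?P<sport>[^,]+), DstPort=(?P<dport>[^,]+),"
)

def is_external(host):
    """True only for a literal IP address outside the private ranges."""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a resolved host name such as an internal server

def outbound_attempts(trace):
    """Map (process, external IP, dst port) -> counts of SYNs and answering RSTs."""
    summary = defaultdict(lambda: {"syn": 0, "rst": 0})
    pending = {}  # (external IP, local port) -> summary key of the open SYN
    for line in trace.splitlines():
        m = FRAME.match(line)
        if not m:
            continue
        flags = m["flags"]
        if "S" in flags and "A" not in flags and is_external(m["dst"]):
            key = (m["proc"], m["dst"], m["dport"])
            summary[key]["syn"] += 1
            pending[(m["dst"], m["sport"])] = key
        elif "R" in flags and (m["src"], m["dport"]) in pending:
            summary[pending.pop((m["src"], m["dport"]))]["rst"] += 1
    return dict(summary)

if __name__ == "__main__":
    for (proc, ip, port), n in outbound_attempts(TRACE).items():
        print(f"{proc:16} -> {ip}:{port}  syn={n['syn']} rst={n['rst']}")
```

Run over a longer export, the per-process tally shows which executables to trace back to an installed product or scheduled task.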