locked
Cloudmark packet blocking Firewall RRS feed

  • Question

  • FPE 2010 for Exchange seems to receive constant packets from a Cloudmark server (at 208.83.136.34) going (inbound) to random ports on my server. Since Cloudmark is legit, I wanted to allow these packets by configuring the Windows firewall to allow ANY packets of ANY type from IP 208.83.136.34 to my server. Even when I did this, Event viewer still shows the packets as being rejected. So my question is: why, and what are these packets for?

    The Windows Filtering Platform has blocked a packet.

    Application Information:
     Process ID:  0
     Application Name: -

    Network Information:
     Direction:  Inbound
     Source Address:  208.83.136.34
     Source Port:  443
     Destination Address: myIP
     Destination Port:  54996 (changes every time)
     Protocol:  6

    Filter Information:
     Filter Run-Time ID: 80080
     Layer Name:  Transport
     Layer Run-Time ID: 13

    The firewall rule I created was Inboud, Any protocol type, Any port, from the IP above to the server IP (the Cloudmark IP is in the Scope tab under Remote IP Address. 

    • Edited by Fredzzzz Wednesday, July 28, 2010 6:52 PM privacy
    Wednesday, July 28, 2010 6:51 PM

All replies

  • Hi,

     

    Thank you for the post.

     

    According to the description, this is related to Windows 2008 networking issue. The traffic is blocked by windows Firewall. I suggest you post this in our Networking Forum: http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2networking/threads

     

    Regards,


    Nick Gu - MSFT
    Friday, July 30, 2010 5:17 AM
    Moderator
  • Anyone else got a good answer? This has clearly to do with Forefront not with Windows 2008, as the Firewall has been well configured (see above).
    Saturday, July 31, 2010 8:06 AM

  • Hello

    I have noticed similar behavior in my environment.
    To me it appears that the Cloudmark host and my Windows system closes the TCP session differently.
    Cloudmark sends "Yes I'm going to close" to a already closed  port on the Windows system.
    The packet from Cloudmark is dropped by my Windows system and also logged by Windows Firewall.

    By using Windows Firewall the logging is much more fine grained .  A minor glitch in Forefronts update process results in a log entry in Windows Firewall.

    You can verify this in your environment by some means of packet capture.
    Look for the FIN and RST packets and compare the timestamps of those to the entries in your Windows Firewall.

    /Regards Paul M

     

    Tuesday, August 10, 2010 9:01 AM