In our environment we restrict not only inbound connections but also outbound connections from Windows servers. While this can be cumbersome to get products like PRTG operational, it also sheds light on certain circumstances when viewing the Windows Firewall log.

On the server hosting the Core Server and the Probe we have identified 3 interesting outbound attempts which we have correlated to PRTG (since this is the only product installed on Windows 2012R2). Would any of the following be related to a process PRTG does out of the box?

1) We noticed an outbound request to an SMTP server on port 25. This was going to 216.58.192.196, which comes back as a Google IP. We have configured SMTP to be routed to an internal SMTP server, so I am not sure why this continues. It would make sense if we were using the default SMTP relay option, but we are not.

2) Port 80 web traffic attempting to get to 52.84.243.131, which shows as AWS.

3) Port 80 requests from both 23.15.7.161 and 23.15.7.113, which come back as Akamai Tech, which is a content distribution from what I know of it.
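
One way to tally blocked outbound attempts like the three listed above from the Windows Firewall log, as an added example that is not part of the original post. It assumes the log carries the standard `#Fields:` header including a `path` column; the log lines are constructed (destinations taken from the post; source address, ports and timestamps made up).

```python
# Constructed sample in pfirewall.log layout. Destination IPs are the ones named
# in the post; the 10.0.0.x addresses, ports and timestamps are invented.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2016-08-10 09:15:02 DROP TCP 10.0.0.5 216.58.192.196 49812 25 0 - 0 0 0 - - - SEND
2016-08-10 09:15:05 DROP TCP 10.0.0.5 216.58.192.196 49812 25 0 - 0 0 0 - - - SEND
2016-08-10 09:20:11 DROP TCP 10.0.0.5 52.84.243.131 49830 80 0 - 0 0 0 - - - SEND
2016-08-10 09:21:40 DROP TCP 10.0.0.5 23.15.7.161 49841 80 0 - 0 0 0 - - - SEND
2016-08-10 09:21:41 DROP TCP 10.0.0.5 23.15.7.113 49842 80 0 - 0 0 0 - - - SEND
2016-08-10 09:22:00 ALLOW TCP 10.0.0.5 10.0.0.25 49850 25 0 - 0 0 0 - - - SEND
2016-08-10 09:23:10 DROP UDP 10.0.0.77 10.0.0.5 137 137 78 - - - - - - - RECEIVE
"""


def blocked_outbound(log_text):
    """Summarise DROP + SEND entries per (dst-ip, dst-port, protocol)."""
    fields, summary = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip truncated or malformed lines
        row = dict(zip(fields, parts))
        # Only dropped packets leaving this host; allowed and inbound traffic is ignored.
        if row.get("action") != "DROP" or row.get("path") != "SEND":
            continue
        # Port stays a string because ICMP rows carry "-" in that column.
        key = (row["dst-ip"], row["dst-port"], row["protocol"])
        stamp = row["date"] + " " + row["time"]
        entry = summary.setdefault(key, {"count": 0, "first": stamp, "last": stamp})
        entry["count"] += 1
        entry["last"] = stamp
    return summary


if __name__ == "__main__":
    for (ip, port, proto), e in sorted(blocked_outbound(SAMPLE_LOG).items()):
        print(f"{ip}:{port}/{proto}  x{e['count']}  {e['first']} .. {e['last']}")
```

The firewall log records addresses and ports but not the originating process, so the summary narrows down when and how often each destination is tried rather than which program tried it.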


Article Comments

I'll check back with the developers to see if we have any info on that :) However, I'm not sure about the Google IP. Any mailserver or mail address configured that may lead to that address?


Aug, 2016 - Permalink

AWS would be our CDN, which is used for the update distribution. We don't know where Akamai and the Google IP come from however :/ Could be a sensor of yours in either case...can you check that?


Aug, 2016 - Permalink