Massive traffic between Exchange Servers 2019

Copper Contributor

Hello all,


We are in a large company with over 50 Exchange Servers (on-premise not on cloud). My site have two Exchange 2019 Servers and we are using a satellite (25mb/s 600ms Latence) link to connect with the rest of the Exchange Servers.


Since over 6 months ago, we started to see massive traffic between our Exchange Servers and the rest of the company Exchange Server (Inbout around 12Gb/day and Outbound 75Gb/day). The traffic start at 18h00 and stop around 8h00 the day after. 



This traffic is killing our satellite link, we have a ticket opened with microsoft for over 6 months, but no clue of the reason of this.


We have done a message tracking for a day and the maximum size is 3Gb of inbound and outbound and mostly internal email (not going througt the satellite link). So our emails are not the cause of this issue.


If anyone can relate or give us a potential solution.




2 Replies



First question would be if you can identify the ports the traffic is using which might give a head-start on identifying what is going on.

@Neill Tinlin 


Thank you for you reply, Microsoft Engineers ask me to do an netsh trace with our two Exchange servers.


Btw they are on core edition and I wasnt able to do the scenario=netconnection since it is not available on core edition.



This is what they answer back:

I  found major traffics were seen on below TCP ports:
TCP port,444, 389, 443, 3268

There were around  :

**22348 packets for tcp port 389

**47369 packets for tcp port 3268

**34073 packets for tcp port  443
**30537  packets for tcp port 444

**26094 packets for tcp port 6068
**369    Packets for tcp port 25

**7472  Packets for port 42906 and 6064


Conclusion :

>> Tcp port 389 is being used by LDAP and 3268 is being used by Microsoft global catalog (LDAP), so traffic on these ports are  fine because these are being used by active directory.

>>However we see huge traffic on tcp port 443 , 6068 and 444, need to find which application on exchange server is using these ports.


Check tasklist /svc at the time of  issue to figure out which applications has maximum handles and check the ports that are being used by those applications.


But when I analyse the content that they send me, most of the communication are between local computers or servers on our site, so they don't use the satellite link.


The only thing that we have is a Veeam agent installed on that server. We also use Enterprise Vault for archiving our Email (older then 6 months).