microsoft-ds port 445

darijohorvat · ‎09-20-2006

CCM cluster consist of publisher server (CCM 4.1(2)sr1 ) and three subscriber servers. Problem is that subscribers generate large traffic (microsoft-ds, port 445, 200-300 kbps) to publisher server, constantly.

What could be a problem and is this port needed for normal communication between CCM servers?

Where to look for more information?

thanks for any help...

gpulos · ‎09-20-2006

https, aka 445, is used for ccm communication in 4.1x.; this should be OK as the subscribers are constantly communicating with the publisher, especially under specific configurations/circumstances.

i wouldn't say 200-300kpbs is 'a really large amount of traffic' even for a 10mb link; but you could be on to something.

this traffic is most likely the SQL replication between the call managers as well as other ccm management/call processing traffic that flows between servers in the cluster.

why the traffic moves and how much between the servers is fully dependent on the configuration of your ccm environment.

one excellent way to verify if there is any traffic you should not have between the servers is to use a sniffer. http://ethereal.com has an excellent free sniffer tool.

capture the traffic to/from the publisher and you can see exactly what traffic there is.

darijohorvat · ‎09-20-2006

thx for answer, but maybe I was not completely precise. I`m analyzing traffic from netflow, and this 200-300 kbits traffic is generated from subscriber TO publisher by port 445!

There is present "normal" traffic (sql replications, ICCS...) that I didn`t mentioned but whole that traffic is smaller that this one mentioned here.

For example, for the whole day yesterday,subscriber generated 1303MB of traffic, whereas 833MB was "problematic"(atleast for me) traffic (445, microsof-ds).

Is this the way this should be or not?

Aaron Harrison · ‎09-20-2006

Hi

445 isn't SSL as suggested - (SSL being port 443 by default)..

445 is MS NetBIOS-over-TCP stuff... things that show up as that can be anything from Outlook, to RPC calls, to file share access.

If you go into computer management on the publisher then into 'Shared Folders' and have a look in 'Sessions' and 'Open Files' this may give you some clue as to what's being access if it is file data... CDR data is one thing I can think of that would be transferred in this way... this is pulled or pushed (can't remember which) to a UNC share a regular intervals.

Remember that they recommend something like 8MB + 40ms max latency if you split a cluster - maybe this is why?

Regards

Aaron

Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

darijohorvat · ‎09-21-2006

Hi

thanks for your answers

I pay attention on cdr, and I don`t think that this is a problem. cdr flat text file is generated and send every 60 sec to publisher, and size of file is max 15 KB. And this is in heavy load conditions.

And yes, I forgot to say, this is noticed after upgrade from CCM 3.3.3 to current version (!?)

fred.s.mollenkopf · ‎09-20-2006

Darijo,

I agree with Aaron on that one. 3 subscibers are going to generate a good deal of CDR which is stored in a flat file on the the Subs. It's then transferred via admin shares to the publisher where the CDR insert service puts them into the database. If you feel this might be malicious though, then make sure you have the CSA installed on the servers in your cluster.

Please rate any helpful posts

Thanks

Fred

gpulos · ‎09-21-2006

my mistake, was thinking 443 while seeing/writing 445.

445 is MS-DS services as mentioned.

(see this link for port #s: http://www.iana.org/assignments/port-numbers)

thank you for the correction.