Recently, I have found some strange behavior from my Office Communications Server 2007 R2 Edge server environment. Every 15 minutes, the Edge server sends out three NetBIOS Name Service (NbtNs) queries over port 137 to destinations out on the Internet.
The packets are UDP packets that originate from the System process. That is odd in itself as I would expect any packets like this to originate from the RTCSrv.exe service. They are odd as they are not documented anywhere. They are odd as NetBIOS requests over the Internet just aren’t common or even sensible. These packets are odd for many reasons.
If you dig down into the packets in the frame details, it shows:
QuestionType: Node Status Request
Of course the packets are blocked by the firewall as we know that they are not supposed to be used by OCS. There doesn’t appear to be any impact on functionality or performance.
So, why are these packets being sent? I am glad you asked that question.
I checked out each IP address. Some are the addresses of systems at federated partners. Some are addresses of systems at PIC providers. Some appear to be the client systems that are connecting through PIC providers.
After several support calls and lots of research from Microsoft’s side, they basically said that the Edge server appears to be trying to verify the status of the federated user and attempts to use NetBIOS as one of the ways to make that connection. Of course, even if it weren’t blocked by the firewall, it would still fail. Other methods would then be used to check the presence/status of the federated connection.
Summary: They are odd packets that cause no harm, and they really don’t provide any benefit either. They are safe to ignore, especially if your firewall blocks them.
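To check for the same traffic in your own capture, the following added example (not from the original post or from Microsoft) parses a UDP/137 payload using the RFC 1002 layout and flags Node Status Requests bound for non-internal addresses. The function names, the list of internal ranges and the sample packet are assumptions constructed for illustration.

```python
import ipaddress
import struct

NBSTAT = 0x0021  # RFC 1002 question type: Node Status Request
# Assumption: ranges treated as internal; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def decode_nb_name(label: bytes) -> str:
    """Undo RFC 1001 first-level encoding (each byte was split into two letters A..P)."""
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, len(label), 2))
    return raw.rstrip(b"\x00 ").decode("ascii", "replace")


def parse_nbns_question(payload: bytes):
    """Return (name, qtype) for the question in a UDP/137 request, else None."""
    if len(payload) < 50:                   # 12-byte header + 34-byte name + type + class
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:       # response bit set, or no question present
        return None
    label = payload[13:45]
    if payload[12] != 0x20 or payload[45] != 0 or any(not 0x41 <= b <= 0x50 for b in label):
        return None                         # not a single 32-byte encoded NetBIOS name
    qtype, _qclass = struct.unpack("!HH", payload[46:50])
    return decode_nb_name(label), qtype


def is_external_node_status(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """True when the packet is a Node Status Request leaving for a non-internal address."""
    parsed = parse_nbns_question(payload) if dst_port == 137 else None
    if parsed is None or parsed[1] != NBSTAT:
        return False
    dst = ipaddress.ip_address(dst_ip)
    return not any(dst in net for net in INTERNAL_NETS)


def sample_query(qtype: int) -> bytes:
    """Constructed sample: a query for the wildcard name '*' with the given type."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0000, 1, 0, 0, 0)
    return header + b"\x20" + b"CK" + b"A" * 30 + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for an Internet host.
    print(is_external_node_status("203.0.113.10", 137, sample_query(NBSTAT)))
```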