I'm trying to explain some activity we uncovered while reviewing firewall logs.
Over the course of two days, we saw multiple connections to our KServer on ports 80 and 443. The requests came about once a minute for over a day, on ports 80 and 443 from two public IPs which both belong to a single client of ours. One site was their headquarters where there are approx. 15 agents on servers and workstations, and the second site is a satellite office with only 3 workstations.
As far as I know, 80 and 443 are only used for the Kaseya web interface. Our KServer has a single public IP which is not used for any other services. We see a ton of traffic from our managed clients on this IP (our KServer) but it's mostly on 5721, so the HTTP(S) traffic stood out to me. As far as I knew, it's not used for normal agent operation.
Can anyone suggest a reason we might've seen that kind of traffic, or give me some fresh ideas of what to look at? I haven't been able to narrow anything down to individual agents since NAT is in play and I don't have detailed firewall logs. I don't see any unusual alerts, etc., from any managed computers at either site, however.
Thanks in advance,
Sorry, just to clarify: I don't have detailed firewall logs from the client's side...
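An added example, not from the original post or from Kaseya, showing one way to turn the pattern described above ("about once a minute on 80/443 from two public IPs") into a check that can be run over an export of the firewall logs. It groups accepted connections to the KServer by source address and destination port and computes the count and inter-arrival interval for each group, flagging groups whose interval is steady and close to a chosen period. The log line format, the KServer address 198.51.100.5 and the client addresses (RFC 5737 documentation ranges) are constructed for the example; a real firewall export will need its own regex. Because NAT is in play, a group identifies a site, not an individual agent; narrowing to a host needs a capture from inside the client's network.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical KServer public IP (documentation range, not a real host).
KSERVER_IP = "198.51.100.5"
WEB_PORTS = {80, 443}

# Hypothetical firewall log format, constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(lines, server_ip=KSERVER_IP, ports=WEB_PORTS):
    """Group connections to server_ip on the given ports by (src, dport) and
    compute count, time span and inter-arrival statistics for each group."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != server_ip or rec["dport"] not in ports:
            continue
        times[(rec["src"], rec["dport"])].append(rec["ts"])
    result = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        result[key] = {
            "count": len(ts),
            "first": ts[0],
            "last": ts[-1],
            "median_gap": statistics.median(gaps) if gaps else None,
            "gap_jitter": statistics.pstdev(gaps) if len(gaps) > 1 else 0.0,
        }
    return result


def beacon_like(stats, period=60.0, tolerance=5.0, min_count=5):
    """True when a group connects at a steady interval near `period` seconds."""
    return (
        stats["count"] >= min_count
        and stats["median_gap"] is not None
        and abs(stats["median_gap"] - period) <= tolerance
        and stats["gap_jitter"] <= tolerance
    )


# ---- constructed sample log (not real traffic) ----
BASE = datetime(2023, 5, 1, 10, 0, 0, tzinfo=timezone.utc)


def _line(offset_s, src, dport, sport):
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} ACCEPT src={src} dst={KSERVER_IP} proto=tcp sport={sport} dport={dport}"


SAMPLE_LOG = (
    # headquarters site: one connection to 443 about every minute, +/-2s jitter
    [_line(60 * i + (i % 3) - 1, "203.0.113.10", 443, 50000 + i) for i in range(8)]
    # satellite office: the same cadence on port 80
    + [_line(60 * i, "203.0.113.20", 80, 51000 + i) for i in range(6)]
    # ordinary agent check-ins on 5721, ignored by the port filter
    + [_line(30 * i, "203.0.113.10", 5721, 52000 + i) for i in range(10)]
    # a single unrelated web hit from a third address
    + [_line(17, "192.0.2.7", 443, 40000)]
)


def report(lines):
    """Human-readable summary, one line per (source, port) group."""
    out = []
    for (src, dport), st in sorted(summarize(lines).items()):
        flag = "PERIODIC" if beacon_like(st) else "-"
        out.append(f"{src:>15} -> :{dport:<4} n={st['count']:<3} "
                   f"median_gap={st['median_gap']} jitter={st['gap_jitter']:.1f} {flag}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The period and tolerance are arguments so the same check can be pointed at the 5721 check-in interval or any other cadence; a group marked PERIODIC from a site is the place to start the inside-the-NAT capture.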
IIRC: port 5721 is the default port that the agents check into.
This can be verified by going to System > Server Management > Configure > ~2/3 of the way down look for "Specify port Agents check into server with:"

Strike all of that, I misunderstood your question.
Maybe you have a client set up to use remote access/portal through Kaseya?
Install wireshark on one of the offending client's computers and look for port 80/443 traffic to/from your KServer.
Then pick one of the offending packets, right-click and choose "Follow TCP Stream" to look at the raw HTTP traffic. You'll be able to see what it's requesting on your KServer, and what your KServer is sending back.