TMG Flood mitigation triggered by connections to *.drip.trouter.io

Hi,

we're frequently seeing alerts like "The number of TCP connections per minute from a specific source IP address exceeded the configured limit". Since our users connect to the proxy from Remote Desktop Servers (Citrix), I've already added those IPs to the Flood mitigation exceptions list and upped the threshold for exceptions.

After investigating a few of these alerts I'm seeing an extremely large number (over 10,000 per minute) of SSL connections to hosts in the drip.trouter.io domain (e.g. 193-149-88-182.drip.trouter.io). This domain seems to belong to Microsoft. Does anyone know what is triggering these connections and why? It seems like an unnecessary strain on the TMG servers.

Best regards,

Enrico Klein 

November 14th, 2013 3:35pm
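One way to investigate an alert like this before touching the exceptions list is to aggregate the proxy log by source address and minute, apply the two limits (default, and the higher one for addresses on the exceptions list), and then break each flagged source's traffic down by destination parent domain so you can see what is actually driving the count. The script below is an added example, not part of this thread and not a TMG tool; the log line format, the sample log lines, the thresholds and the exceptions list are all constructed for illustration, so map them onto your own export before use.

```python
"""Aggregate proxy log lines per (minute, source IP), flag sources that exceed
a connections-per-minute limit, and show which destination domains dominate
the flagged traffic.

Constructed log format for this example (one connection per line):
    <ISO timestamp> <client IP> <destination host> <destination port>
"""
from collections import Counter, defaultdict
from datetime import datetime

# Placeholder thresholds: a default limit and a higher limit for addresses on
# the exceptions list, mirroring the two limits discussed in the thread.
# Set them to whatever your own flood mitigation policy uses.
DEFAULT_LIMIT = 3
EXCEPTION_LIMIT = 5
# Constructed: addresses of the Remote Desktop / Citrix hosts on the exceptions list.
EXCEPTIONS = {"10.0.0.5"}

# Constructed sample log: 10.0.0.5 (on the exceptions list) opens 6 connections
# in 15:30, five of them to drip.trouter.io hosts; 10.0.0.7 opens 4 in 15:30.
SAMPLE_LOG = """\
2013-11-14T15:30:01 10.0.0.5 193-149-88-182.drip.trouter.io 443
2013-11-14T15:30:02 10.0.0.5 193-149-88-182.drip.trouter.io 443
2013-11-14T15:30:03 10.0.0.5 193-149-88-190.drip.trouter.io 443
2013-11-14T15:30:04 10.0.0.5 193-149-88-190.drip.trouter.io 443
2013-11-14T15:30:05 10.0.0.5 193-149-88-182.drip.trouter.io 443
2013-11-14T15:30:06 10.0.0.5 www.example.com 443
2013-11-14T15:30:10 10.0.0.7 www.example.com 80
2013-11-14T15:30:11 10.0.0.7 www.example.com 80
2013-11-14T15:30:12 10.0.0.7 www.example.com 80
2013-11-14T15:30:13 10.0.0.7 mail.example.com 443
2013-11-14T15:31:01 10.0.0.5 193-149-88-182.drip.trouter.io 443
2013-11-14T15:31:02 10.0.0.9 www.example.com 443
"""


def parent_domain(host, levels=3):
    """Keep the trailing `levels` labels of a hostname, so the per-host names
    under drip.trouter.io collapse into one bucket. Shorter names are kept whole."""
    parts = host.split(".")
    return ".".join(parts[-levels:]) if len(parts) > levels else host


def parse_line(line):
    """Split one constructed log line into (minute bucket, source IP, host, port)."""
    ts, src, host, port = line.split()
    minute = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").strftime("%Y-%m-%d %H:%M")
    return minute, src, host, int(port)


def aggregate(lines):
    """Return (connections per (minute, src), destination-domain counts per (minute, src))."""
    per_minute = Counter()
    by_domain = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        minute, src, host, _port = parse_line(line)
        per_minute[(minute, src)] += 1
        by_domain[(minute, src)][parent_domain(host)] += 1
    return per_minute, by_domain


def flagged_sources(per_minute, exceptions=EXCEPTIONS,
                    default_limit=DEFAULT_LIMIT, exception_limit=EXCEPTION_LIMIT):
    """List (minute, src, count, limit) for every source that exceeded its limit."""
    flagged = []
    for (minute, src), count in sorted(per_minute.items()):
        limit = exception_limit if src in exceptions else default_limit
        if count > limit:
            flagged.append((minute, src, count, limit))
    return flagged


def top_domains(by_domain, minute, src, n=3):
    """Most common destination parent domains for one flagged (minute, src)."""
    return by_domain[(minute, src)].most_common(n)


if __name__ == "__main__":
    per_minute, by_domain = aggregate(SAMPLE_LOG.splitlines())
    for minute, src, count, limit in flagged_sources(per_minute):
        print(f"{minute} {src}: {count} connections (limit {limit})")
        for domain, n in top_domains(by_domain, minute, src):
            print(f"    {n:>5}  {domain}")
```

Run against a real export, the domain breakdown for each flagged source tells you whether the count is dominated by one destination (as in the post, where drip.trouter.io hosts account for most of the connections) or spread across normal browsing, which is the information you need before deciding whether a higher exception threshold or a policy change for that destination is the right fix.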

Hi,

Please block this domain on your TMG and check whether there is any error information.

Best Regards

Quan Gu

November 15th, 2013 9:05am

Hi Quan Gu,

thank you for your reply. I must admit that I'm not very fond of blocking destinations without knowing what they are used for. Since we have thousands of users connecting through our TMGs, I cannot foresee the consequences, especially since the domain is owned by Microsoft Corporation.

Does anyone have any clue as to what this traffic is? TMG categorizes the domain as 'Network Information'.

Best regards,

Enrico

November 15th, 2013 12:15pm
