We recently moved all our mailboxes to a pair of clustered Exchange Server 2003 servers. The mailbox servers are behind an internal firewall, which we've opened for the IP address of the virtual Exchange instance. Our firewall logs show a lot of dropped UDP packets from the physical IP address of the cluster nodes. What's the problem?
The Exchange Information Store is generating these UDP packets, which are new mail notification packets intended for Outlook clients. When you use Outlook 98 or later with any version of Exchange in conventional Messaging API (MAPI) Online mode, the Information Store generates a UDP packet on a randomly chosen port number between 1025 and 65535. The packet comes from the Information Store process, which runs on a physical server—not the cluster virtual server—thus, the packet has the IP address of the physical node. This UDP packet goes to the client; when the packet arrives, Outlook retrieves the new messages. Because the port number is randomly chosen, there's no good way to pass this traffic through the firewall. However, Outlook 2003 in Cached Exchange Mode works without these notifications, and you can configure other versions of Outlook to use polling. (See the Microsoft article "The Outlook Find feature and the new mail notifications do not work after you apply Windows XP Service Pack" at http://support.Microsoft.com/?kbid=2839226 for instructions about enabling polling.)
Also be aware that Windows XP Service Pack 2's (SP2's) Windows Firewall can block these notification packets because they're unsolicited. Windows Firewall generally allows UDP packets that come in response to a UDP connection from the local machine to a remote machine but doesn't recognize that the UDP packets in question are in response to the TCP connection from Outlook to the Exchange server. To fix this particular problem, add outlook.exe as an allowed application in Windows Firewall.
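
To confirm that the drops in a firewall log match the pattern described above (UDP, sourced from a physical cluster node, sent to a port between 1025 and 65535), the following Python script groups them by affected client. It is an added example, not part of the original article; the node addresses, the key=value log format and the sample lines are constructed, and it assumes the randomly chosen port appears as the destination port in the log.

```python
import re
from collections import defaultdict

# Assumed values: replace with the physical IP addresses of your cluster nodes.
PHYSICAL_NODE_IPS = {"10.0.5.11", "10.0.5.12"}

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2005-03-01T09:14:02 action=drop proto=udp src=10.0.5.11 sport=1411 dst=10.0.20.31 dport=2874
2005-03-01T09:14:05 action=drop proto=udp src=10.0.5.12 sport=1502 dst=10.0.20.44 dport=49211
2005-03-01T09:14:09 action=allow proto=tcp src=10.0.20.31 sport=3321 dst=10.0.5.20 dport=135
2005-03-01T09:15:40 action=drop proto=udp src=10.0.5.11 sport=1411 dst=10.0.20.31 dport=2874
2005-03-01T09:16:12 action=drop proto=udp src=10.0.9.7 sport=137 dst=10.0.20.255 dport=137
2005-03-01T09:17:30 action=drop proto=tcp src=10.0.5.11 sport=4000 dst=10.0.20.31 dport=445
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def is_notification_drop(rec):
    """True if a parsed record fits the new mail notification pattern."""
    try:
        dport = int(rec.get("dport", ""))
    except ValueError:
        return False  # missing or malformed port: cannot classify
    return (rec.get("action") == "drop"
            and rec.get("proto") == "udp"
            and rec.get("src") in PHYSICAL_NODE_IPS
            and 1025 <= dport <= 65535)


def summarize(log_text):
    """Return ({client_ip: {node_ip: count}}, [other dropped lines])."""
    clients = defaultdict(lambda: defaultdict(int))
    other = []
    for line in log_text.splitlines():
        rec = dict(FIELD.findall(line))
        if is_notification_drop(rec):
            clients[rec["dst"]][rec["src"]] += 1
        elif rec.get("action") == "drop":
            other.append(line)  # drops that need separate investigation
    return {c: dict(n) for c, n in clients.items()}, other


if __name__ == "__main__":
    matched, other = summarize(SAMPLE_LOG)
    for client, nodes in sorted(matched.items()):
        print(client, nodes)
    print(f"{len(other)} other dropped packets to review")
```

The clients it lists are the ones to move to Cached Exchange Mode or polling; drops it does not match are unrelated to new mail notification and should be reviewed on their own.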