I am not too sure if I can agree with you at this moment, David. It is indeed weird that traffic is only heading towards the HTTPS port.
Have you considered running a netmon service on that source machine to see which application is actually sending out requests for HTTPS? You might be able to nail the culprit there. Good luck.
