IIS Logs of CAS server

If you have logs in the IIS logs of the CAS server, relative to an Exchange mailbox - does that mean the user has accessed their mailbox remotely, i.e. OWA, Outlook Anywhere, ActiveSync etc.?

If you have, say, a Citrix access gateway to log in to your private network and access email - would such activity also be logged in IIS logs on the CAS server, or would it not be included in the IIS logs?

I am trying to determine if a user viewed their email when not directly logged into our private network (either locally or via a VPN/Citrix type system), and there are some logs in the IIS logs on the CAS server, but I don't want this to be a false positive if internal activity would also be included in the IIS logs.
pma111 Asked:

tigermatt Commented:

> If you have logs in the IIS logs of the CAS server, relative to an Exchange mailbox - does that mean the user has accessed their mailbox remotely, i.e. OWA, Outlook Anywhere, ActiveSync etc.?

Not necessarily. Internal Outlook clients communicate with the Autodiscover service (assuming Exchange 2007 and up) to discover various sundry Exchange configuration details, and that traffic will be logged in the IIS logs.

> If you have, say, a Citrix access gateway to log in to your private network and access email - would such activity also be logged in IIS logs on the CAS server, or would it not be included in the IIS logs?

If they accessed the CAS to read mail, then yes. If they connected a VPN and subsequently used MAPI to communicate over the VPN, then no, as MAPI traffic is not web traffic.

> there are some logs in the IIS logs on the CAS server, but I don't want this to be a false positive if internal activity would also be included in the IIS logs

It could be an internal workstation left running with Outlook open simply polling Autodiscover.

The IIS logs should give you further details of the URLs accessed, the username and the source IP address of the client machine they used (which might be a VPN concentrator, of course) which should help you narrow this down further than a shot in the dark.

pma111 Author Commented:
So source IP could indicate an external IP if used, for example, on a home broadband connection?
tigermatt Commented:

> So source IP could indicate an external IP if used, for example, on a home broadband connection?

That would be correct, yes.

Unless you have a reverse proxy or similar function built into a firewall which intercepts and terminates SSL sessions at the gateway, then re-initiates them to Exchange; but you would know if this applied to you.

pma111 Author Commented:
Out of interest, if you connect your laptop to the internet, and your Outlook is configured with Outlook Anywhere, would the connection via Outlook Anywhere also lead to IIS logs around Autodiscover, even though you aren't directly connected to the private network?

pma111 Author Commented:
And does CAS support Outlook Anywhere type connections, i.e. would connecting to your mailbox via Outlook Anywhere also create logs in the IIS logs of the CAS server?

tigermatt Commented:

> would the connection via Outlook Anywhere also lead to IIS logs around Autodiscover, even though you aren't directly connected to the private network

Assuming Autodiscover is configured properly for Outlook to "discover" it outside the network, then yes. It is a crucial component regardless of the location of the laptop.

If either the autodiscover.domain.com host record exists and points to the CAS server/array, or an _autodiscover._tcp.domain.com SRV record exists similarly (the latter is less common) then I would expect to see entries in the logs.

> does CAS support Outlook Anywhere type connections, i.e. would connecting to your mailbox via Outlook Anywhere also create logs in the IIS logs of the CAS server?

Yes, Outlook Anywhere traffic, when Outlook is away from the office and has no alternate route to send data to Exchange (e.g. a VPN) is handled by the RPC over HTTPS proxy on the CAS server(s).
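
The triage discussed in this thread (narrowing IIS log entries down by URL, username and source IP) can be scripted; the following is an added example, not code from any poster in the thread. Assumptions: the log is in W3C extended format with a `#Fields:` header, the URL prefixes are the default Exchange virtual directory names, the RFC 1918 ranges stand in for the private network, and the `CONTOSO` accounts and log rows are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed sample in IIS W3C extended format (not real log data).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2012-03-01 08:01:10 10.0.0.20 POST /Autodiscover/Autodiscover.xml - 443 CONTOSO\\jdoe 10.0.5.44 Microsoft+Office/14.0 200
2012-03-01 19:42:03 10.0.0.20 GET /owa/ - 443 CONTOSO\\jdoe 203.0.113.7 Mozilla/5.0 200
2012-03-01 19:50:31 10.0.0.20 RPC_IN_DATA /rpc/rpcproxy.dll mail.example.com:6001 443 CONTOSO\\jdoe 203.0.113.7 MSRPC 200
2012-03-01 20:05:00 10.0.0.20 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync 443 CONTOSO\\asmith 198.51.100.9 Apple-iPhone 200
"""

# Default Exchange virtual directories, matched case-insensitively as URL prefixes.
SERVICES = {"/autodiscover": "Autodiscover", "/owa": "OWA", "/ews": "EWS",
            "/rpc": "Outlook Anywhere", "/microsoft-server-activesync": "ActiveSync"}
# Assumption: RFC 1918 space is the private network; adjust to your own addressing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_iis(text):
    """Yield one dict per request, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def classify(row):
    """Return (service, origin) for one request from its URL stem and client IP."""
    stem = row["cs-uri-stem"].lower()
    service = next((name for prefix, name in SERVICES.items() if stem.startswith(prefix)), "other")
    ip = ipaddress.ip_address(row["c-ip"])
    origin = "internal" if any(ip in net for net in INTERNAL_NETS) else "external"
    return service, origin

def summarize(text, username):
    """Count (service, origin) pairs for one user; the match is case-insensitive."""
    counts = Counter()
    for row in parse_iis(text):
        if row["cs-username"].lower() == username.lower():
            counts[classify(row)] += 1
    return counts

if __name__ == "__main__":
    for (service, origin), n in sorted(summarize(SAMPLE_LOG, "CONTOSO\\jdoe").items()):
        print(f"{service:18} {origin:9} {n}")
```

An "internal" client IP can still be a VPN concentrator, Citrix gateway or reverse proxy relaying a remote user, so compare those addresses separately before treating a row as on-site activity.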