Forum Discussion

scarnes_82101's avatar
scarnes_82101
Icon for Nimbostratus rankNimbostratus
Apr 07, 2011

Exchange 2010 CAS Array Logging

My organization is planning to implement an RPC Client Access Pool on our F5 LTMs to support the new architecture employed by Exchange 2010 with regard to the CAS array. My question is in regards to logging client IP addresses for each client that connects through the LTMs for RPC access. What options exist on the LTMs to log the client IP addresses for each email client that connects through our LTMs for Exchange client access? Ideally we would be able to log this perhaps to a file outside of the LTM itself so that support staff could use this information foir client access troubleshooting.
microsoft
partner

2 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Apr 07, 2011
    Hi Scarnes,

     

     

    You can use an iRule to log client IP's. If you're on 10.1.0, you can use High Speed Logging to send messages to a remote syslog server(s):

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/HSL__send.html

     

     

    For 9.4.0 to 10.0.x, you can use log < remote IP > to send messages to a remote syslog server. For any version you can use the log command to log locally:

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/log

     

     

    Aaron
  • Joel_Moses's avatar
    Joel_Moses
    Icon for Nimbostratus rankNimbostratus
    Apr 07, 2011
    Be careful to avoid burying your troubleshooters in data; Outlook will typically initiate between 4-12 RPC sessions to the CAS server per Outlook client. These connections are related to each other but the F5 will have really no way of knowing that and will log the connection details for each independent TCP session. I'm not sure what real value the information would have, as you'll see the logged-in usernames and remote workstation name (all part of the RPC and Kerberos/NTLM transactions) in your Exchange logging just fine. From those two pieces of information, it's just a quick jump to the true source IP.

     

     

    We've got over 60,000 users connecting through one CAS array (we have multiple arrays) -- and had plenty of problems -- but under no situation would I have needed that data from the F5.

     

     

    Just my two cents.