Unable to get exchange logs

Reply
Highlighted
L2 Linker

Unable to get exchange logs

Hi,

I have a PA500 on PANOS 4.1.9

I'm doing some testing with Exchange, managing to get logs to identify iphones, ipads and android devices without a Captive Portal.

Installed USER-ID agent version 5.0.2-2 on a DC, done auto discovery, removed all DCs and left only Exchange Server. It shows up as "connected".

After that, i've tried syncing mails via WI-FI on iphone, android and also windows phone but no way of getting some IP to USER mapping.

Anyboy was able to get to work?

What am i doing wrong?

Thanks

Sergio

L3 Networker

I hope you get an answer to this, I've been trying ways to get this to work for all the Apple/Android devices and even laptops with BYOD.  So far no luck.

Highlighted
L4 Transporter

I would be interested as well. I've never seen it work on our setup. The last time I looked at it, it showed the user authenticated with the Exchange server IP address. Not quite the desired result. :smileywink:

Highlighted
L4 Transporter

I tested a little bit today, and here's what I experienced:

  • I created a security policy and captive portal policy that would exclude our BOYD devices from the captive portal page.
  • The UserID Agent was pointed at the Exchange 2010 CAS server.
  • The native ActiveSync client client doesn't appear to generate the right kind of logs, but if I went to the Outlook Web App page and logged in, I would see my account show up in the UserID Agent.
Highlighted
L3 Networker

Hello, I may be a little late but this should work for both OWA and Active sync connections, The most common reason for the Exchange mappings not appearing is that logon events are not being audited on the Client Access Server. The user ID agent uses events 4624 or 4648 to collect user to IP mapping info. If your Exchange Server is not a domain controller the auditing for such events it likely to not configured.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!