Outlook Client Version for Exchange 2010

As I mentioned in a previous post, Microsoft has been trying to kill off public folders for quite some time. If you've decided to follow Microsoft's lead and remove all public folders from your Exchange Organization, then you'll need to make sure that no existing clients are still relying on public folders for Free/Busy information or the Offline Address Book. The last version of Outlook that required public folder access for that content was Outlook 2003. Even if you think that everyone has been upgraded to Outlook 2007 or newer, you might be surprised to find a few rogue elements in your midst. The easiest way to determine what clients are connecting to your Exchange 2010 servers is to check the RPC Client Access logs on your CAS servers.

To make this task as simple as possible, I recommend using the completely awesome Log Parser tool from Microsoft. If you have Splunk or some other log gathering tool with a query engine you could use that too. But for a quick and dirty look, Log Parser is the way to go. For simplicity's sake, I copied the log files off each CAS server to a log folder with a subfolder for each server. I also added Log Parser to the PATH variable to make it easier to call the program from anywhere. Once you have that set up, you can browse to the folder with the log files from a command prompt.

Then run this Log Parser command:
logparser "SELECT DISTINCT EXTRACT_SUFFIX(client-name,0,'=') AS User,
client-ip,
client-software-version AS VERSION 
FROM *.log 
WHERE version LIKE '11%'" -nSkipLines:4 -i:CSV -rtp:-1

Log Parser basically uses a SQL-like query language to interrogate logs. The first portion of the statement selects distinct records from the query, meaning it will only pull records where the combination of selected fields is unique. The EXTRACT_SUFFIX cuts all the preamble off the client-name field, leaving just the name; drop it if you want to see the full distinguished name. The WHERE clause at the end looks for client versions that start with 11. For reference, the version number of Outlook 2003 starts with 11. Any version that starts with 11 or lower will still need public folders for FB and OAB. In this particular case I was looking for Outlook 2003 clients, but you could easily add an OR statement to the WHERE clause and look for client versions starting with 10 or 9 or whatever you would like. The client-software-version field is a text field, so numerical comparison operators will not work. You could take a substring and cast it, if you're feeling saucy. Me, I like keeping it simple and using OR statements. The -nSkipLines tells logparser to skip the first four lines of the log (which are a header), and -i tells it what the format of the input file is. The last piece, -rtp:-1, tells logparser to give the full output without any table breaks.

A word of caution on the client-ip field.  If you are running your CAS servers behind a load-balancer running SNAT, then you will likely be seeing the NAT'd IP address from the load-balancer and not the actual client IP.  That can make locating the offending client a bit more difficult.  You can either ask your network team to comb the logs and try and find the actual client IP, or you could alter the configuration of the RPC client access log to include the xff header (X-Forwarded-For).  That's beyond the scope of this post, but if you figure that out give me a holla.

I did find a few clients using Outlook 2003.  In addition, I discovered that the BlackBerry and Good servers that use the CDO (any version) are going to appear as 6.0.8244.0 or 6.5.8244.0 depending on which version of CDO is installed.  These services should not need public folders either, but reference the documentation from the vendor to be sure.

Update: 
I was toying around with the Log Parser query a bit today and managed to get an even better query together.  Here it is:
logparser "select distinct
to_int(extract_prefix(client-software-version,0,'.')) as version,
extract_suffix(client-name,0,'=')
from e:\rpclogs\cas10\*.log
where version < 12
order by version" -nSkiplines:4 -i:csv -rtp:-1

The query converts the major version number at the front of client-software-version to an int and uses the numerical operator. This should give you a list of clients that are using pre-2007 Outlook.
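
The same check as an added Python example (not part of the original post), for when Log Parser is not at hand: it mirrors the updated query and also tags the two CDO versions mentioned above, which a numeric "version < 12" filter matches as well. The sample log and all its values are constructed; only the client-name, client-software-version and client-ip field names come from the post.

```python
import csv
import io

# CDO versions the post reports for BlackBerry and Good servers.
CDO_VERSIONS = {"6.0.8244.0", "6.5.8244.0"}

# Constructed sample: four header lines, a CSV header row, then records.
# Only the three field names used in the post are taken from the page.
SAMPLE_LOG = """\
#constructed header line 1
#constructed header line 2
#constructed header line 3
#constructed header line 4
#Fields: date-time,client-name,client-software-version,client-ip
2012-01-01T08:00:00Z,/o=Example/ou=Site/cn=Recipients/cn=alice,11.0.8217.0,10.0.0.5
2012-01-01T08:05:00Z,/o=Example/ou=Site/cn=Recipients/cn=alice,11.0.8217.0,10.0.0.5
2012-01-01T08:06:00Z,/o=Example/ou=Site/cn=Recipients/cn=bob,12.0.6606.1000,10.0.0.6
2012-01-01T08:07:00Z,/o=Example/ou=Site/cn=Recipients/cn=besadmin,6.5.8244.0,10.0.0.7
2012-01-01T08:08:00Z,/o=Example/ou=Site/cn=Recipients/cn=dave,10.0.6515.0,10.0.0.8
2012-01-01T08:09:00Z,/o=Example/ou=Site/cn=Recipients/cn=erin,,10.0.0.9
"""


def find_legacy_clients(stream, skip_lines=4, first_ok_major=12):
    """Return distinct (major, user, version, ip, kind) tuples, sorted by major."""
    for _ in range(skip_lines):           # same role as -nSkipLines:4
        next(stream, None)
    found = set()                         # a set gives SELECT DISTINCT behaviour
    for row in csv.DictReader(stream):
        version = (row.get("client-software-version") or "").strip()
        major = version.split(".", 1)[0]  # like extract_prefix(..., 0, '.')
        if not major.isdigit() or int(major) >= first_ok_major:
            continue                      # blank versions and 2007+ are skipped
        user = (row.get("client-name") or "").rsplit("=", 1)[-1]
        kind = "cdo" if version in CDO_VERSIONS else "outlook"
        found.add((int(major), user, version, row.get("client-ip") or "", kind))
    return sorted(found)


if __name__ == "__main__":
    for major, user, version, ip, kind in find_legacy_clients(io.StringIO(SAMPLE_LOG)):
        print(f"{major:>2}  {kind:<7}  {user:<10}  {version:<14}  {ip}")
```

To run it against real logs, pass an open file handle for each copied log file in place of the sample.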

References:
Log Parser - http://technet.microsoft.com/en-us/scriptcenter/dd919274.aspx
X-Forwarded-For Header - http://en.wikipedia.org/wiki/X-Forwarded-For
Log Parser Tutorial - http://www.msexchange.org/articles-tutorials/exchange-server-2003/tools/Using-Logparser-Utility-Analyze-ExchangeIIS-Logs.html
