ClientInfoString AND ACTION=viaproxy. What does it mean?

  • Question

    I found several logs from EXTERNAL clients connecting to a mailbox.

    Sometimes in the logs we found the "ClientInfoString" and the word "ACTION=viaproxy".

    What does it mean?

    Via what proxy?

    MS Exchange Online/Office 365

    Tuesday, December 10, 2019 4:17 PM

All replies

  • Hi,

    Are you checking the mailbox audit logs?

    ClientInfoString shows the information about the email client that was used to perform the operation. For example, Client=OWA indicates a user accesses the mailbox from OWA.

    Based on my knowledge, ACTION=viaproxy should mean the request from the client may be proxied.

    For reference: Entries in the mailbox audit log

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, December 11, 2019 6:48 AM
    Moderator
  • Just checking in to see if the above information was helpful. If you have any questions or need further help on this issue, please feel free to post back.

    Regards,

    Lydia Zhou



    Monday, December 16, 2019 7:46 AM
    Moderator
  • Lydia,

    We have witnessed the same thing in our logs. We have many users who access OWA, however we can't get a clear explanation of what the ViaProxy tag means. Is this a reverse proxy feature of O365 for slower clients? Is this an end-user web browser proxy? Is this an anonymizer proxy? Please let me know if there can be further clarification on this log entry type.

    Thanks!

    Thursday, December 19, 2019 4:26 PM
  • None of those. It's referring to connections that are proxied from the CAS service on one Exchange Server in 365 to the mailbox server where the mailbox is currently homed. It's really just the way Exchange works.

    Thursday, December 19, 2019 4:47 PM
    Moderator
  • Andy,

    Thank you for the response, however we have several users who we analyzed as a control, and who use OWA regularly, that don't show the ViaProxy tag in their logs. How would that be possible?

    Thanks,

    Oliver

    Friday, December 20, 2019 9:29 PM
  • It probably depends on what action is being taken and how it's recorded in the audit logs.
    Sunday, December 22, 2019 2:15 PM
    Moderator
  • Unfortunately, that's not very helpful in analyzing the logs. Can you please give an example of what the distinction might be where two users are accessing OWA, where one gets the log entry ~ ClientInfoString:"Client=OWA;Action=ViaProxy"

    and the other gets the log entry ~ Client=OWA;Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0.3 Safari\/605.1.15;"

    The second entry is very clear, on browser type and PC make/model/OS, etc. The first just says ViaProxy. I'm trying to give an example of how a user is accessing OWA, and why it doesn't give the information in the manner of the second entry.

    Thanks

    Monday, December 23, 2019 4:40 PM
  • What operation did the user take? What's the logon type?

    You can post the detailed audit log with "Action=ViaProxy" here, and please don't forget to cover the IP address, domain name and other personal information. We will check and test if Action=ViaProxy is related to specific operations.

    Regards,

    Lydia Zhou



    Thursday, December 26, 2019 1:35 AM
    Moderator
  • Lydia,

    Thanks for your response. This itself is the issue. I don't know what the user behavior was. I was hoping the logs would tell me. If I had any sort of correlative behavioral data available, then I wouldn't need clarification. I was hoping Microsoft would have an explanation available for the different log entries. Recreating the separate actions, whatever they are, would answer the question, and not necessitate posting to this thread, but that would, once again, require knowledge of the user behavior. The reason I'm asking is to try to find a way to identify a possible malicious actor, or third party, accessing a user's account.

    Monday, December 30, 2019 2:03 PM
  • The operation, logon type and other details can be checked from the mailbox audit log as well. You can check the detailed audit logs to get more information related to Action=ViaProxy. This article can help you know more about how to check mailbox audit logs: How to use mailbox audit logs in Office 365

    You also can use this script and make some modification based on it: Get-MailboxAuditLoggingReport.ps1 – PowerShell Script to Generate a Report of Mailbox Audit Log Entries

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    Regards,

    Lydia Zhou



    Wednesday, January 1, 2020 8:06 AM
    Moderator
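
An added example, not part of the thread and not Microsoft's code: one way to test whether the `Action=ViaProxy` form of ClientInfoString lines up with particular operations or logon types, as the replies above suggest checking. The helper `ConvertFrom-ClientInfoString` is hypothetical and the records are constructed; only the property names follow the mailbox audit log.

```powershell
# Constructed records shaped like Search-MailboxAuditLog -ShowDetails output.
# The property names exist on mailbox audit entries; every value is made up.
$entries = @(
    [pscustomobject]@{ Operation = 'MailboxLogin'; LogonType = 'Owner'; ClientIPAddress = '192.0.2.10'
        ClientInfoString = 'Client=OWA;Action=ViaProxy' }
    [pscustomobject]@{ Operation = 'MailboxLogin'; LogonType = 'Owner'; ClientIPAddress = '192.0.2.10'
        ClientInfoString = 'Client=OWA;Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15;' }
    [pscustomobject]@{ Operation = 'SoftDelete'; LogonType = 'Owner'; ClientIPAddress = '198.51.100.7'
        ClientInfoString = 'Client=OWA;Action=ViaProxy' }
    [pscustomobject]@{ Operation = 'Update'; LogonType = 'Delegate'; ClientIPAddress = '198.51.100.7'
        ClientInfoString = 'Client=OWA;Action=ViaProxy' }
)

function ConvertFrom-ClientInfoString {
    # Hypothetical helper. Leading Key=Value tokens become properties; the first
    # token that is not Key=Value starts the user agent, which itself contains ';'.
    param([string]$Value)
    $pairs  = @{}
    $tokens = @($Value -split ';')
    $i = 0
    while ($i -lt $tokens.Count -and $tokens[$i].Trim() -match '^(\w+)=(.*)$') {
        $pairs[$Matches[1]] = $Matches[2]
        $i++
    }
    $ua = if ($i -lt $tokens.Count) { ($tokens[$i..($tokens.Count - 1)] -join ';').Trim(' ;') } else { '' }
    $shape = if ($pairs['Action'] -eq 'ViaProxy') { 'ViaProxy' } elseif ($ua) { 'UserAgent' } else { 'Other' }
    [pscustomobject]@{ Client = $pairs['Client']; Action = $pairs['Action']; UserAgent = $ua; Shape = $shape }
}

$parsed = foreach ($e in $entries) {
    $info = ConvertFrom-ClientInfoString $e.ClientInfoString
    [pscustomobject]@{
        Shape = $info.Shape; Client = $info.Client; Operation = $e.Operation
        LogonType = $e.LogonType; ClientIPAddress = $e.ClientIPAddress; UserAgent = $info.UserAgent
    }
}

# Count entries per (ClientInfoString shape, operation, logon type).
$parsed | Group-Object Shape, Operation, LogonType | Sort-Object Name | Select-Object Count, Name

# Addresses that appear only on entries carrying no user agent: these rows name
# no browser, so they are the ones to correlate with other sign-in data.
$withUa = $parsed | Where-Object Shape -eq 'UserAgent' |
    Select-Object -ExpandProperty ClientIPAddress -Unique
$parsed | Where-Object { $_.Shape -eq 'ViaProxy' -and $_.ClientIPAddress -notin $withUa } |
    Select-Object ClientIPAddress, Operation, LogonType -Unique
```

Against a real mailbox, replace the constructed `$entries` with the output of `Search-MailboxAuditLog -Identity <mailbox> -ShowDetails` for the period under review.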