how to log SSL/TLS protocol usage for Exchange Server using the CRYPT_PROTOCOL server variable.

๐Ÿ” How to Log SSL/TLS Protocols in IIS for Exchange Server
Hey Exchange admins!
Ever wondered which TLS protocols your clients are actually using to connect to your Exchange Server?
With the push towards stronger encryption (TLS 1.2, TLS 1.3) and deprecating older versions, it's critical to know what's happening on the wire.
Today, let's look at how to log the CRYPT_PROTOCOL server variable in IIS so you can see the real SSL/TLS usage of your Exchange web services.

⚙️ Why This Matters
Exchange Server relies on IIS for all of its HTTPS client protocols:
✅ Outlook on the web (OWA)
✅ Exchange admin center (ECP)
✅ Exchange Web Services (EWS)
✅ Exchange ActiveSync
✅ MAPI over HTTP and RPC/HTTP (Outlook Anywhere)
✅ Autodiscover
If you want to retire TLS 1.0/1.1, you need proof that no clients still rely on them. Logging CRYPT_PROTOCOL in the IIS logs shows which protocol version Schannel negotiated for each individual request, so you can tie legacy protocol use to a client IP, user and User-Agent instead of guessing. Keep in mind that this only covers HTTPS: SMTP, POP3 and IMAP4 connections do not pass through IIS and have to be checked separately.

๐Ÿ“ How to Enable Logging for CRYPT_PROTOCOL
Here's a simple step-by-step:
1️⃣ Open IIS Manager
  • Open the Internet Information Services (IIS) Manager on your Exchange Server.
2️⃣ Navigate to the Right Site
  • Expand Sites ➜ Default Web Site (or any custom site hosting Exchange virtual directories). This is the client-facing site on port 443. The Exchange Back End site (port 444) only sees the proxied connection from the front end, so it tells you nothing about what your clients negotiated.
3️⃣ Open Logging Settings
  • Click on Logging in the middle pane.
4️⃣ Edit Log Fields
  • Click Select Fields…
5️⃣ Add Custom Field
  • In the W3C Logging Fields window, scroll down to Custom Fields.
  • Click Add Field…
    • Field Name: crypt-protocol
    • Source Type: Server Variable
    • Source: CRYPT_PROTOCOL

6️⃣ Apply & Save
  • Click OK to save the new field.
  • Apply the configuration.
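The same six steps can be scripted, which is handy when you have several Exchange servers. The following is an added example (not code from the original post) that uses the WebAdministration module to add the crypt-protocol custom field; it assumes the site is named 'Default Web Site' and that it runs from an elevated PowerShell prompt on a server with IIS 8.5 or later.

```powershell
# Added example, not from the original post: configure the crypt-protocol
# custom log field from PowerShell instead of clicking through IIS Manager.
# Assumes the site 'Default Web Site', an elevated prompt and IIS 8.5+.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$PsPath   = 'MACHINE/WEBROOT/APPHOST'
$Filter   = "system.applicationHost/sites/site[@name='$SiteName']/logFile/customFields"

# Custom fields are only written when the site logs in W3C format.
$logFile = Get-ItemProperty "IIS:\Sites\$SiteName" -Name logFile
if ($logFile.logFormat -ne 'W3C') {
    Set-ItemProperty "IIS:\Sites\$SiteName" -Name logFile.logFormat -Value 'W3C'
    Write-Host "Switched '$SiteName' to the W3C log format."
}

# Idempotent: only add the field if it is not already configured, so the
# script can be re-run safely on every server.
$existing = Get-WebConfiguration -PSPath $PsPath -Filter "$Filter/add" |
    Where-Object { $_.logFieldName -eq 'crypt-protocol' }

if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name '.' -Value @{
        logFieldName = 'crypt-protocol'
        sourceType   = 'ServerVariable'
        sourceName   = 'CRYPT_PROTOCOL'
    }
    Write-Host "Added crypt-protocol custom field to '$SiteName'."
} else {
    Write-Host "crypt-protocol custom field already configured on '$SiteName'."
}

# Verify: list the configured custom fields and the directory the logs go to.
Get-WebConfiguration -PSPath $PsPath -Filter "$Filter/add" |
    Select-Object logFieldName, sourceType, sourceName
(Get-ItemProperty "IIS:\Sites\$SiteName" -Name logFile).directory
```

The check on the existing collection keeps the script safe to run repeatedly; adding the same logFieldName twice would otherwise fail with a duplicate-entry configuration error.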

๐Ÿ“‚ Where to Find the Logs
  • By default, the logs are stored under:
    C:\inetpub\logs\LogFiles\W3SVC1
    (W3SVC followed by the site ID; 1 is the Default Web Site.)
  • Once a custom field is configured, IIS appends _x to the log file name (for example u_ex240115_x.log) to mark files that contain custom columns, and crypt-protocol appears as an extra column in the #Fields: header.
  • The value is the Schannel protocol constant in hex: 40 = TLS 1.0, 100 = TLS 1.1, 400 = TLS 1.2, 1000 = TLS 1.3. A "-" means the request did not use TLS at all (for example the HTTP-to-HTTPS redirect on port 80).
  • Open them with Notepad or Excel.

🧹 Clean Up Old Protocols
Once you have data, you can:
✅ Identify outdated clients or devices still using TLS 1.0/1.1, down to the source IP, user and User-Agent.
✅ Plan upgrades or retire legacy connections.
✅ Harden your environment by disabling the older protocols in Schannel once you're sure they're unused, and keep the logging in place afterwards so any handshake that still falls back to them shows up immediately.

✨ Bonus Tip: Automate Analysis
The raw logs can be huge. You can:
  • Use Log Parser Studio or PowerShell to filter crypt-protocol usage.
  • Visualize trends to show management why it's safe to disable older protocols.
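Here is what that filtering looks like in PowerShell. This is an added example, not code from the original post: it parses the W3C log format (column names taken from the #Fields: header), decodes the hex crypt-protocol value into a protocol name, and reports which clients still negotiate TLS 1.0/1.1. The log lines embedded below are constructed for illustration; for real data, feed it the _x log files from the log directory as shown in the comment.

```powershell
# Added example, not from the original post: decode crypt-protocol from IIS
# W3C logs and find clients still on TLS 1.0/1.1. Sample log lines below are
# constructed; for real data use
#   Import-IisW3cLog -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*_x.log')

# CRYPT_PROTOCOL is logged as a hex Schannel SP_PROT_* bitmask. Each mask
# below covers the server and client bit of one version, so the decoder
# works no matter which side's bit is set.
$ProtocolMasks = [ordered]@{
    'TLS 1.3' = 0x3000
    'TLS 1.2' = 0x0C00
    'TLS 1.1' = 0x0300
    'TLS 1.0' = 0x00C0
    'SSL 3.0' = 0x0030
    'SSL 2.0' = 0x000C
}

function ConvertFrom-CryptProtocol {
    param([string]$Value)
    # '-' is what IIS writes for requests that did not use TLS (e.g. port 80).
    if ([string]::IsNullOrEmpty($Value) -or $Value -eq '-') { return 'none' }
    $bits = [Convert]::ToInt32($Value, 16)
    foreach ($name in $ProtocolMasks.Keys) {
        if ($bits -band $ProtocolMasks[$name]) { return $name }
    }
    return "unknown (0x$Value)"
}

# Minimal W3C parser: '#Fields:' lines define the columns, data lines are
# space-separated (IIS replaces spaces inside a value with '+').
function Import-IisW3cLog {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $record[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        # Files written before the custom field existed have no such column.
        $record['tls'] = if ($record.Contains('crypt-protocol')) {
            ConvertFrom-CryptProtocol $record['crypt-protocol']
        } else { 'not logged' }
        [pscustomobject]$record
    }
}

# Constructed sample log (not real traffic): a browser on TLS 1.2, an old
# Android EAS device on TLS 1.0, Outlook on TLS 1.2, a scanner on TLS 1.1,
# and a plain-HTTP redirect with no TLS at all.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip cs(User-Agent) sc-status crypt-protocol
2024-01-15 08:00:01 10.0.0.5 GET /owa/ 443 CONTOSO\alice 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200 400
2024-01-15 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync 443 CONTOSO\bob 198.51.100.7 Android/4.4+EAS-2.5 200 40
2024-01-15 08:00:03 10.0.0.5 POST /mapi/emsmdb/ 443 CONTOSO\carol 192.0.2.22 Microsoft+Office/16.0 200 400
2024-01-15 08:00:04 10.0.0.5 POST /ews/exchange.asmx 443 CONTOSO\svc-scanner 203.0.113.9 JavaMail/1.4 200 100
2024-01-15 08:00:05 10.0.0.5 GET /owa/ 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 301 -
'@

$records = Import-IisW3cLog -Lines ($SampleLog -split "`r?`n")

# 1. Overall picture: requests per negotiated protocol version.
$records | Group-Object tls | Sort-Object Count -Descending |
    Select-Object @{n = 'Protocol'; e = { $_.Name }}, Count | Format-Table -AutoSize

# 2. Who still depends on the legacy versions: one line per IP/user/agent.
$records | Where-Object { $_.tls -in 'TLS 1.0', 'TLS 1.1' } |
    Group-Object 'c-ip', 'cs-username', 'cs(User-Agent)', 'tls' |
    Select-Object Count, Name | Format-Table -AutoSize
```

The second report is the one to hand to the owners of the legacy clients; grouping on IP, user and User-Agent together separates a single old device from a fleet of them. Against a day's worth of real _x files the same two pipelines work unchanged, because each file carries its own #Fields: header.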

📌 Closing Thoughts
🔒 Keeping Exchange secure means keeping your TLS config up-to-date, and logging CRYPT_PROTOCOL in IIS is a simple but powerful step to monitor your real-world usage.

💬 Are you logging your protocols? Any surprises in your environment? Drop a comment and let's share insights!
