How to find out whether Microsoft ISA Server is using X-Forwarded-For or is configured to mask all the internal IPs

Hi

We use Microsoft ISA Server as proxy servers for two groups of users within our network, and my predecessors set up these servers in the past. Our networking team is asking me whether these proxies are using X-Forwarded-For or whether they are configured to mask all the internal IPs.

I am not familiar with Microsoft ISA. Please can you provide some tutorials on how to find out whether these proxies are using X-Forwarded-For or whether they are configured to mask all the internal IPs?

Any help much appreciated
Thanks in advance.
Asked by: lianne143

btan (Exec Consultant) commented:
There is an XFF field in the HTTP header fields; you can see it by using a browser to visit your website or services and inspecting the HTTP response (IE has a developer tool to drill into the "Network" aspect, and likewise FF and Chrome). There is a mention of using Winfrasoft software in ISA to track such logs specifically for XFF. It actually installs a hook plug-in to log such occurrences.
http://www.isaserver.org/articles-tutorials/configuration-security/X-Forwarded-For-ISA-Firewall-Track-Originating-Client-Web-proxy-Chain-IIS.html
Or it can be done via another packet sniffer, or verified specifically using a network analyzer such as Wireshark or the old NetMon 3.x (http://www.microsoft.com/en-us/download/details.aspx?id=4865).

In short, X-Forwarded-For logging is supported by many web servers, including Apache. Microsoft IIS 6.0 and 7.0 can use a third-party ISAPI filter (like the above-mentioned Winfrasoft X-Forwarded-For) for IIS to accomplish this task. IIS 7.0 can also use an HTTP Module (successor to the ISAPI filter in IIS support) for this filtering.

Note that the firewall rules will not take into account the XFF header.
0
PaulOfford commented:
IIS 7 and later has an Advanced Logging facility.  With Advanced Logging enabled you can include just about any header field in the IIS access log including X-FORWARDED-FOR.  See http://www.iis.net/learn/extensions/advanced-logging-module/advanced-logging-for-iis-custom-logging for details, in particular the section on Adding Custom Logging Fields.
0
btan (Exec Consultant) commented:
For the advanced logging, it also means that you have two hit logs to deal with. The advanced log must be viewed rather than the default log. This module logs to a separate file (located in ‘%SystemDrive%\inetpub\logs\AdvancedLogs’ by default). It is not hard to set up, as shared by the expert; you add a custom logging field entry into the config:
5. From the Edit Logging Fields dialog box, click the Add Field button, and then complete the following:
– in Field ID, type ‘ClientSourceIP’ (without quotes)
– in Category, select Default
– in Source Type, select Request Header
– in Source Name, type ‘X-Forwarded-For’ (without quotes)
– click the OK button on the Add Logging Field form
– click the OK button in the Edit Logging Fields form

6. In the central Advanced Logging pane, select %COMPUTERNAME%-server, and then complete the following:
– click Edit log Definition
– click the Select Fields button
– tick the ClientSourceIP field created earlier
– click the OK button on the Select Logging Fields form
– Click Apply in the actions pane
(Note this advanced log is not for IIS 6 and below, which will still rely on an ISAPI filter. A sample is shared in the article as well.) See more at http://loadbalancer.org/blog//iis-and-x-forwarded-for-header

Another means, as shared earlier, is via an HTTP module for IIS 7 and above, with a sample like ARRHelper: http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx
Or another from the vendor F5 (note it is not provided with official tech support): https://devcentral.f5.com/blogs/us/x-forwarded-for-http-module-for-iis7-source-included#.UdrYQ6TD9mM

In short, look out for the value of c-ip in the IIS logs to reflect the original client IP (or the so-called internal client IP).
0
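An added example, not part of the thread or any poster's code: once the custom field from the steps above is being logged, a short script can answer the original question by reporting, per request, whether the proxy delivered no X-Forwarded-For value (internal IPs masked), a value containing an RFC 1918 address (internal IPs exposed), or only non-internal addresses. The `ClientSourceIP` column name follows the Field ID used above; the exact `#Fields` header text and the sample log lines are constructed assumptions.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges; add any other ranges your network treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Software: IIS Advanced Logging Module
#Fields: date time c-ip cs-method cs-uri-stem ClientSourceIP
2013-07-08 10:00:01 203.0.113.10 GET /index.htm 10.1.4.23
2013-07-08 10:00:02 203.0.113.10 GET /logo.png -
2013-07-08 10:00:03 203.0.113.10 GET /app 192.168.7.5,+198.51.100.7
2013-07-08 10:00:04 203.0.113.10 GET /api 198.51.100.7
2013-07-08 10:00:05 203.0.113.10 GET /x not-an-ip
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def classify_xff(value):
    """Classify one logged X-Forwarded-For value."""
    if value in ("", "-"):
        return "masked"  # no header reached the web server
    # W3C logs encode spaces as '+'; the header is a comma-separated hop list.
    hops = [h.strip() for h in value.replace("+", " ").split(",") if h.strip()]
    try:
        addrs = [ipaddress.ip_address(h) for h in hops]
    except ValueError:
        return "malformed"  # the header is client-controllable, so expect junk
    exposed = any(a in net for a in addrs for net in INTERNAL_NETS)
    return "internal-exposed" if exposed else "forwarded"

def summarize(text, column="ClientSourceIP"):
    """Count verdicts across every request in the log text."""
    return Counter(classify_xff(r.get(column, "-")) for r in parse_w3c(text))

if __name__ == "__main__":
    for verdict, count in summarize(SAMPLE_LOG).items():
        print(f"{verdict}: {count}")
```

Run it against a log captured on a server that sits behind the proxy; a log made up entirely of `masked` verdicts means the proxy is not passing client addresses through in this header.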
