- Windows OS
- Microsoft IIS Web Server
- Web Servers
IIS 10 and host headers?
Windows 2016 - IIS 10 I'm inexperienced with using host headers. Our developers have an app that logs the ip's making a request. They've explained that they're seeing the gateway address of the server, instead of the public address being logged. Is this the normal behavior when using host headers, or should the public address be logged? The xxx is indeed the servers gateway address, not a single public ip address is being logged. If the public ip address should be logged. What might I have mis-configured? The internal users of the site have their ip address being logged correctly. Thanks
C:\Program Files (x86)\Log Parser 2.2>logparser "select c-ip, count (c-ip) as requestcount from u_ex200206.log group by c-ip order by count(c-ip) desc"
c-ip requestcount
------------- ------------
xxx.xxx.xxx.xxx 584795
C:\Program Files (x86)\Log Parser 2.2>logparser "select c-ip, count (c-ip) as requestcount from u_ex200206.log group by c-ip order by count(c-ip) desc"
c-ip requestcount
------------- ------------
xxx.xxx.xxx.xxx 584795
It sounds like you have a load balancer, in which case the web server will see the load balacer's IP. The solution is to have the load balancer I set a http header containing the public IP of the actual client.
We have had the same issue.
We have had the same issue.
No we don't have a load balancer in play. I forgot to mention that we do have a FW in play, we are using static NAT.
Thanks
Thanks
The firewall behaves as an intermediary if it is seen as the source.
Reverse proxy?
Scanning connections, IDP, IDS
Connection, SSL or plain http?
Reverse proxy?
Scanning connections, IDP, IDS
Connection, SSL or plain http?
@arnold - no reverse proxy. At the moment were not scanning for IDS, I turned off the UTM features. Connection is using SSL.
Thanks
Thanks
it is impossible for an inbound connection that terminates on the web server to appear as though it is originating from the firewall without the firewall performing source NAT modification. though seems peculiar as it will add overhead on the firewall to then translate the response back to the..
In short, inbound traffic, the Destination NAT is updated to point to the internal system for the packet. THe source should reflect the originating system's IP address.
In your case, besides the forwarding of the packet from the public IP to the internal one, the packet originating IP is also changed to reflect the Router/firewall as the sender.
double check the port forwarding configuration and see which options are enabled there.
In short, inbound traffic, the Destination NAT is updated to point to the internal system for the packet. THe source should reflect the originating system's IP address.
In your case, besides the forwarding of the packet from the public IP to the internal one, the packet originating IP is also changed to reflect the Router/firewall as the sender.
double check the port forwarding configuration and see which options are enabled there.
@arnold - we're not doing srcnat. we're doing dstnat. The ip addy that's being recorded is not the address of the firewall, it's not the private address of the gateway assigned to the fw. It's picking up the ip address of the private gateway assigned to that particular subnet. To further aggravate me, I setup a site with an ip address and didn't use host headers for that site, the private ip of the subnet's gateway is still being recorded in the logs.
Thanks for the confirmation that the originating systems ip address is what should be recorded even if you are using host headers.
Thanks for the confirmation that the originating systems ip address is what should be recorded even if you are using host headers.
That is not possible by the information provide, something along big the path a path enters your network, dstnat changes the destination so it can hit the webserver, sonething alters the source ip, SNAT, to reflect the internal IP of your router/firewall.
While you might not think you set it up, the information presented negates your statement.
Somewhere you nat the inbound traffic. Do you have multiple paths to the internet? Are you using sd-wan?
Client ip <nat> router lan ip
Wan ip <=>. LAN side <=> web server
Based your info this is what happens to a packet,
Double check your port forwarding rule.
While you might not think you set it up, the information presented negates your statement.
Somewhere you nat the inbound traffic. Do you have multiple paths to the internet? Are you using sd-wan?
Client ip <nat> router lan ip
Wan ip <=>. LAN side <=> web server
Based your info this is what happens to a packet,
Double check your port forwarding rule.
@arnold - i agree with you something does alter the src_ip to reflect the internal ip.
We are not using sd-wan. We don't have multiple paths to the internet.
I've got something on the fw misconfigured.
We are not using sd-wan. We don't have multiple paths to the internet.
I've got something on the fw misconfigured.
Check the five's VIP definition for load diatribution whether you have the connection's NAT ticked.
The issue I think it is at the firewall versus on the loadbalancer because the webserver sees the requests coming from the firewall ip and it from an ip ofThe loadbalancer.
See if you can see sessions on the loadbalancer where you should see firewall gateway ip to the VIP, webserver lan ip.
The issue I think it is at the firewall versus on the loadbalancer because the webserver sees the requests coming from the firewall ip and it from an ip ofThe loadbalancer.
See if you can see sessions on the loadbalancer where you should see firewall gateway ip to the VIP, webserver lan ip.
Explore More ContentExplore courses, solutions, and other research materials related to this topic.
-
![]()
received a Solution
How to completely delete an IIS Web site and clean up everything. -
![]()
wrote an Article
![]()
Difficult Windows 10 Problem
-
![]()
created a Video
![]()
Windows 10 Insider Preview 19033 review
-
Explore Cloud Class® ![]()
Certification: MCP Microsoft Certified Partner - Installing and Configuring Windows 7
Premium Content
You need an Expert Office subscription to comment.Start Free Trial