We help IT Professionals succeed at work.

IIS 10 and host headers?

Windows 2016 - IIS 10  I'm inexperienced with using host headers.  Our developers have an app that logs the ip's making a request.  They've explained that they're seeing the gateway address of the server, instead of the public address being logged.  Is this the normal behavior when using host headers, or should the public address be logged?  The xxx is indeed the servers gateway address, not a single public ip address is being logged.  If the public ip address should be logged.  What might I have mis-configured?  The internal users of the site have their ip address being logged correctly.  Thanks

C:\Program Files (x86)\Log Parser 2.2>logparser "select c-ip, count (c-ip) as requestcount from u_ex200206.log group by c-ip order by count(c-ip) desc"
c-ip          requestcount
------------- ------------
xxx.xxx.xxx.xxx  584795
Comment
Watch Question

Zaheer IqbalTechnical Assurance & Implementation
BRONZE EXPERT

Commented:

Are you load balanced ?

kevinhsiehNetwork Engineer
BRONZE EXPERT

Commented:
It sounds like you have a load balancer, in which case the web server will see the load balacer's IP. The solution is to have the load balancer I set a http header containing the public IP of the actual client.

We have had the same issue.

Author

Commented:
No we don't have a load balancer in play.  I forgot to mention that we do have a FW in play, we are using static NAT.

Thanks
SILVER EXPERT
Distinguished Expert 2019

Commented:
The firewall behaves as an intermediary if it is seen as the source.
Reverse proxy?
Scanning connections, IDP, IDS

Connection, SSL or plain http?

Author

Commented:
@arnold - no reverse proxy.  At the moment were not scanning for IDS, I turned off the UTM features.  Connection is using SSL.

Thanks
SILVER EXPERT
Distinguished Expert 2019

Commented:
Where does the SSL terminates? on the web server or on the firewall?

Author

Commented:
@arnold - on the web server.
SILVER EXPERT
Distinguished Expert 2019

Commented:
it is impossible for an inbound connection that terminates on the web server to appear as though it is originating from the firewall without the firewall performing source NAT modification. though seems peculiar as it will add overhead on the firewall to then translate the response back to the..
In short, inbound traffic, the Destination NAT is updated to point to the internal system for the packet. THe source should reflect the originating system's IP address.
In your case, besides the forwarding of the packet from the public IP to the internal one, the packet originating IP is also changed to reflect the Router/firewall as the sender.

double check the port forwarding configuration and see which options are enabled there.

Author

Commented:
@arnold - we're not doing srcnat. we're doing dstnat.  The ip addy that's being recorded is not the address of the firewall, it's not the private address of the gateway assigned to the fw.  It's picking up the ip address of the private gateway assigned to that particular subnet.  To further aggravate me, I setup a site with an ip address and didn't use host headers for that site, the private ip of the subnet's gateway is still being recorded in the logs.
Thanks for the confirmation that the originating systems ip address is what should be recorded even if you are using host headers.
SILVER EXPERT
Distinguished Expert 2019

Commented:
That is not possible by the information provide, something along big the path a path enters your network, dstnat changes the destination so it can hit the webserver, sonething alters the source ip, SNAT, to reflect the internal IP of your router/firewall.

While you might not think you set it up, the information presented negates your statement.
Somewhere you nat the inbound traffic. Do you have multiple paths to the internet? Are you using sd-wan?
Client ip         <nat>              router lan ip
Wan ip     <=>.            LAN side <=> web server

Based your info this is what happens to a packet,

Double check your port forwarding rule.

Author

Commented:
@arnold - i agree with you something does alter the src_ip to reflect the internal ip.    
We are not using sd-wan.  We don't have multiple paths to the internet.  

I've got something on the fw misconfigured.
SILVER EXPERT
Distinguished Expert 2019
Commented:
Check the five's VIP definition for load diatribution whether you have the connection's NAT ticked.

The issue I think it is at the firewall versus on the loadbalancer because the webserver sees the requests coming from the firewall ip and it from an ip ofThe loadbalancer.

See if you can see sessions on the loadbalancer where you should see firewall gateway ip to the VIP, webserver lan ip.

Author

Commented:
Thank you Arnold, I did have NAT enabled on the policy, along with VIP's assigned to NAT the addresses.  We don't have a load balancer in play.
And thanks to Zaheer and Kevin for your suggestions.