Link to home
Start Free TrialLog in
Avatar of mobot
mobotFlag for United States of America

asked on

IIS 10 and host headers?

Windows 2016 - IIS 10  I'm inexperienced with using host headers.  Our developers have an app that logs the ip's making a request.  They've explained that they're seeing the gateway address of the server, instead of the public address being logged.  Is this the normal behavior when using host headers, or should the public address be logged?  The xxx is indeed the servers gateway address, not a single public ip address is being logged.  If the public ip address should be logged.  What might I have mis-configured?  The internal users of the site have their ip address being logged correctly.  Thanks

C:\Program Files (x86)\Log Parser 2.2>logparser "select c-ip, count (c-ip) as requestcount from u_ex200206.log group by c-ip order by count(c-ip) desc"
c-ip          requestcount
------------- ------------  584795
Avatar of Zaheer Iqbal
Zaheer Iqbal
Flag of United Kingdom of Great Britain and Northern Ireland image

Are you load balanced ?

It sounds like you have a load balancer, in which case the web server will see the load balacer's IP. The solution is to have the load balancer I set a http header containing the public IP of the actual client.

We have had the same issue.
Avatar of mobot


No we don't have a load balancer in play.  I forgot to mention that we do have a FW in play, we are using static NAT.

The firewall behaves as an intermediary if it is seen as the source.
Reverse proxy?
Scanning connections, IDP, IDS

Connection, SSL or plain http?
Avatar of mobot


@arnold - no reverse proxy.  At the moment were not scanning for IDS, I turned off the UTM features.  Connection is using SSL.

Where does the SSL terminates? on the web server or on the firewall?
Avatar of mobot


@arnold - on the web server.
it is impossible for an inbound connection that terminates on the web server to appear as though it is originating from the firewall without the firewall performing source NAT modification. though seems peculiar as it will add overhead on the firewall to then translate the response back to the..
In short, inbound traffic, the Destination NAT is updated to point to the internal system for the packet. THe source should reflect the originating system's IP address.
In your case, besides the forwarding of the packet from the public IP to the internal one, the packet originating IP is also changed to reflect the Router/firewall as the sender.

double check the port forwarding configuration and see which options are enabled there.
Avatar of mobot


@arnold - we're not doing srcnat. we're doing dstnat.  The ip addy that's being recorded is not the address of the firewall, it's not the private address of the gateway assigned to the fw.  It's picking up the ip address of the private gateway assigned to that particular subnet.  To further aggravate me, I setup a site with an ip address and didn't use host headers for that site, the private ip of the subnet's gateway is still being recorded in the logs.
Thanks for the confirmation that the originating systems ip address is what should be recorded even if you are using host headers.
That is not possible by the information provide, something along big the path a path enters your network, dstnat changes the destination so it can hit the webserver, sonething alters the source ip, SNAT, to reflect the internal IP of your router/firewall.

While you might not think you set it up, the information presented negates your statement.
Somewhere you nat the inbound traffic. Do you have multiple paths to the internet? Are you using sd-wan?
Client ip         <nat>              router lan ip
Wan ip     <=>.            LAN side <=> web server

Based your info this is what happens to a packet,

Double check your port forwarding rule.
Avatar of mobot


@arnold - i agree with you something does alter the src_ip to reflect the internal ip.    
We are not using sd-wan.  We don't have multiple paths to the internet.  

I've got something on the fw misconfigured.
Avatar of arnold
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of mobot


Thank you Arnold, I did have NAT enabled on the policy, along with VIP's assigned to NAT the addresses.  We don't have a load balancer in play.
And thanks to Zaheer and Kevin for your suggestions.