Avatar of mobot
mobot
Flag for United States of America asked on

IIS 10 and host headers?

Windows 2016 - IIS 10  I'm inexperienced with using host headers.  Our developers have an app that logs the ip's making a request.  They've explained that they're seeing the gateway address of the server, instead of the public address being logged.  Is this the normal behavior when using host headers, or should the public address be logged?  The xxx is indeed the servers gateway address, not a single public ip address is being logged.  If the public ip address should be logged.  What might I have mis-configured?  The internal users of the site have their ip address being logged correctly.  Thanks

C:\Program Files (x86)\Log Parser 2.2>logparser "select c-ip, count (c-ip) as requestcount from u_ex200206.log group by c-ip order by count(c-ip) desc"
c-ip          requestcount
------------- ------------
xxx.xxx.xxx.xxx  584795
Windows OSMicrosoft IIS Web Server

Avatar of undefined
Last Comment
mobot

8/22/2022 - Mon
Zaheer Iqbal

Are you load balanced ?

kevinhsieh

It sounds like you have a load balancer, in which case the web server will see the load balacer's IP. The solution is to have the load balancer I set a http header containing the public IP of the actual client.

We have had the same issue.
mobot

ASKER
No we don't have a load balancer in play.  I forgot to mention that we do have a FW in play, we are using static NAT.

Thanks
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
arnold

The firewall behaves as an intermediary if it is seen as the source.
Reverse proxy?
Scanning connections, IDP, IDS

Connection, SSL or plain http?
mobot

ASKER
@arnold - no reverse proxy.  At the moment were not scanning for IDS, I turned off the UTM features.  Connection is using SSL.

Thanks
arnold

Where does the SSL terminates? on the web server or on the firewall?
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
mobot

ASKER
@arnold - on the web server.
arnold

it is impossible for an inbound connection that terminates on the web server to appear as though it is originating from the firewall without the firewall performing source NAT modification. though seems peculiar as it will add overhead on the firewall to then translate the response back to the..
In short, inbound traffic, the Destination NAT is updated to point to the internal system for the packet. THe source should reflect the originating system's IP address.
In your case, besides the forwarding of the packet from the public IP to the internal one, the packet originating IP is also changed to reflect the Router/firewall as the sender.

double check the port forwarding configuration and see which options are enabled there.
mobot

ASKER
@arnold - we're not doing srcnat. we're doing dstnat.  The ip addy that's being recorded is not the address of the firewall, it's not the private address of the gateway assigned to the fw.  It's picking up the ip address of the private gateway assigned to that particular subnet.  To further aggravate me, I setup a site with an ip address and didn't use host headers for that site, the private ip of the subnet's gateway is still being recorded in the logs.
Thanks for the confirmation that the originating systems ip address is what should be recorded even if you are using host headers.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
arnold

That is not possible by the information provide, something along big the path a path enters your network, dstnat changes the destination so it can hit the webserver, sonething alters the source ip, SNAT, to reflect the internal IP of your router/firewall.

While you might not think you set it up, the information presented negates your statement.
Somewhere you nat the inbound traffic. Do you have multiple paths to the internet? Are you using sd-wan?
Client ip         <nat>              router lan ip
Wan ip     <=>.            LAN side <=> web server

Based your info this is what happens to a packet,

Double check your port forwarding rule.
mobot

ASKER
@arnold - i agree with you something does alter the src_ip to reflect the internal ip.    
We are not using sd-wan.  We don't have multiple paths to the internet.  

I've got something on the fw misconfigured.
ASKER CERTIFIED SOLUTION
arnold

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
mobot

ASKER
Thank you Arnold, I did have NAT enabled on the policy, along with VIP's assigned to NAT the addresses.  We don't have a load balancer in play.
And thanks to Zaheer and Kevin for your suggestions.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.