topic Re: Content Switch replacing Client IP in IIS Logs in Application Networking

Content Switch replacing Client IP in IIS Logs

etrade.admin — Wed, 27 Oct 2010 05:51:40 GMT

Hello Guys,

I have been facing this problem ever since we configured our content switch infront of our web server. The IIS logs in the web server now show the content switch IP in the 'c-ip' column.

Below is configuration for the website:

service GlobalInv
port 80
protocol tcp
ip address 172.21.21.31
active

owner GlobalWebSite

content GlobalInv-http
    vip address 172.21.21.52
    add service GlobalInv
    port 80
    protocol tcp
    advanced-balance sticky-srcip
    active

group GlobalInv
vip address 172.21.21.52
add destination service GlobalInv
active

Can someone please help me tellin as to how I can have the actual client IP addresses shown in my IIS logs instead of the content switch IP.

Please this is very important to us.

Re: Content Switch replacing Client IP in IIS Logs

jsirstin — Wed, 27 Oct 2010 19:07:11 GMT

Shahim,

The only way you can get the original client IP to show up in the server logs is to not use the service GlobalInv in the group. If you remove this service from the group you will need to insure that the server replies back to the CSS. This can be done by changing the default gateway of the server, or using policy based routing (PBR) to force the server reply back to the CSS. You generally need to use client nat with the group command when using a one-armed config, or the servers are not local to the CSS. If you can share your topology I can take a look at it.

Regards

Jim

Re: Content Switch replacing Client IP in IIS Logs

etrade.admin — Thu, 28 Oct 2010 05:56:47 GMT

Thanks Jim,

I am sorry but am not an export in CCS, it would be a great help to me if you can instruct me on how I can actually achieve this.

I have already set the default gateway of my web server to the Content switch.

My topology is quite simple, both the content switch & the web server are in the DMZ zone (same subnet) and are connected to the same switch. Users from outside & inside the company access our corporate website through the content switch

Below is the configuration of my content switch (with the related config marked in red):

CSS-GLOBAL# sh runn
!Generated on 10/26/2010 23:14:04
!Active version: sg0810106

configure

!*************************** GLOBAL ***************************
dns primary 172.21.1.13
dns secondary 192.168.0.50

ssl associate rsakey eglobal eglobal.pem
ssl associate cert eglobal-selfsigned eglobal.selfsigned.pem
ssl associate rsakey glopedia glopedia.pem
ssl associate cert glopedia glopedia.selfsigned.pem
ssl associate cert eglobal-versign e-global-verisign.pem
ssl associate cert glopedia-verisign glopedia-verisign.pem
ssl associate cert EGlobal-Web EGlobal-Web.pem
ssl associate cert EGlobal-Web-Chain EGlobal-Web.pem
ssl associate cert Glopedia-Web-Chain Glopedia-Web.pem

ftp-record conf 172.16.143.43 shahim des-password 1bnc2hnduhmgjend /

ip route 0.0.0.0 0.0.0.0 172.21.21.1 1
ip route 172.21.1.0 255.255.255.0 172.21.21.4 1
ip route 172.16.0.0 255.255.0.0 172.21.21.4 1
ip route 192.168.0.0 255.255.255.0 172.21.21.4 1

!************************* INTERFACE *************************
interface e1
description "To Global Switch Foundary"

!************************** CIRCUIT **************************
circuit VLAN1

ip address 172.21.21.49 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list SSL-Proxy-List
ssl-server 51
ssl-server 51 rsakey eglobal
ssl-server 51 vip address 172.21.21.51
ssl-server 51 cipher rsa-with-rc4-128-md5 172.21.21.51 80 weight 10
ssl-server 51 cipher rsa-with-rc4-128-sha 172.21.21.51 80 weight 8
ssl-server 51 cipher rsa-export-with-rc4-40-md5 172.21.21.51 80 weight 5
ssl-server 50
ssl-server 50 rsakey glopedia
ssl-server 50 vip address 172.21.21.50
ssl-server 50 cipher rsa-with-rc4-128-md5 172.21.21.50 80 weight 10
ssl-server 50 cipher rsa-with-rc4-128-sha 172.21.21.50 80 weight 8
ssl-server 50 cipher rsa-export-with-rc4-40-md5 172.21.21.50 80 weight 5
ssl-server 50 urlrewrite 1 *
ssl-server 51 urlrewrite 1 *
ssl-server 51 rsacert EGlobal-Web-Chain
ssl-server 50 rsacert Glopedia-Web-Chain
active

!************************** SERVICE **************************
service E-Global-https
ip address 172.21.21.32
port 80
protocol tcp
active

service Ghalia
port 81
protocol tcp
ip address 172.21.21.31
active

service GlobalInv
port 80
protocol tcp
ip address 172.21.21.31
active

service dms
ip address 172.21.1.115
port 80
protocol tcp
keepalive type http
active

service eglobal-http
port 80
protocol tcp
ip address 172.21.21.32
keepalive type http
active

service email
ip address 172.21.1.122
port 80
protocol tcp
keepalive type http
active

service email123
ip address 172.21.1.123
port 80
protocol tcp
keepalive type http
active

service glopedia
ip address 192.168.2.32
port 80
protocol tcp
active

service glopedia-expapps
ip address 192.168.2.32
port 4028
protocol tcp
active

service secure-transfer
type redirect
no prepend-http
ip address 172.21.21.32
keepalive type none
domain https://www.e-global.com.kw
active

service ssl-eglobal
type ssl-accel
keepalive type none
slot 2
add ssl-proxy-list SSL-Proxy-List
active

service workflow
ip address 172.21.21.44
port 80
protocol tcp
keepalive type http
active

!*************************** OWNER ***************************
owner EGlobal

content eglobal-http
    vip address 172.21.21.51
    no persistent
    protocol tcp
    port 80
    url "/*"
    add service eglobal-http
    active

content eglobal-https
    vip address 172.21.21.51
    protocol tcp
    port 443
    add service ssl-eglobal
    active

owner GhaliaWebSite

content Ghalia-http
    vip address 172.21.21.53
    add service Ghalia
    protocol tcp
    port 80
    active

owner GlobalWebSite

content GlobalInv-http
    vip address 172.21.21.52
    add service GlobalInv
    port 80
    protocol tcp
    advanced-balance sticky-srcip
    active

owner Glopedia

content bpmweb
    vip address 172.21.21.50
    url "/workflow"
    protocol tcp
    port 80
    redirect "/bpmweb"
    active

content cyberdocs
    vip address 172.21.21.50
    add service dms
    protocol tcp
    port 80
    url "/CyberDocs*"
    active

content dms
    vip address 172.21.21.50
    url "/dms*"
    redirect "/CyberDocs"
    protocol tcp
    port 80
    active

content email
    vip address 172.21.21.50
    no persistent
    url "/email"
    protocol tcp
    port 80
    redirect "/owa"
    active

content glopedia-expapps
    vip address 172.21.21.50
    add service glopedia-expapps
    no persistent
    port 4028
    protocol tcp
    active

content glopedia-http
    vip address 172.21.21.50
    add service glopedia
    no persistent
    protocol tcp
    port 80
    url "/*"
    active

content glopedia-https
    vip address 172.21.21.50
    add service ssl-eglobal
    protocol tcp
    port 443
    active

content owa
    vip address 172.21.21.50
    add service email123
    protocol tcp
    port 80
    url "/owa*"
    active

content workflow
    vip address 172.21.21.50
    add service workflow
    no persistent
    protocol tcp
    port 80
    url "/bpmweb*"
    active

!*************************** GROUP ***************************
group Ghalia
vip address 172.21.21.53
add destination service Ghalia
active

group GlobalInv
vip address 172.21.21.52
add destination service GlobalInv
active

group dms
vip address 172.21.21.50
add destination service dms
add destination service email
add destination service workflow
add destination service glopedia
add destination service email123
add destination service glopedia-expapps
active

group eglobal
vip address 172.21.21.51
add destination service eglobal-http
active

Re: Content Switch replacing Client IP in IIS Logs

jsirstin — Thu, 28 Oct 2010 14:55:38 GMT

Shahim,

You have two options here.

One is to have the server use the CSS as the default gateway and remove the service from the group command.

group GlobalInv
vip address 172.21.21.52
add destination service GlobalInv Remove this service from the group.
active

This is fine for load balancing but any traffic sourced from or destined to the server direct will only have half the conversation passing through the CSS. You may see the CSS flag this traffic as possible DOS attacks.

The second option is to move to a bridge design. in this case you create a second layer 2 vlan on the switch and plug a second interface on the CSS to this new vlan. From the CSS perspective both interfaces are part of vlan 1 and will bridge the two vlans on the switch. Any servers that need to see the original client IP address for load balancing would be placed in this new vlan. The IP and gateway of the servers do not need to be changed. Servers would still point to the switch not the CSS as the default gateway. There is no need for client nat in this topology since the servers are behind the CSS.

switch

Vlan 1 | Vlan2----- servcie Globallnv

| |

E1-----CSS---E2

Let me know if you need more clarification?

Best regards

Jim