
Content Switch replacing Client IP in IIS Logs

etrade.admin
Level 1

Hello Guys,


I have been facing this problem ever since we configured our content switch in front of our web server. The IIS logs in the web server now show the content switch IP in the 'c-ip' column.

Below is configuration for the website:

service GlobalInv
  port 80
  protocol tcp
  ip address 172.21.21.31
  active

owner GlobalWebSite
        
  content GlobalInv-http
    vip address 172.21.21.52
    add service GlobalInv
    port 80
    protocol tcp
    advanced-balance sticky-srcip
    active

group GlobalInv
  vip address 172.21.21.52
  add destination service GlobalInv
  active

Can someone please help me by telling me how I can have the actual client IP addresses shown in my IIS logs instead of the content switch IP.

Please this is very important to us.

3 Replies

jsirstin
Level 1

Shahim,

The only way you can get the original client IP to show up in the server logs is to not use the service GlobalInv in the group. If you remove this service from the group you will need to ensure that the server replies back to the CSS. This can be done by changing the default gateway of the server, or using policy based routing (PBR) to force the server reply back to the CSS. You generally need to use client NAT with the group command when using a one-armed config, or the servers are not local to the CSS. If you can share your topology I can take a look at it.

Regards

Jim

Thanks Jim,

I am sorry but I am not an expert in CSS; it would be a great help to me if you can instruct me on how I can actually achieve this.

I have already set the default gateway of my web server to the Content switch.

My topology is quite simple: both the content switch and the web server are in the DMZ zone (same subnet) and are connected to the same switch. Users from outside and inside the company access our corporate website through the content switch.

Below is the configuration of my content switch (with the related config marked in red):

CSS-GLOBAL# sh runn
!Generated on 10/26/2010 23:14:04
!Active version: sg0810106

configure


!*************************** GLOBAL ***************************
  dns primary 172.21.1.13
  dns secondary 192.168.0.50

  ssl associate rsakey eglobal eglobal.pem
  ssl associate cert eglobal-selfsigned eglobal.selfsigned.pem
  ssl associate rsakey glopedia glopedia.pem
  ssl associate cert glopedia glopedia.selfsigned.pem
  ssl associate cert eglobal-versign e-global-verisign.pem
  ssl associate cert glopedia-verisign glopedia-verisign.pem
  ssl associate cert EGlobal-Web EGlobal-Web.pem
  ssl associate cert EGlobal-Web-Chain EGlobal-Web.pem
  ssl associate cert Glopedia-Web-Chain Glopedia-Web.pem

  ftp-record conf 172.16.143.43 shahim des-password 1bnc2hnduhmgjend /

  ip route 0.0.0.0 0.0.0.0 172.21.21.1 1
  ip route 172.21.1.0 255.255.255.0 172.21.21.4 1
  ip route 172.16.0.0 255.255.0.0 172.21.21.4 1
  ip route 192.168.0.0 255.255.255.0 172.21.21.4 1

!************************* INTERFACE *************************
interface e1
  description "To Global Switch Foundary"

!************************** CIRCUIT **************************
circuit VLAN1

  ip address 172.21.21.49 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list SSL-Proxy-List
  ssl-server 51
  ssl-server 51 rsakey eglobal
  ssl-server 51 vip address 172.21.21.51
  ssl-server 51 cipher rsa-with-rc4-128-md5 172.21.21.51 80 weight 10
  ssl-server 51 cipher rsa-with-rc4-128-sha 172.21.21.51 80 weight 8
  ssl-server 51 cipher rsa-export-with-rc4-40-md5 172.21.21.51 80 weight 5
  ssl-server 50
  ssl-server 50 rsakey glopedia
  ssl-server 50 vip address 172.21.21.50
  ssl-server 50 cipher rsa-with-rc4-128-md5 172.21.21.50 80 weight 10
  ssl-server 50 cipher rsa-with-rc4-128-sha 172.21.21.50 80 weight 8
  ssl-server 50 cipher rsa-export-with-rc4-40-md5 172.21.21.50 80 weight 5
  ssl-server 50 urlrewrite 1 *
  ssl-server 51 urlrewrite 1 *
  ssl-server 51 rsacert EGlobal-Web-Chain
  ssl-server 50 rsacert Glopedia-Web-Chain
  active

!************************** SERVICE **************************
service E-Global-https
  ip address 172.21.21.32
  port 80
  protocol tcp
  active

service Ghalia
  port 81
  protocol tcp
  ip address 172.21.21.31
  active

service GlobalInv
  port 80
  protocol tcp
  ip address 172.21.21.31
  active

service dms
  ip address 172.21.1.115
  port 80
  protocol tcp
  keepalive type http
  active

service eglobal-http
  port 80
  protocol tcp
  ip address 172.21.21.32
  keepalive type http
  active

service email
  ip address 172.21.1.122
  port 80
  protocol tcp
  keepalive type http
  active

service email123
  ip address 172.21.1.123
  port 80
  protocol tcp
  keepalive type http
  active

service glopedia
  ip address 192.168.2.32
  port 80
  protocol tcp
  active

service glopedia-expapps
  ip address 192.168.2.32
  port 4028
  protocol tcp
  active

service secure-transfer
  type redirect
  no prepend-http
  ip address 172.21.21.32
  keepalive type none
  domain https://www.e-global.com.kw
  active

service ssl-eglobal
  type ssl-accel
  keepalive type none
  slot 2
  add ssl-proxy-list SSL-Proxy-List
  active

service workflow
  ip address 172.21.21.44
  port 80
  protocol tcp
  keepalive type http
  active

!*************************** OWNER ***************************
owner EGlobal

  content eglobal-http
    vip address 172.21.21.51
    no persistent
    protocol tcp
    port 80
    url "/*"
    add service eglobal-http
    active

  content eglobal-https
    vip address 172.21.21.51
    protocol tcp
    port 443
    add service ssl-eglobal
    active

owner GhaliaWebSite

  content Ghalia-http
    vip address 172.21.21.53
    add service Ghalia
    protocol tcp
    port 80
    active

owner GlobalWebSite

  content GlobalInv-http
    vip address 172.21.21.52
    add service GlobalInv
    port 80
    protocol tcp
    advanced-balance sticky-srcip
    active

owner Glopedia

  content bpmweb
    vip address 172.21.21.50
    url "/workflow"
    protocol tcp
    port 80
    redirect "/bpmweb"
    active

  content cyberdocs
    vip address 172.21.21.50
    add service dms
    protocol tcp
    port 80
    url "/CyberDocs*"
    active
        
  content dms
    vip address 172.21.21.50
    url "/dms*"
    redirect "/CyberDocs"
    protocol tcp
    port 80
    active

  content email
    vip address 172.21.21.50
    no persistent
    url "/email"
    protocol tcp
    port 80
    redirect "/owa"
    active

  content glopedia-expapps
    vip address 172.21.21.50
    add service glopedia-expapps
    no persistent
    port 4028
    protocol tcp
    active

  content glopedia-http
    vip address 172.21.21.50
    add service glopedia
    no persistent
    protocol tcp
    port 80
    url "/*"
    active

  content glopedia-https
    vip address 172.21.21.50
    add service ssl-eglobal
    protocol tcp
    port 443
    active

  content owa
    vip address 172.21.21.50
    add service email123
    protocol tcp
    port 80
    url "/owa*"
    active

  content workflow
    vip address 172.21.21.50
    add service workflow
    no persistent
    protocol tcp
    port 80
    url "/bpmweb*"
    active

!*************************** GROUP ***************************
group Ghalia
  vip address 172.21.21.53
  add destination service Ghalia
  active

group GlobalInv
  vip address 172.21.21.52
  add destination service GlobalInv
  active

group dms
  vip address 172.21.21.50
  add destination service dms
  add destination service email
  add destination service workflow
  add destination service glopedia
  add destination service email123
  add destination service glopedia-expapps
  active

group eglobal
  vip address 172.21.21.51
  add destination service eglobal-http
  active

Shahim,

You have two options here.

One is to have the server use the CSS as the default gateway and remove the service from the group command.

group GlobalInv
  vip address 172.21.21.52
  add destination service GlobalInv   <-- Remove this service from the group.
  active

This is fine for load balancing, but any traffic sourced from or destined to the server directly will only have half the conversation passing through the CSS. You may see the CSS flag this traffic as a possible DoS attack.

The second option is to move to a bridge design. In this case you create a second layer 2 VLAN on the switch and plug a second interface on the CSS into this new VLAN. From the CSS perspective both interfaces are part of VLAN 1 and will bridge the two VLANs on the switch. Any servers that need to see the original client IP address for load balancing would be placed in this new VLAN. The IP and gateway of the servers do not need to be changed. Servers would still point to the switch, not the CSS, as the default gateway. There is no need for client NAT in this topology since the servers are behind the CSS.

          switch
  Vlan 1    |      Vlan 2 ----- service GlobalInv
     |                  |
    E1 ----- CSS ----- E2

Let me know if you need more clarification.

Best regards

Jim
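Whichever of the two options above is applied, the result has to be verified from the IIS side: the 'c-ip' column should stop showing the content switch address and start showing distinct client addresses. The script below is an added example, not something posted in the thread or shipped with the CSS; it parses IIS W3C extended logs using the #Fields header (so the column position of c-ip does not have to be hard-coded) and reports how many requests still carry a NAT address. The two sample logs are constructed for the example; the addresses 172.21.21.52 (the GlobalInv VIP) and 172.21.21.49 (the CSS circuit address) are taken from the config posted above and are assumed to be the addresses a client-NAT group would substitute for the real client. The public client addresses in the "after" sample are documentation ranges, not real users.

```python
"""Check IIS W3C logs for client addresses masked by a load balancer.

Added example (not from the thread). Sample log lines are constructed;
the NAT address set is assumed from the posted CSS config.
"""
from collections import Counter
from ipaddress import ip_address

# Addresses the CSS presents as the source when client NAT is in effect.
# Assumed from the posted config: VIP 172.21.21.52 and circuit IP 172.21.21.49.
NAT_ADDRESSES = {"172.21.21.52", "172.21.21.49"}

# Constructed sample: what the IIS log looks like before the group change.
LOG_BEFORE = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-10-26 23:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-10-26 23:00:01 172.21.21.31 GET /default.aspx - 80 - 172.21.21.52 Mozilla/4.0 200 0 0
2010-10-26 23:00:02 172.21.21.31 GET /login.aspx - 80 - 172.21.21.52 Mozilla/4.0 200 0 0
2010-10-26 23:00:03 172.21.21.31 POST /login.aspx - 80 - 172.21.21.52 Mozilla/4.0 302 0 0
"""

# Constructed sample: real clients visible, one request still NAT-sourced.
LOG_AFTER = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-10-27 08:00:01 172.21.21.31 GET /default.aspx - 80 - 203.0.113.7 Mozilla/4.0 200 0 0
2010-10-27 08:00:02 172.21.21.31 GET /login.aspx - 80 - 198.51.100.23 Mozilla/4.0 200 0 0
2010-10-27 08:00:03 172.21.21.31 GET /default.aspx - 80 - 172.21.21.52 Mozilla/4.0 200 0 0
"""


def client_ips(log_text):
    """Yield the c-ip value of each request line, honouring the #Fields header.

    IIS may emit a new #Fields directive mid-file (after a restart or a
    logging change), so the column index is recomputed whenever one appears.
    Lines whose c-ip is not a valid address (e.g. "-") are skipped.
    """
    c_ip_index = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            c_ip_index = fields.index("c-ip")
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if c_ip_index is None:
            raise ValueError("request line seen before any #Fields header")
        parts = line.split()
        if len(parts) <= c_ip_index:
            continue  # truncated line; do not guess
        try:
            ip_address(parts[c_ip_index])
        except ValueError:
            continue
        yield parts[c_ip_index]


def nat_report(log_text, nat_addresses=NAT_ADDRESSES):
    """Summarise how many requests still carry a load-balancer source address."""
    counts = Counter(client_ips(log_text))
    total = sum(counts.values())
    masked = sum(n for ip, n in counts.items() if ip in nat_addresses)
    return {
        "requests": total,
        "masked": masked,
        "masked_fraction": (masked / total) if total else 0.0,
        "distinct_clients": len(set(counts) - set(nat_addresses)),
        # True when every request is NAT-sourced: the symptom from the thread.
        "still_masked": total > 0 and masked == total,
    }


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        r = nat_report(log)
        print(f"{label}: {r['masked']}/{r['requests']} requests NAT-sourced, "
              f"{r['distinct_clients']} distinct real clients, "
              f"still masked: {r['still_masked']}")
```

Run it against a real log file by passing its contents to nat_report; a residual non-zero masked count after the change is expected for health checks or traffic that legitimately originates from the CSS itself, but still_masked should be False once real clients reach the server unmodified.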
