How to pass original Client IP to load balanced IIS servers

pmajumder
Level 3

Hi All,

I have a pair of CSS 11500 content services switches fronting our IIS web servers farm. On these IIS servers the IIS logs are enabled for our websites. However, when I analyze the IIS logs the client IP is always the IP address of the load balancer, and not the real client IP.

Can anyone help me configure the content switch to send the real IP, or is there some other method which will allow IIS to log the real client IP?

Any advice/pointers would be much appreciated.

Thanks,

Pradeep


9 Replies

litrenta
Level 3

This is most likely due to having source groups with add destination services configured (each service in each content rule is added to a source group as add destination service). This is done when the topology is such that the server's default gateway is not the CSS and/or the server's return traffic does not pass back through the CSS to be natted.  A source group with the services added as destination services will nat the client's source IP to the group's VIP when that service is selected from a LB decision; this forces the server's response to pass through the CSS.  So, the topology needs to be re-examined if you require the client's source IP to be maintained.  The server's response must go through the CSS either by setting the server's default gateway as the CSS or using PBR on a Cat switch.

On the ACE we have the ability to insert an HTTP header such as X-Forwarded-For with the client IP; then with an ISAPI filter on the IIS server you can log client IPs rather than the source IP.
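As an added illustration (not part of the reply above, and not configuration from the original thread): the CSS group shape that produces the source NAT described, and an ACE configuration of the kind referred to that inserts the client address as X-Forwarded-For. Names such as web1, web-nat, WEB-FARM and HTTP-PARAM are placeholders; the CSS removal commands are given as recalled from the CSS CLI and should be checked against the command reference for your software release.

```text
! CSS: a source group with the service added as a destination service.
! Every client flow that is load balanced to "web1" leaves the CSS with the
! group VIP as its source address, so the server never sees the client IP.
group web-nat
  vip address 10.1.1.100
  add destination service web1
  active

! CSS: when the servers use the CSS as their default gateway the group is not
! needed; suspend it and delete it, and the client IP is passed through.
group web-nat
  suspend
no group web-nat

! ACE: insert X-Forwarded-For carrying the client source address (%is).
! persistence-rebalance makes the ACE parse every request on a persistent
! connection, so the header is inserted per request, not only on the first.
parameter-map type http HTTP-PARAM
  persistence-rebalance

class-map match-all WEB-VIP
  2 match virtual-address 10.1.1.100 tcp eq www

policy-map type loadbalance first-match WEB-LB
  class class-default
    serverfarm WEB-FARM
    insert-http X-Forwarded-For header-value "%is"

policy-map multi-match WEB-VIPS
  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy WEB-LB
    appl-parameter http advanced-options HTTP-PARAM
```

Two caveats go with the ACE variant. The inserted header is only as trustworthy as the path to the server: if clients can reach the IIS hosts directly, anyone can send their own X-Forwarded-For and have it logged, so the servers should accept HTTP only from the load balancer. And a client may already send an X-Forwarded-For of its own; check whether the ACE appends to it or replaces it, and make the filter on IIS use only the value the ACE added (the last one), never the first.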

Hi,

Thanks for the response. We do have all our servers configured to use the CSS as their default gateway. I also have the services defined for each server (3 total) and then I have added those three services to my content rule.

You mention the ACE and the ability "to insert an http header such as x-forwarded-for with the client ip then with an isapi filter on the IIS server". Could you please elaborate and let me know where I can obtain those tools/filter?

Thanks Again,

Pradeep

Hi there,

Just as a side note, you will also need a parameter map to insert the IP in every packet; otherwise you get the server guys moaning that the forwarding isn't working.

Before changing the equipment, you should check if you have any "group" in your config.

If your servers are using the CSS as default gateway, those groups could be safely removed and the CSS will stop changing the client ip address.

Gilles.

If the servers use the CSS as default gateway, make sure you don't have a group with "add destination service" for the services involved in this load-balanced flow. Then the CSS will deliver the traffic to the server with the client IP as the source address.

A code example for the filter (which will compile with Visual Studio) can be found at

http://blogs.msdn.com/b/david.wang/archive/2005/09/28/howto-isapi-filter-which-logs-original-client-ip-for-load-balanced-iis-servers.aspx

You can find an IIS7 plug in at

http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx

Google "isapi x-forwarded"; it is a very popular topic.
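The X-Forwarded-For route only yields a trustworthy client address if IIS believes the header when the connection really came from the load balancer, and then only the value the load balancer added; whatever a client puts in its own X-Forwarded-For is attacker-controlled. The following is an added example, not code from this thread or from the filter and module linked above, showing that trust rule applied to IIS W3C log lines. It assumes the server records the X-Forwarded-For request header as an extra log field (the linked filter and ARR module rewrite the logged c-ip instead; the rule is the same either way), that 172.21.21.49 is the only trusted proxy, and that the log lines are constructed, not real output.

```python
"""Resolve the real client address from IIS W3C log lines carrying X-Forwarded-For.

Added example for this thread, not code from the original page, the ISAPI
filter or the ARR module linked above. Assumes the X-Forwarded-For request
header is logged as an extra W3C field.
"""
import ipaddress

# Constructed sample, not real IIS output. IIS writes "-" for an absent field and
# replaces spaces inside a field with "+", so "a, b" is logged as "a,+b".
# 172.21.21.49 stands in for the load balancer's address (assumption).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-Forwarded-For
2010-10-26 23:14:04 172.21.21.49 GET /owa/ 200 203.0.113.7
2010-10-26 23:14:05 172.21.21.49 GET /owa/ 200 10.0.0.5,+203.0.113.8
2010-10-26 23:14:06 198.51.100.9 GET /owa/ 200 127.0.0.1
2010-10-26 23:14:07 172.21.21.49 GET /CSservice/KeepAlive.html 200 -
2010-10-26 23:14:08 172.21.21.49 GET /owa/ 200 203.0.113.9,+garbage
2010-10-26 23:14:09 172.21.21.49 GET /owa/ 200 172.21.21.49
"""

TRUSTED_PROXIES = {"172.21.21.49"}   # the load balancer(s) that set the header


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):   # skip truncated lines
                yield dict(zip(fields, values))


def effective_client(c_ip, xff, trusted):
    """Return (client_ip, reason) for one request.

    Trust rule: only a connection that really came from a trusted proxy may
    carry a meaningful X-Forwarded-For, and only the right-most address that
    is not itself a trusted proxy was appended by our proxy. Everything to the
    left was supplied by the client or by an upstream we do not control.
    """
    if ipaddress.ip_address(c_ip) not in trusted:
        return c_ip, "direct"            # header (if any) is client-supplied: ignore it
    hops = [h.strip() for h in xff.replace("+", " ").split(",")]
    for hop in reversed([h for h in hops if h and h != "-"]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return c_ip, "malformed"     # never log attacker-controlled text as an IP
        if addr in trusted:
            continue                     # our own proxy hop; keep walking left
        return str(addr), "forwarded"
    return c_ip, "no-client-hop"         # e.g. the load balancer's own keepalive probe


def resolve_log(text, trusted_proxies=TRUSTED_PROXIES):
    """Return [(timestamp, uri, client_ip, reason)] for every parsable log line."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    rows = []
    for rec in parse_w3c(text):
        ip, why = effective_client(rec["c-ip"], rec.get("X-Forwarded-For", "-"), trusted)
        rows.append((f"{rec['date']} {rec['time']}", rec["cs-uri-stem"], ip, why))
    return rows


if __name__ == "__main__":
    for row in resolve_log(SAMPLE_LOG):
        print("%s %-28s %-15s %s" % row)
```

The sample exercises each case a practitioner meets: a single forwarded address, a client-supplied entry left of the one the proxy appended, a direct connection that bypassed the proxy and forged the header, a keepalive-style request with no header at all, a header containing non-address text, and a header holding only the proxy's own address. The two lines that resolve to the load balancer's address with reasons "malformed" and "no-client-hop" are the ones to alert on or review, not to silently accept.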

Hi,

Thank you both for the suggestions. I do not have any group command related to these three servers. What I have is one service rule for the sorry server, 3 service rules, 3 keepalive rules and then the content rule, as follows:

service Agents-ProdSorry
  ip address z.z.z.z

  port 80
  protocol tcp
  redundant-index 72
  active

keepalive Agents1-Prodkeepalive
  type http
  port 80
  method get
  ip address y.y.y.y

  uri "/CSservice/KeepAlive.html"
  retryperiod 20
  maxfailure 1
  frequency 60
  active

service Agents1-Prod
  ip address y.y.y.y
  protocol tcp
  keepalive type named Agents1-Prodkeepalive
  redundant-index 49
  active

content Agents-Prod
    vip address x.x.x.x

    protocol tcp
    port 80
    balance weightedrr
    add service Agents1-Prod
    add service Agents2-Prod
    add service Agents3-Prod
    primarySorryServer Agents-ProdSorry
    redundant-index 64
    advanced-balance sticky-srcip
    sticky-inact-timeout 20
    active

Clearly it sounds like it should work, but I must be doing something else incorrectly.

Thanks,

Pradeep

If you really have no group command with "add destination service" then the client traffic will go to the server with the client IP as the source. The service won't get any other traffic with the CSS address except for the keepalive:

keepalive Agents1-Prodkeepalive
  type http
  port 80
  method get
  ip address y.y.y.y

  uri "/CSservice/KeepAlive.html"
  retryperiod 20
  maxfailure 1
  frequency 60
  active

This keepalive request will reach the server with the circuit IP of the CSS as the source.

That was it. I was just looking at the keepalive requests in the log and assumed everything else would also have the CSS's address. It is keeping the real client IP.

Thank you very much for the knowledge and the pointer.

Thanks,

Pradeep

etrade.admin
Level 1

I am facing the same problem.

Could you please help me too...

I have a webserver configured on the content switch & now when I check the IIS logs, all the IP addresses are of the content switch instead of the client machines.

I am attaching my configuration for you to review.

CSS-GLOBAL# sh runn
!Generated on 10/26/2010 23:14:04
!Active version: sg0810106

configure


!*************************** GLOBAL ***************************
  dns primary 172.21.1.13
  dns secondary 192.168.0.50

  ssl associate rsakey eglobal eglobal.pem
  ssl associate cert eglobal-selfsigned eglobal.selfsigned.pem
  ssl associate rsakey glopedia glopedia.pem
  ssl associate cert glopedia glopedia.selfsigned.pem
  ssl associate cert eglobal-versign e-global-verisign.pem
  ssl associate cert glopedia-verisign glopedia-verisign.pem
  ssl associate cert EGlobal-Web EGlobal-Web.pem
  ssl associate cert EGlobal-Web-Chain EGlobal-Web.pem
  ssl associate cert Glopedia-Web-Chain Glopedia-Web.pem

  ftp-record conf 172.16.143.43 shahim des-password 1bnc2hnduhmgjend /

  ip route 0.0.0.0 0.0.0.0 172.21.21.1 1
  ip route 172.21.1.0 255.255.255.0 172.21.21.4 1
  ip route 172.16.0.0 255.255.0.0 172.21.21.4 1
  ip route 192.168.0.0 255.255.255.0 172.21.21.4 1

!************************* INTERFACE *************************
interface e1
  description "To Global Switch Foundary"

!************************** CIRCUIT **************************
circuit VLAN1

  ip address 172.21.21.49 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list SSL-Proxy-List
  ssl-server 51
  ssl-server 51 rsakey eglobal
  ssl-server 51 vip address 172.21.21.51
  ssl-server 51 cipher rsa-with-rc4-128-md5 172.21.21.51 80 weight 10
  ssl-server 51 cipher rsa-with-rc4-128-sha 172.21.21.51 80 weight 8
  ssl-server 51 cipher rsa-export-with-rc4-40-md5 172.21.21.51 80 weight 5
  ssl-server 50
  ssl-server 50 rsakey glopedia
  ssl-server 50 vip address 172.21.21.50
  ssl-server 50 cipher rsa-with-rc4-128-md5 172.21.21.50 80 weight 10
  ssl-server 50 cipher rsa-with-rc4-128-sha 172.21.21.50 80 weight 8
  ssl-server 50 cipher rsa-export-with-rc4-40-md5 172.21.21.50 80 weight 5
  ssl-server 50 urlrewrite 1 *
  ssl-server 51 urlrewrite 1 *
  ssl-server 51 rsacert EGlobal-Web-Chain
  ssl-server 50 rsacert Glopedia-Web-Chain
  active

!************************** SERVICE **************************
service E-Global-https
  ip address 172.21.21.32
  port 80
  protocol tcp
  active

service Ghalia
  port 81
  protocol tcp
  ip address 172.21.21.31
  active

service GlobalInv
  port 80
  protocol tcp
  ip address 172.21.21.31
  active

service dms
  ip address 172.21.1.115
  port 80
  protocol tcp
  keepalive type http
  active

service eglobal-http
  port 80
  protocol tcp
  ip address 172.21.21.32
  keepalive type http
  active

service email
  ip address 172.21.1.122
  port 80
  protocol tcp
  keepalive type http
  active

service email123
  ip address 172.21.1.123
  port 80
  protocol tcp
  keepalive type http
  active

service glopedia
  ip address 192.168.2.32
  port 80
  protocol tcp
  active

service glopedia-expapps
  ip address 192.168.2.32
  port 4028
  protocol tcp
  active

service secure-transfer
  type redirect
  no prepend-http
  ip address 172.21.21.32
  keepalive type none
  domain https://www.e-global.com.kw
  active

service ssl-eglobal
  type ssl-accel
  keepalive type none
  slot 2
  add ssl-proxy-list SSL-Proxy-List
  active

service workflow
  ip address 172.21.21.44
  port 80
  protocol tcp
  keepalive type http
  active

!*************************** OWNER ***************************
owner EGlobal

  content eglobal-http
    vip address 172.21.21.51
    no persistent
    protocol tcp
    port 80
    url "/*"
    add service eglobal-http
    active

  content eglobal-https
    vip address 172.21.21.51
    protocol tcp
    port 443
    add service ssl-eglobal
    active

owner GhaliaWebSite

  content Ghalia-http
    vip address 172.21.21.53
    add service Ghalia
    protocol tcp
    port 80
    active

owner GlobalWebSite

  content GlobalInv-http
    vip address 172.21.21.52
    add service GlobalInv
    port 80
    protocol tcp
    advanced-balance sticky-srcip
    active

owner Glopedia

  content bpmweb
    vip address 172.21.21.50
    url "/workflow"
    protocol tcp
    port 80
    redirect "/bpmweb"
    active

  content cyberdocs
    vip address 172.21.21.50
    add service dms
    protocol tcp
    port 80
    url "/CyberDocs*"
    active
        
  content dms
    vip address 172.21.21.50
    url "/dms*"
    redirect "/CyberDocs"
    protocol tcp
    port 80
    active

  content email
    vip address 172.21.21.50
    no persistent
    url "/email"
    protocol tcp
    port 80
    redirect "/owa"
    active

  content glopedia-expapps
    vip address 172.21.21.50
    add service glopedia-expapps
    no persistent
    port 4028
    protocol tcp
    active

  content glopedia-http
    vip address 172.21.21.50
    add service glopedia
    no persistent
    protocol tcp
    port 80
    url "/*"
    active

  content glopedia-https
    vip address 172.21.21.50
    add service ssl-eglobal
    protocol tcp
    port 443
    active

  content owa
    vip address 172.21.21.50
    add service email123
    protocol tcp
    port 80
    url "/owa*"
    active

  content workflow
    vip address 172.21.21.50
    add service workflow
    no persistent
    protocol tcp
    port 80
    url "/bpmweb*"
    active

!*************************** GROUP ***************************
group Ghalia
  vip address 172.21.21.53
  add destination service Ghalia
  active

group GlobalInv
  vip address 172.21.21.52
  add destination service GlobalInv
  active

group dms
  vip address 172.21.21.50
  add destination service dms
  add destination service email
  add destination service workflow
  add destination service glopedia
  add destination service email123
  add destination service glopedia-expapps
  active

group eglobal
  vip address 172.21.21.51
  add destination service eglobal-http
  active
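The posted configuration has exactly the shape the earlier replies warn about: every service that a content rule load balances to is also an "add destination service" member of an active group. As an added example (not code from this thread or from Cisco), the script below parses a CSS running-config and reports which services will receive client traffic with the group VIP as the source address. It assumes a group or content rule without an `active` line is suspended, and its sample input is a trimmed, constructed excerpt of the configuration above, not the full text.

```python
"""Report CSS services whose client traffic is source-NATed by a group.

Added example for this thread, not code from the original page. It reads a
Cisco CSS 11500 running-config (the `sh run` text) and lists every service
that is both a target of an active content rule's `add service` and an
`add destination service` member of an active group: those servers see the
group VIP, not the client, as the source address. Assumption: a block without
an `active` line is treated as suspended.
"""
import re
from collections import defaultdict

# Constructed sample, trimmed from the configuration posted above
# (service blocks omitted: the analysis needs only content rules and groups).
SAMPLE_CONFIG = """\
owner GhaliaWebSite

  content Ghalia-http
    vip address 172.21.21.53
    add service Ghalia
    port 80
    active

owner Glopedia

  content cyberdocs
    vip address 172.21.21.50
    add service dms
    port 80
    url "/CyberDocs*"
    active

  content glopedia-https
    vip address 172.21.21.50
    add service ssl-eglobal
    port 443
    active

group Ghalia
  vip address 172.21.21.53
  add destination service Ghalia
  active

group dms
  vip address 172.21.21.50
  add destination service dms
  add destination service email
  active

group eglobal
  vip address 172.21.21.51
  add destination service eglobal-http
"""

# A block header is a keyword followed by a name; the body runs to the next header.
HEADER = re.compile(r"^(service|content|group|owner)\s+(\S+)\s*$")


def parse_css(config):
    """Return (content->services, group->destination services, group->vip, active blocks)."""
    content_services = defaultdict(set)
    group_dest = defaultdict(set)
    group_vip = {}
    active = set()
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        if current is None:
            continue
        kind, name = current
        if line == "active":
            active.add(current)
        elif kind == "content" and line.startswith("add service "):
            content_services[name].add(line.split()[-1])
        elif kind == "group" and line.startswith("add destination service "):
            group_dest[name].add(line.split()[-1])
        elif kind == "group" and line.startswith("vip address "):
            group_vip[name] = line.split()[2]
    return content_services, group_dest, group_vip, active


def natted_services(config):
    """Map each affected service to (group, group VIP, sorted content rules using it)."""
    content_services, group_dest, group_vip, active = parse_css(config)
    rules_for = defaultdict(list)
    for rule, services in content_services.items():
        if ("content", rule) in active:
            for svc in services:
                rules_for[svc].append(rule)
    result = {}
    for group, dests in group_dest.items():
        if ("group", group) not in active:
            continue                     # suspended group: no NAT applied
        for svc in dests:
            if svc in rules_for:         # in a group but never load balanced: harmless
                result[svc] = (group, group_vip.get(group), sorted(rules_for[svc]))
    return result


if __name__ == "__main__":
    for svc, (group, vip, rules) in sorted(natted_services(SAMPLE_CONFIG).items()):
        print(f"{svc}: source-NATed to {vip} by group {group}; used by {', '.join(rules)}")
```

Run against the full configuration posted above it reports Ghalia, GlobalInv and eglobal-http, plus the dms group's members that content rules actually use (dms, email123, glopedia, glopedia-expapps and workflow); the email service is in the group but no content rule balances to it. Whether the groups can simply be removed, as the earlier replies suggest, depends on the return path: the ip route lines show 172.21.1.0/24 and 192.168.0.0/24 reached via 172.21.21.4, so the dms, email and glopedia servers sit behind another router and their replies will not pass back through the CSS unless their gateway or policy routing sends them there. For those, keep the NAT or move to a load balancer that inserts X-Forwarded-For; for the servers on 172.21.21.0/24 with the CSS as default gateway, removing their groups preserves the client IP.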
