Forum Discussion
david_20684
Nimbostratus
May 08, 2008
IP address and domain name restrictions in IIS
Has anyone come up with a solution for "IP Address and Domain Name Restrictions" settings in IIS behind an f5?
I would like to restrict access to our web servers running a private appli...
hoolio
Cirrostratus
May 08, 2008
Hi,
Are you performing/do you need to perform source address translation on the BIG-IP? If not, you can configure the BIG-IP to not translate source addresses on requests sent to the pool. This requires that the servers have a route back to the client through the BIG-IP. This would typically be done by setting the default gateway of the servers to the BIG-IP's floating self IP on the server VLAN.
If you do need to perform source address translation for symmetric routing, the simplest method for passing details about the original client IP address is by inserting a custom HTTP header with the original client IP address. You can do this on the HTTP profile. But if you're using the value for authentication, it would be much more secure to use an iRule to remove all instances of the header and then insert a new header. The application would need to parse this custom HTTP header to get the client IP address. I'm not sure you can configure a default IIS installation to parse the header for authentication purposes though.
Another option would be to implement the IP address / host name checking in an iRule on the BIG-IP. It would be relatively straightforward to write a rule which does IP / host / URI validation before sending requests to the pool. There are quite a few examples of this in the iRule forum.
If you have questions on these options, let us know. If you pick one option and want help setting it up we can provide examples.
Aaron
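An added example, not part of the post above and not F5's own code: one iRule that combines the last two options described there, validating the client address on the BIG-IP and then replacing any client-supplied copy of the header with a single trusted value. The header name `X-Client-IP` and the allowed ranges are assumptions chosen for illustration.

```tcl
# Added example (not from the original thread).
# Assumptions: header name X-Client-IP and the documentation-range
# networks below are placeholders; substitute your own values.
when HTTP_REQUEST {
    # IP::client_addr is the address of the client side of the connection
    # as seen by the virtual server, before any source address translation.
    set allowed 0
    foreach net {192.0.2.0/24 198.51.100.10} {
        if { [IP::addr [IP::client_addr] equals $net] } {
            set allowed 1
            break
        }
    }

    if { !$allowed } {
        # Refuse on the BIG-IP so the request never reaches the pool.
        log local0. "Denied client [IP::client_addr] for host [HTTP::host]"
        HTTP::respond 403 content "Forbidden"
        return
    }

    # A client can send its own X-Client-IP header. Remove every instance
    # first, then insert exactly one value that the BIG-IP vouches for.
    HTTP::header remove "X-Client-IP"
    HTTP::header insert "X-Client-IP" [IP::client_addr]
}
```

The server should only honour this header on connections that arrive from the BIG-IP, since any host that can reach the server directly could set it.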
