IP address and domain name restrictions in IIS

Hi Aaron,

 

 

I had to make some changes to the script as it waould not compile, just minor adjustments addedd or removed brackets. Can you confirm that what i have done is correct please?

 

 

when HTTP_REQUEST {

 

 

Check if there are any XFF headers

 

if {[HTTP::header exists X-Forwarded-For]}{

 

 

Log a debug message for deleting the current XFF header

 

log local0. "Removing XFF: [HTTP::header value X-Forwarded-For]"

 

 

Remove the current XFF header

 

HTTP::header remove X-Forwarded-For

 

}

 

Now that no XFF headers exist, insert a new one

 

HTTP::header insert X-Forwarded-For value [IP::client_addr] ]

 

}

 

 

However, if the script is correct it still isn't working as I cannot get the IP restrictions to work. My configuration is as follows: I have a VIP defined with two Microsoft IIS 6 webservers being load balanced with SNAT in the DMZ, rather a simple configuration. I also have x-forwarded-for installed as an ISAPI on the web servers for client address logging and it is working. I have a workstation on the inside network (private address) connecting via HTTP to the VIP address without any issues but as soon as i try to restrict access to the web site by denying all except certain addresses (address of the workstation) I get the usual 403 error message in the browser of the workstation.

 

 

Thanks

 

 

David