For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

david_20684's avatar
david_20684
Icon for Nimbostratus rankNimbostratus
May 08, 2008

IP address and domain name restrictions in IIS

Has anyone come up with a solution for "IP Address and Domain Name Restrictions" settings in IIS behind an f5?     I would like to restrict access to our web servers running a private appli...
microsoft
partner
david_20684's avatar
david_20684
Icon for Nimbostratus rankNimbostratus
May 12, 2008
Hi Aaron,

 

 

I had to make some changes to the script as it waould not compile, just minor adjustments addedd or removed brackets. Can you confirm that what i have done is correct please?

 

 

when HTTP_REQUEST {

 

 

Check if there are any XFF headers

 

if {[HTTP::header exists X-Forwarded-For]}{

 

 

Log a debug message for deleting the current XFF header

 

log local0. "Removing XFF: [HTTP::header value X-Forwarded-For]"

 

 

Remove the current XFF header

 

HTTP::header remove X-Forwarded-For

 

}

 

Now that no XFF headers exist, insert a new one

 

HTTP::header insert X-Forwarded-For value [IP::client_addr] ]

 

}

 

 

However, if the script is correct it still isn't working as I cannot get the IP restrictions to work. My configuration is as follows: I have a VIP defined with two Microsoft IIS 6 webservers being load balanced with SNAT in the DMZ, rather a simple configuration. I also have x-forwarded-for installed as an ISAPI on the web servers for client address logging and it is working. I have a workstation on the inside network (private address) connecting via HTTP to the VIP address without any issues but as soon as i try to restrict access to the web site by denying all except certain addresses (address of the workstation) I get the usual 403 error message in the browser of the workstation.

 

 

Thanks

 

 

David