Forum Discussion
Pure_Krome_7392
Nimbostratus
Nov 30, 2007
Unable to determine client IP - please help!
Hi Folks,
We're using an F5 BIG-IP to load balance our Windows IIS servers. We host our sites at some hosting company. Everything seems to be working fine.
When I check the LOG FILE, every IP address of the client (requesting data from the IIS server) is an IP address from (I'm guessing) within the hosting company: 64.151.105.*. I know this is not the real client IP because I created a support ticket a while back and they somehow created an extra custom x-header (HTTP_RLNCLIENTIPADDR) with the real IP of the request (which I've confirmed is correct with various IPs on public machines, when I dump the request information to the web page).
So ... without knowing the exact version of the BIG-IP hardware machine we are using ...
** Is it possible to replace the client-ip value with the user's real one? If so, is there a help doc that can explain this please?
This way, our IIS logs will report the REAL client IP for accurate analysis.
Thank you kindly.
-PK-
2 Replies
- hoolio
Cirrostratus
Hello there,
If you can't change the default gateway on the IIS servers to the self IP of the BIG-IP, you can configure the BIG-IP to insert the original client IP address in a custom HTTP header named X-Forwarded-For. Joe Pruitt wrote an ISAPI DLL you can install on your IIS servers to log the custom header in the IIS logs. Here are some related posts:
SOL4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic being translated by a SNAT
Click here
IIS ISAPI DLL to log x-forwarded-for
Click here
Aaron
- hoolio
Cirrostratus
Based on a read through of other users' and Joe's comments (Click here), it looks like the DLL will replace the value of the C-IP field in the IIS logs with the parsed value of the X-Forwarded-For header. I believe he parses out internal IP addresses and writes the remaining IPs in a comma plus (1.1.1.1, +2.2.2.2) separated list. So if the BIG-IP is configured to insert the X-Forwarded-For header and you enable this DLL on your web server(s), you should see in the C-IP field what the BIG-IP got as the source IP of the TCP packet it received.
A self IP address is an address the BIG-IP uses to source requests as well as receive them as a gateway. Take a look at the Network & System Mgmt Guide for details (Click here).
The reason that you are seeing the BIG-IP address in the IIS logs is that you either have SNAT enabled on the virtual server or you have a default SNAT defined which matches the requests to the IIS servers. Typically the reason you would have a SNAT enabled is because the web servers do not have their default gateway set to the BIG-IP. Enabling SNAT in this scenario forces the web servers to respond back to the BIG-IP and ensures symmetric routing. I was suggesting that if you were able to set the default gateway of the web servers to the BIG-IP's floating self IP address (or static self IP if you have a standalone unit), you could avoid the need to translate the source address of requests to the web servers.
Aaron
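Added example, not part of the original thread and not Joe Pruitt's DLL: a sketch of how a log-processing step can pick the client IP from X-Forwarded-For while honouring the header only when the connection came from the load balancer, since any client can send its own X-Forwarded-For value. It generalizes the single-proxy case in the thread to a chain of proxies. The trusted range is an assumption taken from the 64.151.105.* addresses in the question, and the function name and sample addresses are constructed.

```python
import ipaddress

# Assumption: the load balancer's SNAT addresses fall in the range seen in the
# question's IIS logs (64.151.105.*). Replace with the real self IP / SNAT range.
TRUSTED_PROXIES = [ipaddress.ip_network("64.151.105.0/24")]


def _is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def resolve_client_ip(peer_ip, xff_values, trusted=TRUSTED_PROXIES):
    """Return the address to log as the client IP.

    peer_ip    -- source address of the TCP connection the web server saw
    xff_values -- list of X-Forwarded-For header values, in received order
    """
    peer = ipaddress.ip_address(peer_ip)
    # A connection that did not come through the load balancer gets no say:
    # anything in its X-Forwarded-For header is client-controlled.
    if not _is_trusted(peer, trusted):
        return str(peer)

    # Flatten repeated headers and comma-separated lists into one hop list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]

    # Walk from the hop nearest the server outwards. Entries written by
    # trusted proxies are skipped; the first untrusted one is the client as
    # seen by our own infrastructure. Everything left of it is unverified.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop rather than trust what precedes it
        if not _is_trusted(ip, trusted):
            return str(ip)
    return str(peer)  # no usable entry: fall back to the connection address


if __name__ == "__main__":
    # Constructed sample: a client-supplied value followed by the hop the
    # load balancer added.
    print(resolve_client_ip("64.151.105.10", ["1.2.3.4, 203.0.113.7"]))
```

Entries to the left of the returned address are whatever the client chose to send, so they are useful as context in a log but not as an identity for access control or rate limiting.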