IIS X-Forward-For ISAPI Filter
A recent customer issue came up where they were load balancing servers but we unable to get the true client address logged in their IIS logs. They had their servers fronted by a BIG-IP and when clients would make requests the address passed to the server was the internal address and not that of the client. This is a common issue with proxies and fortunately there is a standard for forwarding client information. It is the HTTP X-Forwarded-For header which is handled by most proxies. So, I set out to find an existing ISAPI filter to replace the c-ip (client ip) log value in IIS with the contents of the X-Forwarded-For header (if it exists). I was amazed to find that I couldn't find a single instance of any open source (or even commercial) filter that would do this. So, I dug out Visual Studio and whipped up a filter that does just that. It's very basic and contains no user configuration so all you need to do is plug it into your Web Applications list of ISAPI Filters within the IIS Administration and you're set to go. We've released the source under the iControl End User License Agreement (available in any iControl SDK download). You can download it here. If you find a way to optimize this filter, please let me know and I'll update the sources here. After 24-hours of posting, a customer already returned some performance testing on the filter indicating that it only effected the traffic by less than 1 percent. I'm sure there are ways to optimize the memory allocation in the filter to speed this up a bit more, but I'll leave that for the community to work on. Oh, and it should be noted that the X-Forwarded-For header isn't supported the same way across all proxy products so you'll want to make sure you test this out before using it. It is expecting the header to only contain an IP Address as it does a straight substitution on the value in the c-ip section of the log entry. Enjoy! -Joe
health monitor IIS
Hello, I was wondering if someone can shed some light on a health monitor I am trying to setup. Ill give a brief overview of the setup. We have an application that gets proxied via apache ( apache are the nodes in the pool being monitored, acts as proxy nothing more) to IIS where the application actually lives. I am trying to setup a monitor so that it monitors say an index.html page on the IIS server something along the lines of Send string - http://Portal/dir/index.html receive string - IIS is up Tried to use this but nodes fail the health check when applying the monitor to the pool The service ports that its monitoring for are https Any help is greatly appreciated Thanks
IIS behind Big IP Windows Authentication
Hi everyone, I'm trying to load balance a couple of IIS web servers for a particular application. The website is configured with Windows Authentication. If i try to access the webpage directly to a server node , i'm able to get the content without any issues. Now if i tried to access the webpage through the F5 Virtual Server, i'm getting the credentials popup window. How can i accomplish this without? regards
iRule To Test Webpage Login
We have an issue where something in IIS will fail and external users will not be able to log into our webpage. I would like to either modify a current iRule and our create my own to test the login page on each webserver. I have tested and verified working health monitors for CPU and Memory load. And another health monitor for testing the url of the webpage ie abc.company.com on each webserver . The last piece would would be to stop directing traffic to the webserver that has the "IIS" webpage login issue until our dev team can figure out the issue. I was thinking of an iRule where I provide it a test username and password and the website url abc.company.com and it would try and login to the webpage on each webserver. If the page returns an error and is unable to log in the irule marks the node down and only keeps active connections. Once the iRule can log into the webpage it would automatically start directing traffic back to the node. Does anyone know if this can be done???
Can someone take a look and make sure I understand this right about reverse proxy
Preface: Yes I know not a whole lot but I'm trying. If someone could just take a look at this and maybe it will help me find what piece I am missing. We have an internal server that needs to be accessed on the outside, but they don't want it actually touching the internet so we run it through the BIG-IP F5 LTM. The internal IIS has an internal IP and an external IP assigned. The DNS entry is bound to the External IP address. A lot of what I setup has been copied from a currently working site that utilizes this exact same process. From my understanding the connection "route" is as follows: Internet-->ExtIP-->F5virtualIP-->IntIP The External IP gets natted on the firewall to the F5 internal IP of the virtual server, and then the F5 virtual server is linked to the actual internal server IP. We have access rules in place to allow public access to the external IP as well as the F5 IP. There are NAT rules in place that *should* point anyone going to the external IP towards the F5 address, and then through that to the internal server. There's an F5 rule in place that redirects from http to https as well. Internally, on my work PC, I can navigate to the site via it's FQDN. Externally though, I get a Not Secure Site message(we haven't gotten the cert in place yet so that is expected), but then after a while of trying to load, we receive an ERR_CONNECTION_RESET page and it can't load. I feel like there is something I am missing but I just can't think of what it is. If anyone has any ideas I will be eternally grateful. Thank you in advance.Microsoft IIS (Internet Information Services)
F5 Networks solutions engineers have worked with Microsoft IIS for over a decade, finding more and more ways for the BIG-IP system to accelerate, optimize, scale, and secure Microsoft IIS deployments. Our deployment guides and iApp templates for IIS are a result of this knowledge and experience, enabling organizations to spend valuable time and resources on other projects. And not only does F5 save your time and resources, but when the BIG-IP system relieves IIS servers from tasks such as compression, caching, and SSL processing, each server is able to devote more resources to running applications and can service more user requests. The following simple, logical configuration example shows the many different options for SSL processing on the BIG-IP system available in the iApp template and deployment guides for IIS. Seehttps://f5.com/solutions/deployment-guidesto find the appropriate deployment guide for quickly and accurately configuring the BIG-IP system for Microsoft IIS. If you have any feedback on these or other F5 guides or iApp templates, leave it in the comment section below or email us at solutionsfeedback@f5.com. We use your feedback to help shape our new iApps and deployment guides.HSTS / ASM connection drops
Hi All, We currently implement HSTS as an iRule on the F5, we also decrypt and inspect traffic with ASM. There are discussions internally on our side about adding HSTS to the web server responses on the actual server rather than from the F5. If we were to do this, is it possible/likely that F5 ASM decrypting the traffic will then result in connection drops? Thank you
