Welcome to ISAserver.org

Passing actual client IP address to IIS?

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2000 General] >> General >> Passing actual client IP address to IIS?

Page: [1] 2 next > >>

Message

<< Older Topic Newer Topic >>

Passing actual client IP address to IIS? - 18.Feb.2001 5:59:00 AM

tphillips

Posts: 1
Joined: 18.Feb.2001
From: Dallas, TX USA
Status: offline

Looking at the IIS log files on the internal IIS servers, the external client IP address is always the ISA server. Is there a way to pass the actual external client IP address through to the IIS server?

TIA,

Terry G Phillips

Post #: 1

Featured Links*

RE: Passing actual client IP address to IIS? - 18.Feb.2001 6:33:00 AM

tshinder

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: online

Hi Terry,

From other conversations we've had on this topic, it appears that there isn't a way to do this

If anyone has some new ideas in this area, they would be great to hear!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

(in reply to tphillips)

Post #: 2

RE: Passing actual client IP address to IIS? - 18.Feb.2001 11:30:00 AM

jmunyan

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline

Someone will need to write some code to go through the logs on ISA and parse out the information (at least it is concentrated in one place). A friend of mine did this to import large amounts of iis collected data to sql. He was a sharp programer but managed to write some com object to export the data from numerous sources in less than a day.

John

(in reply to tphillips)

Post #: 3

RE: Passing actual client IP address to IIS? - 20.Feb.2001 3:44:00 PM

Guest

i think, if you want receiver realy customer ip on your server behind iSA , you need to use server publishing on port 80, and you have original IP adress of customer.

(in reply to tphillips)

Post #: 4

RE: Passing actual client IP address to IIS? - 21.Feb.2001 9:40:00 AM

tshinder

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: online

Hi JN,

Server publishing listening on Port 80 of the external interface doesn't fix this problem. That's the default setting, and we've never seen the external client IP addresses on the internal web server.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

(in reply to tphillips)

Post #: 5

RE: Passing actual client IP address to IIS? - 18.Mar.2001 11:11:00 PM

Mike5558

Posts: 23
Joined: 13.Feb.2001
From: Kennedale, TX USA
Status: offline

You guys are doing something wrong! I just looked at my IIS logs (server is published behind as server) and I have the real IP addresses of all the people hitting my wesbite.

But I am not using the WEB publishing portion of ISA server. I used server publishing and published port 80 (a Protocol definition I created for HTTP).

Try that. It works well for me.

Mike Murray

(in reply to tphillips)

Post #: 6

RE: Passing actual client IP address to IIS? - 19.Mar.2001 1:35:00 AM

Spong

Posts: 7
Joined: 17.Mar.2001
Status: offline

Sounds good, but what downsides exist to this method?
I'm guessing, but I'd expect:
Routing/Caching rules may not work as they do with Web Publishing rules - you might lose the forward caching flexibility benefits that you get using Web publishing.
You can't combine multiple internal sites into a single external site.

(in reply to tphillips)

Post #: 7

RE: Passing actual client IP address to IIS? - 19.Mar.2001 9:19:00 AM

tshinder

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: online

Hi Mike,

Since that time, I learned that indeed we were doing something wrong! You *can* use server publishing to publish an internal server on Port 80 of the external interface. It just takes a few tricks with the inbound web request listener.

There are some drawbacks. The major one is that you can publish only a single web site per IP address on the external interface of the ISA Server. Now, if you have a bunch of IP addresses, its not that much of a problem.

Another drawback is that you bypass the Web Proxy service, so you can to port and protocol redirection like you can with Web Publishing rules that use the Web Proxy service.

HTH,
Tom

quote:
Originally posted by Mike5558:
You guys are doing something wrong! I just looked at my IIS logs (server is published behind as server) and I have the real IP addresses of all the people hitting my wesbite.
But I am not using the WEB publishing portion of ISA server. I used server publishing and published port 80 (a Protocol definition I created for HTTP).
Try that. It works well for me.
Mike Murray

------------------
Tom Shinder
http://www.isaserver.org/shinder/

(in reply to tphillips)

Post #: 8

RE: Passing actual client IP address to IIS? - 19.Mar.2001 8:01:00 PM

kfish

Posts: 15
Joined: 16.Mar.2001
From: Atlanta, Ga., USA
Status: offline

actually, by playin a few tricks, i have web published an internal server, and can see external addresses that are hitting it. I pulished the internal nic port from IIS with a port of 54321, published on the internal 192.*.*.* net,,, created a destination set for the external nic web server interface, then created a protocol rule. IT works GREAT! Took a little fiddling around with the routes, but now appears to do it in the designed way, and lets ISA do intrusion detection. If you want screen shots of this, let me know. I'll add to the ones i am creating for gaming zone .
Chris

quote:
Originally posted by tshinder:
Hi Mike,
Since that time, I learned that indeed we were doing something wrong! You *can* use server publishing to publish an internal server on Port 80 of the external interface. It just takes a few tricks with the inbound web request listener.
There are some drawbacks. The major one is that you can publish only a single web site per IP address on the external interface of the ISA Server. Now, if you have a bunch of IP addresses, its not that much of a problem.
Another drawback is that you bypass the Web Proxy service, so you can to port and protocol redirection like you can with Web Publishing rules that use the Web Proxy service.
HTH,
Tom

(in reply to tphillips)

Post #: 9

RE: Passing actual client IP address to IIS? - 19.Mar.2001 8:49:00 PM

kfish

Posts: 15
Joined: 16.Mar.2001
From: Atlanta, Ga., USA
Status: offline

you can publish the web server! create the web site on your internal interface with a unused port(s), create a destination set for your external web(s), then create a protocol rule. Works great, I can monitor sessions, and log web user addresses. Hopefully the advantage is also that intrusion detection is enabled on that external nic. if anyone wants details, i'll try to do some screen shots.
Chris

quote:
Originally posted by tshinder:
Hi Mike,
Since that time, I learned that indeed we were doing something wrong! You *can* use server publishing to publish an internal server on Port 80 of the external interface. It just takes a few tricks with the inbound web request listener.
There are some drawbacks. The major one is that you can publish only a single web site per IP address on the external interface of the ISA Server. Now, if you have a bunch of IP addresses, its not that much of a problem.
Another drawback is that you bypass the Web Proxy service, so you can to port and protocol redirection like you can with Web Publishing rules that use the Web Proxy service.
HTH,
Tom

(in reply to tphillips)

Post #: 10

RE: Passing actual client IP address to IIS? - 20.Mar.2001 10:57:00 PM

Mike5558

Posts: 23
Joined: 13.Feb.2001
From: Kennedale, TX USA
Status: offline

You ---CAN--- host multiple websites like this. I am doing it now. You simply use host headers on the IIS server that is behind the ISA server.

Mike

(in reply to tphillips)

Post #: 11

RE: Passing actual client IP address to IIS? - 21.Mar.2001 12:01:00 PM

tshinder

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: online

Mike,

You are a genius!

Of course, Host Headers will allow you to publish multiple web sites on the default HTTP port 80 *on a single server*. That's a great idea and a fantastic tip!

However, I think I should have been more specific about my statements regarding publishing web sites using Server Publishing.

You can publish a single *server* per IP address on Port 80 of the external interface(s). Now, you can get around the single web site limitation by using Host Headers, and now that I think about it, you can even get around the single server (sort of) by redirecting requests to another server on the network by configuring forwarding on the IIS server itself.

You still lose out on reverse proxy functionality, and you can limit access to the ISA Server only by using client address sets. The Web Proxy service allows you to use user/group authentication to access the proxy server's interface, so you lose a level of security, if you need it.

Nevertheless, you guys have done some excellent work at getting around the problem.

Thanks!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

(in reply to tphillips)

Post #: 12

RE: Passing actual client IP address to IIS? - 7.May2001 6:15:00 AM

IdolWild

Posts: 12
Joined: 15.Apr.2001
From: Jupiter
Status: offline

Can someone explain the process of settings this up in a little more detail? I'm having a little trouble setting it up.

\ Thanks

(in reply to tphillips)

Post #: 13

RE: Passing actual client IP address to IIS? - 8.May2001 11:47:00 PM

IdolWild

Posts: 12
Joined: 15.Apr.2001
From: Jupiter
Status: offline

Anyone?

(in reply to tphillips)

Post #: 14

RE: Passing actual client IP address to IIS? - 9.May2001 10:49:00 AM

Guest

HI all ...

dont mind if im late with this posting ...

ive solved the Problem with getting original IP Address earlyer without ISA just W2k NAT & RRAS in activating in the TCP/IP Stack Settings the IP forwarding.

For MultiWebSite Hosting (IdolWild)

Create as many needed destination Sets like www.aaa.com Path /* (for hole domain otherwise just the path you need like OWA /exchange/*)

Create Publishing Rules for each destination . Thats it ..should work so did fine by me !

kind regards

Nuddelaug

(in reply to tphillips)

Post #: 15

RE: Passing actual client IP address to IIS? - 9.May2001 11:40:00 PM

tshinder

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: online

Hi IdolWild,

What part is not working?

Tom

quote:
Originally posted by IdolWild:
Can someone explain the process of settings this up in a little more detail? I'm having a little trouble setting it up.
\ Thanks

------------------
Tom Shinder
http://www.isaserver.org/shinder/

Get it Here!

(in reply to tphillips)

Post #: 16

RE: Passing actual client IP address to IIS? - 10.May2001 9:10:00 PM

IdolWild

Posts: 12
Joined: 15.Apr.2001
From: Jupiter
Status: offline

I'm just having trouble with the process I guess - some of the replies in the thread were sort of conflicting in what to do - can anyone maybe give me a sort of step-by-step synopsis that worked for them? I'd appreciate it.

- IdolWild

(in reply to tphillips)

Post #: 17

RE: Passing actual client IP address to IIS? - 10.May2001 10:21:00 PM

powrserg

Posts: 6
Joined: 3.May2001
Status: offline

Hey kfish can you send me some snapshots of what you did I would gratly appreciate it, my address is powrserg@skyynet.com. Thanks.

(in reply to tphillips)

Post #: 18

RE: Passing actual client IP address to IIS? - 10.May2001 10:27:00 PM

powrserg

Posts: 6
Joined: 3.May2001
Status: offline

By the way I'm new here and I think Mr. Shinder is doing a great job with all the info that he provides, I bought the following book "ISA Configuration adn Admininstration" by Curt Simmons and I must say I truly regret the purchase, I will definetly buy Shinder's book as soon as I get my refund from that garbage I just bought.

(in reply to tphillips)

Post #: 19

RE: Passing actual client IP address to IIS? - 10.May2001 10:28:00 PM

IdolWild

Posts: 12
Joined: 15.Apr.2001
From: Jupiter
Status: offline

This post started quite some time ago and I was having the issue this weekend and came across it in a search - so I doubt he's even paying attention anymore - but if anyone else is and knows how to do this, give us some direction!

Thanks!

(in reply to tphillips)

Post #: 20