How to pass original Client IP to load balanced IIS servers

Answered Question
Aug 17th, 2010

Hi All,

I have a pair of CSS 11500 content services switches fronting our IIS web servers farm. On these IIS servers the IIS logs are enabled for our websites. However, when I analyze the IIS logs the client IP is always the IP address of the load balancer, and not the real client IP.


Can anyone help me configure the content switch to send the real IP, or is there some other method which will allow IIS to log the real client IP?


Any advice/pointers would be much appreciated.



Thanks,

Pradeep

litrenta (Cisco Employee) Tue, 08/17/2010 - 11:38

This is most likely due to having source groups with add destination services configured (each service in each content rule is added to a source group as add destination service). This is done when the topology is such that the server's default gateway is not the CSS and/or the server's return traffic does not pass back through the CSS to be NATed. A source group with the services added as destination services will NAT the client's source IP to the group's VIP when that service is selected from a LB decision; this forces the server's response to pass through the CSS. So, the topology needs to be re-examined if you require the client's source IP to be maintained. The server's response must go through the CSS either by setting the server's default gateway as the CSS or using PBR on a Cat switch.


On the ACE we have the ability to insert an HTTP header such as X-Forwarded-For with the client IP; then with an ISAPI filter on the IIS server you can log client IPs rather than the source IP.

pmajumder Wed, 08/18/2010 - 09:46

Hi,

Thanks for the response. We do have all our servers configured to use the CSS as their default gateway. I also have the services defined for each server (3 total) and then I have added those three services to my content rule.


You mention the ACE and the ability "to insert an http header such as x-forwarded-for with the client ip then with an isapi filter on the IIS server". Could you please elaborate and let me know where I can obtain those tools/filter?


Thanks Again,

Pradeep

scott-goodwin Wed, 08/18/2010 - 10:14

Hi there,


Just as a side note, you will also need a parameter map to insert the IP in every packet; otherwise you get the server guys moaning that the forwarding ain't working.

Correct Answer
Gilles Dufour (Cisco Employee) Wed, 08/18/2010 - 16:14

Before changing the equipment, you should check if you have any "group" in your config.

If your servers are using the CSS as default gateway, those groups could be safely removed and the CSS will stop changing the client ip address.


Gilles.

litrenta (Cisco Employee) Thu, 08/19/2010 - 05:31

If the servers use the CSS as default gateway, make sure you don't have a group with "add destination service" for the services involved in this load balance flow. Then the CSS will deliver the traffic to the server with the client IP as the source address.


Code example for the filter (which will compile with Visual Studio) can be found at


http://blogs.msdn.com/b/david.wang/archive/2005/09/28/howto-isapi-filter-which-logs-original-client-ip-for-load-balanced-iis-servers.aspx


You can find an IIS7 plug in at


http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx


Google "isapi x-forwarded"; it is a very popular topic.
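
The header-insertion approach described in litrenta's two replies above (the balancer adds an X-Forwarded-For header and an ISAPI filter or IIS module logs it) has one property worth keeping in view whichever filter you pick: the header is just request data, so any client can send its own, and it is only meaningful on connections that actually arrived from the balancer. The script below is an added example, not code from this thread, from Cisco or from Microsoft. It assumes constructed balancer addresses (TRUSTED_PROXIES), a constructed W3C field list and constructed log lines, and shows the resolution rule together with a post-processing rewrite of IIS W3C log lines in which the header was logged as cs(X-Forwarded-For); the last sample line is the keepalive case scott-goodwin alludes to, where no header was inserted.

```python
import ipaddress

# Constructed for this example: the addresses the balancer connects from
# (the CSS circuit IP, or whatever the ACE sources client traffic from).
TRUSTED_PROXIES = frozenset(
    ipaddress.ip_address(a) for a in ("10.0.0.5", "10.0.0.6")
)


def parse_forwarded_for(value):
    """Split an X-Forwarded-For value into IP objects, dropping anything that is not one."""
    addrs = []
    for part in value.split(","):
        part = part.strip()
        try:
            addrs.append(ipaddress.ip_address(part))
        except ValueError:
            continue  # not an address: never let it reach the log
    return addrs


def real_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the address worth logging for one request.

    peer_ip - the TCP source the server saw (what IIS writes as c-ip)
    headers - the request headers, looked up case-insensitively

    The header is consulted only when the connection came from a trusted
    balancer. Each proxy appends the address it saw, so the rightmost entry
    that is not itself a trusted proxy is the real client; anything left of
    it was supplied by an earlier, unverified hop.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        return str(peer)
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    for addr in reversed(parse_forwarded_for(xff)):
        if addr not in trusted:
            return str(addr)
    return str(peer)  # balancer inserted no header (e.g. its own keepalive probe)


# IIS W3C extended logging can record the header as cs(X-Forwarded-For);
# spaces inside a logged field are written as '+'. Field list is constructed.
W3C_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "c-ip",
              "cs(X-Forwarded-For)", "sc-status"]


def rewrite_w3c_line(line, fields=W3C_FIELDS):
    """Replace c-ip in one W3C log line with the resolved client address."""
    cols = line.split()
    if line.startswith("#") or len(cols) != len(fields):
        return line  # directives and malformed lines pass through untouched
    rec = dict(zip(fields, cols))
    raw = rec["cs(X-Forwarded-For)"]
    headers = {} if raw == "-" else {"X-Forwarded-For": raw.replace("+", " ")}
    rec["c-ip"] = real_client_ip(rec["c-ip"], headers)
    return " ".join(rec[f] for f in fields)


# Constructed sample log lines (not from the thread). Line 3 arrived directly
# at the server, not via the balancer, so its header is ignored.
SAMPLE_LOG = [
    "2010-08-19 13:16:00 10.0.0.20 GET /default.aspx 10.0.0.5 203.0.113.7 200",
    "2010-08-19 13:16:01 10.0.0.20 GET /login.aspx 10.0.0.5 198.51.100.9,+203.0.113.7 200",
    "2010-08-19 13:16:02 10.0.0.20 GET /admin.aspx 192.0.2.44 203.0.113.7 403",
    "2010-08-19 13:16:03 10.0.0.20 GET /CSservice/KeepAlive.html 10.0.0.5 - 200",
]


def resolved_client_ips(lines=SAMPLE_LOG):
    """The c-ip column of each sample line after rewriting."""
    return [rewrite_w3c_line(l).split()[W3C_FIELDS.index("c-ip")] for l in lines]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(rewrite_w3c_line(line))
```

With a single CSS or ACE in front of the farm the rule reduces to "take the rightmost entry, and only when c-ip is the balancer"; the loop form also copes with a chain of known proxies, where the balancer's own address can appear in the list. The same peer-address check belongs in an ISAPI filter that rewrites the logged client IP in-process.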

pmajumder Thu, 08/19/2010 - 13:16

Hi,

Thank you both for the suggestions. I do not have any group command related to these three servers. What I have are one service rule for the sorry server, 3 service rules, 3 keepalive rules, and then the content rule as follows:


service Agents-ProdSorry
  ip address z.z.z.z
  port 80
  protocol tcp
  redundant-index 72
  active

keepalive Agents1-Prodkeepalive
  type http
  port 80
  method get
  ip address y.y.y.y
  uri "/CSservice/KeepAlive.html"
  retryperiod 20
  maxfailure 1
  frequency 60
  active

service Agents1-Prod
  ip address y.y.y.y
  protocol tcp
  keepalive type named Agents1-Prodkeepalive
  redundant-index 49
  active

content Agents-Prod
    vip address x.x.x.x
    protocol tcp
    port 80
    balance weightedrr
    add service Agents1-Prod
    add service Agents2-Prod
    add service Agents3-Prod
    primarySorryServer Agents-ProdSorry
    redundant-index 64
    advanced-balance sticky-srcip
    sticky-inact-timeout 20
    active


Clearly it sounds like it should work, but I must be doing something else incorrectly.


Thanks,

Pradeep

Correct Answer
litrenta (Cisco Employee) Thu, 08/19/2010 - 13:38

If you really have no group command with "add destination service" then the client traffic will go to the server with the client IP as the source. The service won't get any other traffic with the CSS address except for the keepalive:



keepalive Agents1-Prodkeepalive
  type http
  port 80
  method get
  ip address y.y.y.y
  uri "/CSservice/KeepAlive.html"
  retryperiod 20
  maxfailure 1
  frequency 60
  active

This keepalive request will get to the server with the circuit IP of the CSS as the source.

pmajumder Fri, 08/20/2010 - 08:16

That was it. I was just looking at the keepalive requests in the log and assumed everything else would also have the CSS's address. It is keeping up the real client IP.


Thank you very much for the knowledge and the pointer.


Thanks,

Pradeep

etrade.admin Tue, 10/26/2010 - 23:14

I am facing the same problem.


Could you please help me too...


I have a webserver configured on the content switch, and now when I check the IIS logs, all the IP addresses are of the content switch instead of the client machines.


I am attaching my configuration for you to review:


CSS-GLOBAL# sh runn
!Generated on 10/26/2010 23:14:04
!Active version: sg0810106


configure



!*************************** GLOBAL ***************************
  dns primary 172.21.1.13
  dns secondary 192.168.0.50


  ssl associate rsakey eglobal eglobal.pem
  ssl associate cert eglobal-selfsigned eglobal.selfsigned.pem
  ssl associate rsakey glopedia glopedia.pem
  ssl associate cert glopedia glopedia.selfsigned.pem
  ssl associate cert eglobal-versign e-global-verisign.pem
  ssl associate cert glopedia-verisign glopedia-verisign.pem
  ssl associate cert EGlobal-Web EGlobal-Web.pem
  ssl associate cert EGlobal-Web-Chain EGlobal-Web.pem
  ssl associate cert Glopedia-Web-Chain Glopedia-Web.pem


  ftp-record conf 172.16.143.43 shahim des-password 1bnc2hnduhmgjend /


  ip route 0.0.0.0 0.0.0.0 172.21.21.1 1
  ip route 172.21.1.0 255.255.255.0 172.21.21.4 1
  ip route 172.16.0.0 255.255.0.0 172.21.21.4 1
  ip route 192.168.0.0 255.255.255.0 172.21.21.4 1


!************************* INTERFACE *************************
interface e1
  description "To Global Switch Foundary"


!************************** CIRCUIT **************************
circuit VLAN1
  ip address 172.21.21.49 255.255.255.0


!*********************** SSL PROXY LIST ***********************
ssl-proxy-list SSL-Proxy-List
  ssl-server 51
  ssl-server 51 rsakey eglobal
  ssl-server 51 vip address 172.21.21.51
  ssl-server 51 cipher rsa-with-rc4-128-md5 172.21.21.51 80 weight 10
  ssl-server 51 cipher rsa-with-rc4-128-sha 172.21.21.51 80 weight 8
  ssl-server 51 cipher rsa-export-with-rc4-40-md5 172.21.21.51 80 weight 5
  ssl-server 50
  ssl-server 50 rsakey glopedia
  ssl-server 50 vip address 172.21.21.50
  ssl-server 50 cipher rsa-with-rc4-128-md5 172.21.21.50 80 weight 10
  ssl-server 50 cipher rsa-with-rc4-128-sha 172.21.21.50 80 weight 8
  ssl-server 50 cipher rsa-export-with-rc4-40-md5 172.21.21.50 80 weight 5
  ssl-server 50 urlrewrite 1 *
  ssl-server 51 urlrewrite 1 *
  ssl-server 51 rsacert EGlobal-Web-Chain
  ssl-server 50 rsacert Glopedia-Web-Chain
  active


!************************** SERVICE **************************
service E-Global-https
  ip address 172.21.21.32
  port 80
  protocol tcp
  active


service Ghalia
  port 81
  protocol tcp
  ip address 172.21.21.31
  active


service GlobalInv
  port 80
  protocol tcp
  ip address 172.21.21.31
  active


service dms
  ip address 172.21.1.115
  port 80
  protocol tcp
  keepalive type http
  active


service eglobal-http
  port 80
  protocol tcp
  ip address 172.21.21.32
  keepalive type http
  active


service email
  ip address 172.21.1.122
  port 80
  protocol tcp
  keepalive type http
  active


service email123
  ip address 172.21.1.123
  port 80
  protocol tcp
  keepalive type http
  active


service glopedia
  ip address 192.168.2.32
  port 80
  protocol tcp
  active


service glopedia-expapps
  ip address 192.168.2.32
  port 4028
  protocol tcp
  active


service secure-transfer
  type redirect
  no prepend-http
  ip address 172.21.21.32
  keepalive type none
  domain https://www.e-global.com.kw
  active


service ssl-eglobal
  type ssl-accel
  keepalive type none
  slot 2
  add ssl-proxy-list SSL-Proxy-List
  active


service workflow
  ip address 172.21.21.44
  port 80
  protocol tcp
  keepalive type http
  active


!*************************** OWNER ***************************
owner EGlobal


  content eglobal-http
    vip address 172.21.21.51
    no persistent
    protocol tcp
    port 80
    url "/*"
    add service eglobal-http
    active


  content eglobal-https
    vip address 172.21.21.51
    protocol tcp
    port 443
    add service ssl-eglobal
    active


owner GhaliaWebSite


  content Ghalia-http
    vip address 172.21.21.53
    add service Ghalia
    protocol tcp
    port 80
    active


owner GlobalWebSite


  content GlobalInv-http
    vip address 172.21.21.52
    add service GlobalInv
    port 80
    protocol tcp
    advanced-balance sticky-srcip
    active


owner Glopedia


  content bpmweb
    vip address 172.21.21.50
    url "/workflow"
    protocol tcp
    port 80
    redirect "/bpmweb"
    active


  content cyberdocs
    vip address 172.21.21.50
    add service dms
    protocol tcp
    port 80
    url "/CyberDocs*"
    active
        
  content dms
    vip address 172.21.21.50
    url "/dms*"
    redirect "/CyberDocs"
    protocol tcp
    port 80
    active


  content email
    vip address 172.21.21.50
    no persistent
    url "/email"
    protocol tcp
    port 80
    redirect "/owa"
    active


  content glopedia-expapps
    vip address 172.21.21.50
    add service glopedia-expapps
    no persistent
    port 4028
    protocol tcp
    active


  content glopedia-http
    vip address 172.21.21.50
    add service glopedia
    no persistent
    protocol tcp
    port 80
    url "/*"
    active


  content glopedia-https
    vip address 172.21.21.50
    add service ssl-eglobal
    protocol tcp
    port 443
    active


  content owa
    vip address 172.21.21.50
    add service email123
    protocol tcp
    port 80
    url "/owa*"
    active


  content workflow
    vip address 172.21.21.50
    add service workflow
    no persistent
    protocol tcp
    port 80
    url "/bpmweb*"
    active


!*************************** GROUP ***************************
group Ghalia
  vip address 172.21.21.53
  add destination service Ghalia
  active


group GlobalInv
  vip address 172.21.21.52
  add destination service GlobalInv
  active


group dms
  vip address 172.21.21.50
  add destination service dms
  add destination service email
  add destination service workflow
  add destination service glopedia
  add destination service email123
  add destination service glopedia-expapps
  active


group eglobal
  vip address 172.21.21.51
  add destination service eglobal-http
  active
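
The diagnosis litrenta and Gilles give earlier in the thread (a source group whose "add destination service" entries cover the services a content rule balances to makes the CSS rewrite the client's source IP to the group VIP) can be checked mechanically against a running config. The script below is an added example, not Cisco code and not something posted in this thread; it parses a trimmed excerpt of the configuration above and reports, for each content rule, which services will receive client traffic sourced from a group VIP. Whether a flagged group can simply be removed is governed by Gilles's condition: the servers must use the CSS as their default gateway (or return traffic must otherwise pass back through the CSS), because the group is what forces the response path when they do not.

```python
import re

# Trimmed excerpt of the CSS running config posted in this thread; only the
# blocks relevant to the check are kept (group dms is cut down to two services).
CSS_CONFIG = """\
owner EGlobal
  content eglobal-http
    vip address 172.21.21.51
    add service eglobal-http
    active

  content eglobal-https
    vip address 172.21.21.51
    add service ssl-eglobal
    active

owner GhaliaWebSite
  content Ghalia-http
    vip address 172.21.21.53
    add service Ghalia
    active

owner Glopedia
  content glopedia-http
    vip address 172.21.21.50
    add service glopedia
    active

group Ghalia
  vip address 172.21.21.53
  add destination service Ghalia
  active

group dms
  vip address 172.21.21.50
  add destination service dms
  add destination service glopedia
  active

group eglobal
  vip address 172.21.21.51
  add destination service eglobal-http
  active
"""

BLOCK_RE = re.compile(r"^\s*(service|content|group)\s+(\S+)\s*$")


def parse_css_config(text):
    """Collect content rules and source groups: {"content": {...}, "group": {...}},
    each entry holding its VIP and the services it references."""
    cfg = {"content": {}, "group": {}}
    cur = None
    for raw in text.splitlines():
        m = BLOCK_RE.match(raw)
        if m:
            kind, name = m.groups()
            # service definitions themselves are not needed, only references to them
            cur = None if kind == "service" else cfg[kind].setdefault(
                name, {"vip": None, "services": []})
            continue
        if raw and not raw.startswith(" "):
            cur = None  # owner / circuit / banner lines close the open block
            continue
        line = raw.strip()
        if cur is None:
            continue
        if line.startswith("vip address "):
            cur["vip"] = line.split()[2]
        elif line.startswith("add destination service "):
            cur["services"].append(line.split()[3])  # group NATs clients to its VIP
        elif line.startswith("add service "):
            cur["services"].append(line.split()[2])  # content rule balances here
    return cfg


def source_nat_findings(cfg):
    """content rule -> [(service, group, group VIP)] for every balanced service
    that is also a destination service of a group (client IP will be rewritten)."""
    in_group = {}
    for gname, g in cfg["group"].items():
        for svc in g["services"]:
            in_group.setdefault(svc, []).append((gname, g["vip"]))
    findings = {}
    for cname, c in cfg["content"].items():
        hits = [(svc, gname, vip) for svc in c["services"]
                for gname, vip in in_group.get(svc, [])]
        if hits:
            findings[cname] = hits
    return findings


def report(text=CSS_CONFIG):
    """One human-readable line per affected (content rule, service) pair."""
    return [f"content {c}: service {s} is a destination service of group {g}; "
            f"the server sees client traffic sourced from {v}"
            for c, hits in source_nat_findings(parse_css_config(text)).items()
            for s, g, v in hits]


if __name__ == "__main__":
    print("\n".join(report()) or "no source-NAT groups affect any content rule")
```

On the excerpt, eglobal-http, Ghalia-http and glopedia-http are all flagged, while eglobal-https is not (ssl-eglobal is in no group). That matches the symptom etrade.admin reports: every HTTP site's IIS log shows a VIP rather than a client address.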
