4th February

in Load Balancing

IIS and X-Forwarded-For Header

Posted by Rob Cooper

Although its not technically a standard, the XFF or x-forwarded-for header, is incredibly useful if you have any kind of proxy in front of your web servers.

When you load balance your web site at layer 7, it will become non-transparent. This means that the actual client source IP address is replaced by the load balancer’s own IP address, and therefore ONLY this address will be recorded in the IIS logs. One way around this is to insert X-Forwarded-For headers on the load balancer to track the actual client source IP address. IIS can then be reconfigured to make this data available in the logs.

NB. The other options to gain source IP transparency are to configure the load balancer in layer 4 NAT mode,  layer 4 DSR mode or Layer 7 with TPROXY enabled.

–> Were you were actually looking for how to do XFF on Apache?

The steps required to modify the logging behavior depend on your version of IIS:

Using XFF X-Forwarded-For with IIS 8.5 & later

In IIS 8.5 and later there is a new feature called “Enhanced Logging”. For more information please refer to this Microsoft link.

Using XFF X-Forwarded-For with IIS 7 & IIS 7.5

For IIS 7 & 7.5 the Advanced Logging add-on must be installed. This can be downloaded here. Once installed on the IIS server, you’ll see an extra option called ‘Advanced Logging’ in IIS.

To confgure and enable Advanced Logging, follow the steps below.

1. Start IIS Manager, then on the Connections pane on the left, click the appropriate server, web site, or directory where you want to configure Advanced Logging. The related Home page is displayed in the main panel.

2. From the Home page, under IIS, double-click Advanced Logging.

iis1 - Copy

3. From the Actions pane on the right, click Enable Advanced Logging.

iis2 - Copy

4. From the Actions pane on the right, click Edit Logging Fields.

iis3 - Copy

5. On the Edit Logging Fields window click Add Field, and then complete the following.

iis4a - Copy

– in Field ID, type ‘ClientSourceIP’ (without quotes)
– in Category, type “Default” (without quotes)
– in Source type, select Request Header
– in Source name, type ‘X-Forwarded-For’ (without quotes)
– click OK on the Add Logging Field form
– click OK on the Edit Logging Fields form

6. From the Actions pane on the right, click Add Log Definition.

iis5 - Copy

7. Enter “Client Source IP” in the Base file name field.

iis6a - Copy

8. Click Select Fields.

iis7 - Copy

– Check (enable) the ClientSourceIP field created earlier

9. Click OK on the Select Logging Fields form, then click Apply in the actions pane.

10. Click Return To Advanced Logging in the actions pane.

11. Run iisreset /restart to apply the new settings.

12. The advanced log must be viewed rather than the default log. The advanced log is located in %SystemDrive%\inetpub\logs\AdvancedLogs. To view the logs, right-click the Client Source IP log definition and click View Log Files.

iis8 - Copy

Using XFF x-forwarded-for with IIS 6 

Unfortunately, the Microsoft solution mentioned above is not available for IIS 6. luckily there are a number of solutions available to address this limitation – some that cost money and others that have been released as open source. One excellent example that we’ve tested with our products is F5’s X-Forwarded-For ISAPI filter. It’s avaialable in both in 32 & 64 bit versions.

1. Download the zipped archive from here and extract to an appropriate folder

2. Navigate to the relevant version (32 or 64 bit)

3. Copy F5XForwardedFor.dll to a suitable location on your server, e.g. C:\ISAPIfilters

4. Make sure you have ISAPI Filters enabled on your IIS server

5. Open IIS Manager, right-click the site and select Properties

6. Select the ISAPI Filters tab

7. Click ‘add’, then in the popup enter a suitable name and select the DLL file stored in step 3

8. Restart your website

That’s it – you should now start seeing the IP address of the client PC’s in your IIS logs rather than the IP of the load balancer.

About the author

Rob Cooper

Rob’s been with the company since 2010 and helps to maintain the critical link between the Sales, Support and Development departments by providing deployment, testing and documentation skills. He’s also responsible for all Microsoft and VMware approvals and certifications and ensuring ongoing compliance. When not at the Loadbalancer.org offices he enjoys getting out on his boat as well as playing bass guitar.

Live chat
› Operator: Theo › Theo: Can I help you?
Click here to chat |
Send