KEMP Load Balancer, Microsoft IIS, How to see Source IP address in Logfiles on Webserver

by butsch 2. February 2023 22:40

 

We once had a case where we were supposed to install a URL-Rewrite module in IIS on a CAS 2010 to submit more info to a Rapid 7 solution. (This was in the time range before all the monthly leaks for 2013/2016/2019 came up to force all customers to M365, and it was unclear what the module would do inside Exchange etc.)

We used URL-Rewrite before for web servers at an ISP but it did at once like to use on IIS where you deinstall IIS sites and re-install with an EXE, which runs 100 PowerShell.

The CAS were behind a commercial KEMP Load Balancer HA. I just had the same case privately on one of my Windows IIS web servers, where I tunnel through several active components.

SOLUTION: How to see the source IP if your IIS web server is behind a KEMP Load Balancer.

Schema:

"WAN"-----"FW1"---"FW2"---"KEMP" (back: 192.168.185.105)-----(front: 192.168.151.70)"WEB SERVER/MS/IIS"

 

What you have in the IIS log files BEFORE the change (you do not see the source IP in the IIS log files):

2023-01-21 19:08:35 W3SVC2 web 192.168.185.105 GET /image.axd picture=041014_0945_WSUSWindows1.png 443 - 192.168.151.70 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/109.0.0.0+Safari/537.36+Edg/109.0.1518.61 - www.butsch.ch 200 0 0 8644 742 4

What you have in the IIS log files AFTER our change (source IP at the end):

2023-01-21 19:46:28 W3SVC2 web 192.168.185.105 GET /category/APP-V.aspx - 80 - 192.168.151.70 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/14.1+Safari/605.1.15 - - www.butsch.ch 404 0 0 23895 382 12 15.206.212.159

 

Go onto your KEMP (this also works with the free community version):

Select MODIFY on the service. Under Advanced Properties, change "Add HTTP Headers" to "X-Forwarded-For (No Via)", or try any other option and check in the log files on the IIS side what you see there.

 

First make sure Logging is installed in IIS (install it if it is not).

Here is what to change in IIS if you have logging active:

Change the log file location to a disk where you have space or which you monitor.

Source: X-FORWARDED-FOR. That is the field you told the KEMP to include in every request it passes on to the web server.

 

APPLY

Cmd (Elevated)

IISRESET

Or Restart Server

You will see the source IP at the end of the line:

 

2023-01-21 19:46:28 W3SVC2 web 192.168.185.105 GET /category/APP-V.aspx - 80 - 192.168.151.70 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/14.1+Safari/605.1.15 - - www.butsch.ch 404 0 0 23895 382 12 15.206.212.159
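One way to read the resulting log files, as an added example that is not part of the original post: a Python parser that follows the log's #Fields directive and takes the client address from the X-Forwarded-For column only when c-ip is the load balancer, using the rightmost entry because anything to its left was supplied by the client. It assumes 192.168.151.70 (the c-ip in the log lines above) is the KEMP, that the custom field was named X-Forwarded-For, and that the KEMP appends to a header the client already sent; the sample log is constructed.

```python
import ipaddress

# Assumptions: 192.168.151.70 is the load balancer (the c-ip in the page's log
# lines) and the IIS custom field was named "X-Forwarded-For".
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.151.70")}
XFF_FIELD = "X-Forwarded-For"

# Constructed sample log: reduced field set, mostly documentation-range addresses.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status X-Forwarded-For
2023-01-21 19:46:28 GET /category/APP-V.aspx 192.168.151.70 404 15.206.212.159
2023-01-21 19:47:02 GET /default.aspx 192.168.151.70 200 10.9.9.9,+203.0.113.7
2023-01-21 19:47:40 GET /default.aspx 192.168.151.70 200 -
2023-01-21 19:48:11 GET /default.aspx 198.51.100.20 200 203.0.113.99
"""

def effective_client(row):
    """Return (address, source) for one parsed log row."""
    peer = ipaddress.ip_address(row["c-ip"])
    xff = row.get(XFF_FIELD, "-")
    # Only a request that arrived through the load balancer has a usable header.
    if peer not in TRUSTED_PROXIES or xff == "-":
        return str(peer), "c-ip"
    # IIS W3C logs write spaces as '+', so "a, b" appears as "a,+b".
    hops = [h.strip("+") for h in xff.split(",")]
    # Walk right to left: the rightmost entry is the one the load balancer added.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to c-ip
        if ip not in TRUSTED_PROXIES:
            return str(ip), "xff"
    return str(peer), "c-ip"

def parse_log(text):
    """Parse W3C log text via its #Fields directive; return one result per line."""
    fields, out = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip lines that do not match #Fields
                out.append(effective_client(dict(zip(fields, values))))
    return out

if __name__ == "__main__":
    print(*parse_log(SAMPLE_LOG), sep="\n")
```

The last sample line reaches IIS without passing the load balancer, so its header is ignored and c-ip is reported instead.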

 

 

 

 

Tags:

Exchange 2016 | SECURITY | Microsoft Exchange | Microsoft Server OS
