IP address and domain name restrictions behind a Proxy
Hi all,
We want to control access to different sites with “IP address and domain
name restrictions” in IIS6 (2003 SP1) but ran into proxy problems.
The server is hosting a Citrix Webinterface 4.0 website and all traffic is
routed via/through Citrix Secure Gateway that acts as a proxy. CSG,
Webinterface and IIS are on the same server.
The variable REMOTE_ADDR returns 127.0.0.1 since the CSG is on the same
computer as IIS but there is another variable HTTP_X_FORWARDED_FOR that is
set to store the client IP before CSG forwards the request to the IIS Server.
It seems that IIS6 looks in the REMOTE_ADDR variable for the IP address and
domain name restrictions.
Script example to get real client IP from Webinterface 4 code here
http://www.citrix4ge.de/wim/wimri.htm
Is there any way to get IIS6 to check client IP from alternative variable?
Thanks in advance
//Ben
David Wang [Msft] 2006-01-13, 10:26 pm
It is not a matter of getting IIS to check client IP from an alternate
variable. Please define how such an extensibility point is supposed to
function in a generic yet easily useful fashion.
There is no standard on how to forward the original IP in a proxy situation.
Thus IIS6 can only implement IP Restriction based on the value it got from
TCP.
It would not be hard to make a filter that looks up the custom HTTP header
and does something based on it, such as implement an IP restriction.
For example, the following is a filter which makes IIS log the client IP for
the request instead of the CSG's.
http://blogs.msdn.com/david.wang/ar...IS_Servers.aspx
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Ben" <Ben@discussions.microsoft.com> wrote in message
news:03B60E7D-5054-45A7-BF50-5711900180EC@microsoft.com...
> Hi all,
>
> We want to control access to different sites with “IP address and domain
> name restrictions” in IIS6 (2003 SP1) but ran into proxy problems.
>
> The server is hosting a Citrix Webinterface 4.0 website and all traffic is
> routed via/through Citrix Secure Gateway that acts as a proxy. CSG,
> Webinterface and IIS are on the same server.
>
> The variable REMOTE_ADDR returns 127.0.0.1 since the CSG is on the same
> computer as IIS but there is another variable HTTP_X_FORWARDED_FOR that
> is set to store the client IP before CSG forwards the request to the IIS
> Server.
> It seems that IIS6 looks in the REMOTE_ADDR variable for the IP address
> and domain name restrictions.
>
> Script example to get real client IP from Webinterface 4 code here
> http://www.citrix4ge.de/wim/wimri.htm
>
> Is there any way to get IIS6 to check client IP from alternative variable?
>
> Thanks in advance
> //Ben
>
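
The decision a header-based restriction filter of the kind described above would have to make, as an added example that is not code from the thread or from the linked filter. It assumes a single proxy on 127.0.0.1 that appends the address it saw as the rightmost X-Forwarded-For entry; the allow list, the function names and the sample addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample policy (assumption, not from the thread). */
struct cidr { const char *net; int bits; };
static const struct cidr PROXIES[] = { {"127.0.0.1", 32} };   /* CSG on the same host */
static const struct cidr ALLOWED[] = { {"192.0.2.0", 24}, {"198.51.100.17", 32} };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static int parse_ipv4(const char *s, uint32_t *out) {
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

static int in_list(uint32_t ip, const struct cidr *list, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint32_t net, mask = list[i].bits ? 0xFFFFFFFFu << (32 - list[i].bits) : 0;
        if (parse_ipv4(list[i].net, &net) && (ip & mask) == (net & mask)) return 1;
    }
    return 0;
}

/* Returns 1 to allow, 0 to deny. remote_addr is the TCP peer; xff may be NULL. */
int allow_request(const char *remote_addr, const char *xff) {
    uint32_t peer, client;
    char buf[INET_ADDRSTRLEN];
    if (!parse_ipv4(remote_addr, &peer)) return 0;
    /* Not from the proxy: the header is client-supplied, so ignore it. */
    if (!in_list(peer, PROXIES, COUNT(PROXIES))) return in_list(peer, ALLOWED, COUNT(ALLOWED));
    if (xff == NULL) return 0;               /* proxied request without the header: deny */
    const char *last = strrchr(xff, ',');    /* rightmost entry = address the proxy saw */
    last = last ? last + 1 : xff;
    last += strspn(last, " \t");
    size_t len = strcspn(last, " \t");
    if (len == 0 || len >= sizeof buf) return 0;
    memcpy(buf, last, len);
    buf[len] = '\0';
    return parse_ipv4(buf, &client) && in_list(client, ALLOWED, COUNT(ALLOWED));
}

int main(void) {
    printf("%d\n", allow_request("127.0.0.1", "192.0.2.44"));    /* proxied, allowed client */
    printf("%d\n", allow_request("203.0.113.9", "192.0.2.44"));  /* direct peer, header ignored */
    return 0;
}
```

The header is honoured only when the TCP peer is the proxy itself, so the restriction still rests on a value obtained from TCP, as the reply points out.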