Web log issue: ISA server replaces visitor's IPs with local IPs on SBS

Discussion in 'Windows Small Business Server' started by Nicolas Verhaeghe, Aug 12, 2005.

  1. I have a fully-loaded SBS 2003 Premium and it seems that all the public IPs
    (c-id field) in the IIS6 logs are replaced with that of the machine.

    According to the software manufacturer (Weblog Expert), this is due to ISA.

    When I look at the log files, sure enough, c-id is that of the machine.

    I am in a situation where each Web site has its own private and public IP
    because of the fact that they each use their own SSL key.

    My Sonicwall does one-to-one NAT and maps each Web site to its own IP. The
    NIC has more than one IP address and in IIS6 each Web site is linked to its
    own private IP.

    ISA seems to be forcing the visitors' IP (c-id) to Private IP #1 for Web site
    #1 and Private IP #2 for Web site #2.

    Does anybody know what I can do to fix this issue?

    This is also causing a problem, as my banner stats are not properly
    incremented (the system uses the IP address to determine if the visitor is
    local or not).

    Thanks in advance!
     
    Nicolas Verhaeghe, Aug 12, 2005
    #1

  2. Edward Tian Guest

    Dear Nicolas:
    Thank you for posting here!

    From your description, I understand that in IIS6 logs of each website, you
    can only find some private IPs in c-id field instead of the actual public
    IPs. If I have misunderstood, please feel free to let me know.

    Based on my research, there is an expected behavior in regard to ISA Web
    Publishing. It will replace the source IP addresses with its own internal
    IP address, which makes the IIS log useless.

    The mechanism of ISA Web Publishing looks like a web proxy server, so each
    IP address of the incoming web request will be replaced with the internal
    IP address of ISA server.

    ISA Server Publishing can work around this issue. Based on my experience,
    there is no specific security issue using Server publishing to publish a
    web server. However, you may not be able to use some particular features
    that are designed for ISA Web Publishing, such as web filters.

    If you want to get the c-ip information of the external visitors, you can
    refer to ISA web proxy logs for your analysis. To configure ISA logging,
    please refer to the following Knowledge Base article:

    302372 HOW TO: Configure Logging in Internet Security and Acceleration
    Server

    http://support.microsoft.com/?id=302372

    In addition, if the above scenario is not similar to yours, would you
    please help me confirm the following information for analysis?
    1. Does this issue occur on all internal IIS servers? It appears that no IIS
    site is installed on the ISA server, right?

    2. You mentioned "I am in a situation where each Web site has its own
    private and public IP", can I assume that the "public IP" is the Firewall's
    external IP, or these web servers are directly connecting to Internet?

    3. Please send me the corresponding IIS logs for analysis.

    4. Could you tell me why you think "ISA seems to be forcing the visitors IP
    (c-id) to Private IP #1 for Web site#1 and Private IP #2 for Web site #2."?

    5. Could you tell me the network topology of your network?

    If you have any further concerns, please feel free to let me know.
    I look forward to your update. Have a nice day!

    Best Regards
    Edward Tian(MSFT)
    Microsoft CSS Online Newsgroup Support

    Edward Tian, Aug 15, 2005
    #2
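
A quick way to confirm the symptom discussed in this thread, as an added example that is not part of either post: the script below reads an IIS 6 W3C extended log and reports every site (`s-ip`) whose requests all carry an RFC 1918 address in `c-ip`, which is what a proxying front end such as ISA Web Publishing produces. The sample log, its addresses and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in IIS 6 W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2005-08-12 17:00:01 192.168.16.2 GET /default.aspx 443 192.168.16.2 200
2005-08-12 17:00:04 192.168.16.2 GET /banner.gif 443 192.168.16.2 200
2005-08-12 17:00:09 192.168.16.2 GET /cart.aspx 443 192.168.16.2 200
2005-08-12 17:01:10 192.168.16.3 GET /default.aspx 443 192.168.16.3 200
2005-08-12 17:01:12 192.168.16.3 GET /banner.gif 443 192.168.16.3 200
2005-08-12 17:01:30 192.168.16.3 GET /login.aspx 443 192.168.16.3 302
#Fields: date time c-ip s-ip cs-method cs-uri-stem sc-status
2005-08-12 17:02:00 203.0.113.7 192.168.16.4 GET /default.aspx 200
2005-08-12 17:02:05 198.51.100.23 192.168.16.4 GET /banner.gif 200
2005-08-12 17:02:08 203.0.113.7 192.168.16.4 GET /about.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per request; a new #Fields line re-maps the columns."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def is_rfc1918(value):
    """True for a private IPv4 address; False for '-' or other non-addresses."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def masked_sites(text, min_requests=3):
    """Map each site IP whose clients are all private to its dominant c-ip."""
    by_site = defaultdict(Counter)
    for row in parse_w3c(text):
        if "s-ip" in row and "c-ip" in row:
            by_site[row["s-ip"]][row["c-ip"]] += 1
    return {site: clients.most_common(1)[0][0]
            for site, clients in by_site.items()
            if sum(clients.values()) >= min_requests
            and all(map(is_rfc1918, clients))}
```

A site that really is visited only from the internal network is reported as well, so a hit means no external address was logged for that site, not proof of proxying on its own.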