RE: Web log issue: ISA server replaces visitor's IPs with local IPs on SBS



Dear Nicolas:
Thank you for posting here!

From your description, I understand that in IIS6 logs of each website, you
can only find some private IPs in c-id field instead of the actual public
IPs. If I have misunderstood, please feel free to let me know.

Based on my research, there is an expected behavior in regard to ISA Web
Publishing. It will replace the source IP addresses with its own internal
IP address which makes IIS log useless.

The mechanism of ISA Web Publishing looks like a web proxy server, so each
IP address of the incoming web request will be replaced with the internal
IP address of ISA server.

ISA Server Publishing can work around this issue. Based on my experience,
there is no specific security issue using Server publishing to publish a
web server. However, you may not be able to use some particular features
that are designed for ISA Web Publishing, such as web filters.

If you want to get the c-ip information of the external visitors, you can
refer to ISA web proxy logs for your analysis. To configure ISA logging,
please refer to the following Knowledge Base article:

302372 HOW TO: Configure Logging in Internet Security and Acceleration
Server

http://support.microsoft.com/?id=302372

In addition, if the above scenario is not similar to yours, would you
please help me confirm the following information for analysis?
1. Does this issue occur on all internal IIS servers? It appears that no IIS
site is installed on ISA server, right?

2. You mentioned "I am in a situation where each Web site has its own
private and public IP", can I assume that the "public IP" is the Firewall's
external IP, or these web servers are directly connecting to Internet?

3. Please send me the corresponding IIS logs for analysis.

4. Could you tell me why you think "ISA seems to be forcing the visitors IP
(c-id) to Private IP #1 for Web site#1 and Private IP #2 for Web site #2."?

5. Could you tell me the network topology of your network?

If you have any further concerns, please feel free to let me know.
I look forward to your update. Have a nice day!

Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support


--------------------
| From: "Nicolas Verhaeghe" <nospam_nicver@xxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.isaserver,microsoft.public.windows.server.sbs,microsoft.public.inetserver.iis
| Subject: Web log issue: ISA server replaces visitor's IPs with local IPs on SBS
| Date: Fri, 12 Aug 2005 10:35:54 -0700
|
| I have a fully-loaded SBS 2003 Premium and it seems that all the public IPs
| (c-id field) in the IIS6 logs are replaced with that of the machine.
|
| According to the software manufacturer (Weblog Expert), this is due to ISA.
|
| When I look at the log files, sure enough, c-id is that of the machine.
|
| I am in a situation where each Web site has its own private and public IP
| because of the fact that they each use their own SSL key.
|
| My Sonicwall does one-to-one NAT and maps each Web site to its own IP. The
| NIC has more than one IP address and in IIS6 each Web site is linked to its
| own private IP.
|
| ISA seems to be forcing the visitors IP (c-id) to Private IP #1 for Web site
| #1 and Private IP #2 for Web site #2.
|
| Does anybody know what I can do to fix this issue?
|
| This is also causing a problem, as my banner stats are not properly
| incremented (the system uses the IP address to determine if the visitor is
| local or not).
|
| Thanks in advance!
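
The log correlation suggested in the reply above, as an added example that is not part of the original thread: it checks whether an IIS log shows only RFC 1918 addresses in c-ip, then pairs each IIS hit with the ISA web proxy entry for the same path and time to recover the visitor's address. It assumes the ISA log is written in W3C extended format with date, time, c-ip and cs-uri fields and that both logs use the same time zone; the log lines and the host name www.example.test are constructed.

```python
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlsplit

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (not from the thread); field names are assumptions.
IIS_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-08-12 17:20:01 192.168.16.2 GET /default.aspx 200
2005-08-12 17:20:05 192.168.16.2 GET /banner.gif 200
2005-08-12 17:21:30 192.168.16.2 GET /admin.aspx 200
"""
ISA_LOG = """#Fields: c-ip date time cs-uri sc-status
203.0.113.7 2005-08-12 17:20:01 http://www.example.test/default.aspx 200
198.51.100.23 2005-08-12 17:20:04 http://www.example.test/banner.gif 200
"""

def parse_w3c(text):
    """Parse a W3C extended log; column names come from its '#Fields:' directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()  # handles space- or tab-separated columns
            if len(values) == len(fields):
                row = dict(zip(fields, values))
                row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                              "%Y-%m-%d %H:%M:%S")
                rows.append(row)
    return rows

def masked_by_proxy(rows):
    """True when every c-ip is an RFC 1918 address (the proxy's, not the visitor's)."""
    return bool(rows) and all(
        any(ipaddress.ip_address(r["c-ip"]) in net for net in RFC1918) for r in rows)

def recover_clients(iis_rows, isa_rows, skew=timedelta(seconds=2)):
    """Return (path, logged c-ip, visitor c-ip or None) for each IIS hit."""
    unused, out = list(isa_rows), []
    for hit in iis_rows:
        match = next((p for p in unused
                      if urlsplit(p["cs-uri"]).path == hit["cs-uri-stem"]
                      and abs(p["ts"] - hit["ts"]) <= skew), None)
        if match:
            unused.remove(match)  # one proxy entry explains one IIS hit
        out.append((hit["cs-uri-stem"], hit["c-ip"], match["c-ip"] if match else None))
    return out
```

A hit that comes back with `None` has no matching proxy entry within the allowed clock skew, so its origin has to be established from another source.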