CopyDisable

Monday, 15 August 2011

Netscaler Load Balancer – Forwarding client IP to the IIS 7+ Web Server

Continuing from my previous post on Netscaler Load Balancer-Forwarding client IP to the Apche Web Server" , today I am going to show how we can capture the client’s IP in ISS 7+ web server. The Part 1 of this post is same as the previous post.




Part 1:
Normally the web server receives the Load Balancer’s IP address not the actual client’s IP address. But for web log analysis we need the actual client’s IP address.

For example in one of our website we require the client’s IP address for analysis of the web traffic.



 Explanation of the diagram: The Firewall receives the client’s requests and it NAT the live IP (suppose 220.226.205.251) of the website to the Virtual IP (in our case 172.16.0.164) of the virtual server configured for this website in the load balancer. Now the load balancer receives the requests and forwards the requests to different services registered against the virtual server. While distributing the traffic internally the load balancer uses its Mapped IP. In our case the load balancer has two IPs, one is 172.16.0.250 which is the Load Balancer IP and the other is 172.16.0.251 which is the Mapped IP, and load balancer will use the 172.16.0.251 IP for distributing the traffic. The web servers will get the traffic from the Mapped IP and in web server’s access log we can find only the Mapped IP of the load balancer.


To make the NetScaler load balancer to insert the client IP address in a custom HTTP header, we have to run the following command from the command line interface of the load balancer for all the services we want to send the client’s IP address:



For the website I have configured three servers. Three services are configured for those servers are Oasis_5_80_services, FYJC4_80_service and FYJC5_80_service. So run the commands as shown in the above image and it will enable the load balancer to insert the client’s IP address in the HTTP header for the three services. NS-Client-IP is the header name that is appended to the request. We may specify any name for the header.


2nd Part:

To make the IIS 7+ Web Server to log the client IP address present in the HTTP header we have to follow the following steps:
1) First we have to enable IIS Advanced Logging. Open IIS Advanced Logging





 2) By default, IIS Advanced Logging is disabled. To enable it click Enable Advanced Logging in the Actions pane.

3) Now we are going to add a new Logging field to capture the custom header field NS-Client-IP that will be sent by the load balancer. Click on the Edit Logging Fields link in the Actions pane.
 
4) We are going to add a new field. So click on Add Field button.
 
5) Now I will add the NS-Client-IP field that we want to capture. Source Type is Request Header.
 
 6) Now we can see the new field NS-Client-IP. Click OK to close the Edit Logging Fields window.

 7) Now suppose for our Default Web Site we want to record the Client’s IP address. Open Advanced Logging of the Default Web Site.

8) Click on Add Log Definition


9) Enter a name, suppose TestLog for this example, and click on Select Fields
  

10) Select the fields that we want in the log file. For example we want the Client IP sent by the load balancer, date, local time, URI Querystring, User Agent information in the log file. Click OK to finish the selection.


11) We can see the selected fields. We can change the order of the fields in the log file as per our requirement.


 12) Click Apply to save the changes

  
13) Now we are going to see the log generated by the ISS Advanced Logging. Our log file is generated in the location C:\inetpub\logs\AdvancedLogs\DEFAULT WEB SITE folder. 

The name of the log file is TestLog_D20100618-131413571. 

Let’s see the content of the log file:


#Software: IIS Advanced Logging Module

#Version: 1.0

#Start-Date: 2010-06-18 13:14:13.571

#Fields: NS-Client-IP date-local time-local cs-uri-query cs(User-Agent)

117.200.184.18” 2010-06-18 18:44:13.820 – “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2; MSOffice 12)”

117.200.184.18” 2010-06-18 18:44:14.054 – “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2; MSOffice 12)”

117.254.2.201” 2010-06-18 18:44:15.053 – “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)”

117.254.2.201” 2010-06-18 18:44:15.053 – “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)”

212.189.46.155” 2010-06-18 18:44:15.318 – “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)”

212.189.46.155” 2010-06-18 18:44:15.505 seatNo=e031839&centerCode=&ip=10.10.10.251 “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)”

117.200.216.19” 2010-06-18 18:44:17.252 – “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)”

59.95.16.183” 2010-06-18 18:44:18.953 seatNo=f015435&centerCode=&ip=10.10.10.251 “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”

117.200.184.18” 2010-06-18 18:44:19.857 – “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2; MSOffice 12)”

61.17.161.224” 2010-06-18 18:44:23.555 – “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 GTB7.0″

61.17.161.224” 2010-06-18 18:44:23.555 – “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 GTB7.0″

212.189.46.155” 2010-06-18 18:44:24.272 – “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)”



Hooooooorrrrrrrrreeeeeyyyyyyyyyy……………we can see the client’s live IP in the log file.





জয় আই অসম,
প্রণব শর্মা