X-Forwarded-For is used for geolocation services, advanced logging, or compliance requirements. Use XFF to track a client IP address through a proxy chain to a webserver or an upstream proxy server.
Are you looking to add X-Forwarded-For functionality to your Forefront Threat Management
Gateway, IIS Web Server or ISA Server proxy infrastructure like you can with Squid,
Apache, F5 Big-IP, Blue Coat, Cisco Cache Engine, Netcache etc? Now you can! Winfrasoft
X-Forwarded-For for TMG, ISA Server and IIS adds the ability to track and log the
source IP address of a client PC through a forward or reverse proxy server chain
to the web server.
This is ideal for log analysis when branch offices connect to the Internet via a
head office proxy server, and when the real client IP address is required on a web
server for accurate reporting and analysis.
IIS Web Server logging: X-Forwarded-For for IIS logs the REAL client
IP address in the IIS
log "c-ip" field based on X-Forwarded-For header information. It uses a Proxy Trust
List to ensure that spoofed header information is dropped and only valid IPs are
logged. It can also be configured to log the entire X-Forwarded-For header together
with the layer 4 routed source IP address to record the complete proxy chain.
Making forward proxy requests from TMG / ISA Server: X-Forwarded-For
for TMG / ISA Server adds the X-Forwarded-For field to the HTTP header of web requests
leaving the proxy server. The new field contains the IP address of the original
web browser client PC.
Receiving forward proxy requests into TMG / ISA Server: If the
TMG / ISA Server receives a proxy request which contains the X-Forwarded-For field
in the HTTP header, the filter will log the XFF IP as the client IP address instead
of the IP address of the requesting proxy server. The IP address of the requesting
proxy server is not lost; it is added to the Filter Information field in the proxy
server logs. If it is the last proxy in a forward proxy chain the header is removed
by default for security. In a reverse proxy scenario the header is forwarded on
to the published web server for processing.
Security: In a forward proxy scenario, if the TMG / ISA Server
is not configured with a web chaining rule it will not add the X-Forwarded-For header.
This helps to prevent your internal server IPs being revealed to the Internet.
NB: You should never trust X-Forwarded-For header information that originates from
outside of your organisation as the field is not signed or authenticated. Use the
Proxy Trust List on the IIS web server to prevent X-Forwarded-For spoofing.
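The trust-list check described above can be sketched as follows. This is an added example, not Winfrasoft's code or configuration format; the function names, the trust list and the sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed trust list (assumption): the proxies this organisation operates.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.10/32")]

def is_trusted(ip):
    """True if the address belongs to a proxy on the trust list."""
    return any(ip in net for net in TRUSTED_PROXIES)

def resolve_client_ip(peer, xff_header):
    """Return the address to log as the client IP.

    peer:       layer 4 source address of the connection.
    xff_header: raw X-Forwarded-For value ("client, proxy1, proxy2") or None.
    """
    current = ipaddress.ip_address(peer)
    if not xff_header:
        return str(current)
    # Walk right to left: the rightmost entry was appended by the nearest proxy.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        if not is_trusted(current):
            break  # this hop is not ours, so whatever it forwarded is unverified
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
    return str(current)

if __name__ == "__main__":
    # Constructed cases: (layer 4 peer, X-Forwarded-For header)
    cases = [
        ("10.0.0.5", "203.0.113.7"),            # one trusted proxy in front
        ("10.0.0.5", "1.2.3.4, 203.0.113.7"),   # client pre-filled a fake entry
        ("198.51.100.9", "1.2.3.4"),            # header sent by an untrusted peer
        ("192.0.2.10", "203.0.113.7, 10.0.0.5") # two trusted proxies chained
    ]
    for peer, xff in cases:
        print(f"peer={peer:<14} xff={xff!r:<28} -> log {resolve_client_ip(peer, xff)}")
```

The walk stops at the first address that is not on the trust list, so entries a client inserted ahead of the real chain are never logged as the client IP.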
Note: X-Forwarded-For for TMG, ISA Server and IIS uses the same HTTP field format
as other vendor implementations of this technology and should be compatible with
other proxy server solutions, although this has not been tested.
X-Forwarded-For for TMG Minimum Server System Requirements:
- Windows Server 2008 R2
- TMG 2010 Standard Edition or Enterprise Edition
X-Forwarded-For for ISA Server Minimum Server System Requirements:
- Windows Server 2003
- ISA Server 2004 Standard Edition or Enterprise Edition or
- ISA Server 2006 Standard Edition or Enterprise Edition
X-Forwarded-For for IIS Minimum Server System Requirements:
- Native x86 and x64 support
- Windows Server 2003 with IIS 6.0 or
- Windows Server 2008 with IIS 7.0
- Windows Server 2008 R2 with IIS 7.5
- X-Forwarded-For for TMG is compatible with multi-lingual versions of Windows Server
2008 R2 and TMG 2010, but is only available in English.
- X-Forwarded-For for ISA Server is compatible with multi-lingual versions of Windows
Server 2003 and ISA Server, but is only available in English. (Tested on English
and Spanish editions)
- X-Forwarded-For for IIS is compatible with multi-lingual versions of Windows, but
is only available in English. (Tested on English, Dutch and Spanish editions)
Product support and documentation are only available in English.
X-Forwarded-For for TMG supports:
- Forward & Reverse proxy
- Forefront TMG 2010
- 64bit high throughput
- Standard & Enterprise Editions
- HTTP and HTTPS
- Unlimited servers in chain
- Hardware Load-balancers
- Transparent network sniffers
Easy to use
- TMG web filter
- No customization required
- Integration with Winfrasoft X-Forwarded-For for IIS & ISA
Compliance and security
- View logs in TMG Logging tab
- Prevent internal IP addresses from reaching the Internet