X-Forwarded-For is used for geolocation services, advanced logging, or compliance requirements. Use XFF to track a client IP address through a proxy chain to a webserver or an upstream proxy server.

Are you looking to add X-Forwarded-For functionality to your Forefront Threat Management Gateway, IIS Web Server or ISA Server proxy infrastructure like you can with Squid, Apache, F5 Big-IP, Blue Coat, Cisco Cache Engine, Netcache etc? Now you can! Winfrasoft X-Forwarded-For for TMG, ISA Server and IIS adds the ability to track and log the source IP address of a client PC through a forward or reverse proxy server chain to the web server.

This is ideal for log analysis when branch offices connect to the Internet via a head office proxy server, and when the real client IP address is required on a web server for accurate reporting and analysis.

IIS Web Server logging: X-Forwarded-For for IIS logs the REAL client IP address in the IIS log "c-ip" field based on X-Forwarded-For header information. It uses a Proxy Trust List to ensure that spoofed header information is dropped and only valid IPs are logged. It can also be configured to log the entire X-Forwarded-For header together with the layer 4 routed source IP address to record the complete proxy chain.

Making forward proxy requests from TMG / ISA Server: X-Forwarded-For for TMG / ISA Server adds the X-Forwarded-For field to the HTTP header of web requests leaving the proxy server. The new field contains the IP address of the original web browser client PC.

Receiving forward proxy requests into TMG / ISA Server: If the TMG / ISA Server receives a proxy request which contains the X-Forwarded-For field in the HTTP header, the filter will log the XFF IP as the client IP address instead of the IP address of the requesting proxy server. The IP address of the requesting proxy server is not lost; it is added to the Filter Information field in the proxy server logs. If it is the last proxy in a forward proxy chain, the header is removed by default for security. In a reverse proxy scenario, the header is forwarded on to the published web server for processing.

Security: In a forward proxy scenario, if the TMG / ISA Server is not configured with a web chaining rule, it will not add the X-Forwarded-For header. This helps to prevent your internal server IPs being revealed to the Internet. NB: You should never trust X-Forwarded-For header information that originates from outside of your organisation, as the field is not signed or authenticated. Use the Proxy Trust List on the IIS web server to prevent X-Forwarded-For spoofing.
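The sketch below shows how a proxy trust list can stop a spoofed X-Forwarded-For value from being logged as the client IP. It is an added example, not Winfrasoft's code; the right-to-left walk, the function names and the trust list entries are assumptions made for illustration.

```python
import ipaddress

# Constructed trust list: networks of proxies the organisation operates (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.10/32")]


def is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, xff_header):
    """Return (client_ip, chain) for logging.

    peer_ip is the layer 4 source address of the connection. The header is
    only honoured when that peer is a trusted proxy, and is then read from
    right to left: each trusted proxy vouches for the entry it appended, so
    the first address that is not a trusted proxy is the last one we can
    verify. Anything further left is client-supplied and is ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not xff_header or not is_trusted(peer):
        return str(peer), [str(peer)]  # untrusted sender: drop the header

    client, chain = peer, [str(peer)]
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry (e.g. "unknown", "ip:port"): stop here
        client = addr
        chain.append(str(addr))
        if not is_trusted(addr):
            break  # first non-proxy address is the verified client
    return str(client), list(reversed(chain))


if __name__ == "__main__":
    # Constructed requests: (layer 4 peer, X-Forwarded-For header value)
    samples = [
        ("203.0.113.5", "10.1.1.1"),                   # direct, spoofed header
        ("10.0.0.2", "198.51.100.7, 10.0.0.3"),        # two trusted proxies
        ("10.0.0.2", "203.0.113.99, 198.51.100.7"),    # client prepended a fake hop
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff))
```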

Note: X-Forwarded-For for TMG, ISA Server and IIS uses the same HTTP field format as other vendor implementations of this technology and should be compatible with other proxy server solutions, although this has not been tested.

X-Forwarded-For for TMG Minimum Server System Requirements:

  • Windows Server 2008 R2
  • TMG 2010 Standard Edition or Enterprise Edition

X-Forwarded-For for ISA Server Minimum Server System Requirements:

  • Windows Server 2003
  • ISA Server 2004 Standard Edition or Enterprise Edition or
  • ISA Server 2006 Standard Edition or Enterprise Edition

X-Forwarded-For for IIS Minimum Server System Requirements:

  • Native x86 and x64 support
  • Windows Server 2003 with IIS 6.0 or
  • Windows Server 2008 with IIS 7.0
  • Windows Server 2008 R2 with IIS 7.5

Languages:

  • X-Forwarded-For for TMG is compatible with multi-lingual versions of Windows Server 2008 R2 and TMG 2010, but is only available in English.
  • X-Forwarded-For for ISA Server is compatible with multi-lingual versions of Windows Server 2003 and ISA Server, but is only available in English. (Tested on English and Spanish editions)
  • X-Forwarded-For for IIS is compatible with multi-lingual versions of Windows, but is only available in English. (Tested on English, Dutch and Spanish editions)

Product support and documentation are only available in English.

X-Forwarded-For for TMG supports:

  • Forward & Reverse proxy
  • Forefront TMG 2010
  • 64bit high throughput
  • Standard & Enterprise Editions
  • HTTP and HTTPS
  • Unlimited servers in chain
  • Hardware Load-balancers
  • Transparent network sniffers

Easy to use

  • TMG web filter
  • No customization required
  • Integration with Winfrasoft X-Forwarded-For for IIS & ISA

Compliance and security

  • View logs in TMG Logging tab
  • Prevent internal IP addresses from reaching the Internet
