
We have Citrix Secure Gateway installed on a Windows Server 2008 R2 server with the Citrix login page hosted in IIS on the same server. The CSG handles incoming HTTP and HTTPS connections on ports 80 and 443 and relays them to IIS, which is listening on a different port (using HTTP only, not HTTPS). This means that IIS sees all incoming connections as local connections, with the source IP address being the server's own IP address.

This causes a couple of problems. It makes it impossible to see the source IP address in IIS logs, and causes IIS to display detailed HTTP error messages to all clients, including external ones.

We can mitigate the second problem by turning detailed error messages off, but the ideal solution would be for IIS to see the actual source IP address rather than the server's own address. Is this possible, and if so, how?

toryan

1 Answer


Assuming you are running at least Web Interface 5.x, you can configure it to see the real IP address of the client connecting through the gateway.

Locate the following section in $SITEROOT/Citrix/XenApp/app_code/PagesJava/com/citrix/wi/pageutils/Include.java:

    /**
     * Returns the IP address of the client
     *
     * @return the client IP address as a string
     */
    public static String getClientAddress(WIContext wiContext) {
        String ageClientAddress = AGEUtilities.getAGEClientIPAddress(wiContext);
        return (ageClientAddress != null
                ? ageClientAddress
                : wiContext.getWebAbstraction().getUserHostAddress());
    }

Replace this entire section with the following:

    /**
     * Returns the IP address of the client.
     *
     * @return the client IP address as a string
     */
    public static String getClientAddress(WIContext wiContext) {
        WebAbstraction web = wiContext.getWebAbstraction();
        String gatewayAddress = "127.0.0.1"; // change as appropriate if Gateway is on another server
        // Only trust X-Forwarded-For when the TCP peer is the gateway itself;
        // a client connecting directly can set the header to anything.
        boolean comingFromGateway = web.getUserHostAddress().equals(gatewayAddress);
        String forwardedAddress = web.getRequestHeader("X-Forwarded-For");
        // Access Gateway Enterprise supplies the client address itself; prefer it when present.
        String ageClientAddress = AGEUtilities.getAGEClientIPAddress(wiContext);
        if (ageClientAddress != null) {
            return ageClientAddress;
        } else if (comingFromGateway && (forwardedAddress != null)) {
            return forwardedAddress;
        } else {
            return web.getUserHostAddress();
        }
    }

Rex
  • Thanks for the answer. Unfortunately, the traffic goes through a load balancer before hitting the CSG so there is no usable X-Forwarded-For header. I'll keep this in mind for future reference though. – toryan Apr 24 '15 at 12:03
  • Can you check if your load balancer supports adding arbitrary HTTP headers? – StackzOfZtuff Apr 28 '15 at 14:41
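The security-relevant part of the answer is the comingFromGateway test: X-Forwarded-For is only meaningful when the TCP peer is a proxy you operate, because a client that reaches the server directly can put anything in the header. The following is an added example, not code from the question, the answer or Citrix, written in Python rather than the Web Interface's Java so it can be run stand-alone. It generalises the answer's single-gateway check to the situation raised in the comments, a load balancer in front of the gateway, on the assumption that each hop appends the address it received the request from (the behaviour StackzOfZtuff's comment asks the load balancer to be configured for). The trusted ranges (127.0.0.1 for the CSG as IIS sees it, 10.0.0.0/8 for the load balancer) and all sample addresses are assumptions constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional

# Assumed deployment: IIS sees the CSG as 127.0.0.1, and the CSG sees the
# load balancer from 10.0.0.0/8. Keep these ranges as narrow as the real
# proxies allow: any genuine client inside them would be skipped as "a proxy".
TRUSTED_PROXIES = (
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
)


def is_trusted_proxy(ip, trusted_proxies) -> bool:
    """True if ip falls inside one of the trusted proxy networks."""
    return any(ip in net for net in trusted_proxies)


def resolve_client_address(remote_addr: str,
                           x_forwarded_for: Optional[str],
                           trusted_proxies: Iterable = TRUSTED_PROXIES) -> str:
    """Return the client address behind a chain of trusted proxies.

    remote_addr is the TCP peer the web server sees (getUserHostAddress()
    in the answer). x_forwarded_for is the raw header value, or None.
    Each compliant proxy appends the address it received the request from,
    so the header reads client-first, nearest-proxy-last. Walking it from
    the right and skipping our own proxies yields the first address that a
    trusted hop observed; everything to the left of it is client-controlled
    and is ignored.
    """
    nets = tuple(trusted_proxies)
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    if not is_trusted_proxy(peer, nets):
        # Direct connection: the header, if present, was written by the client.
        return str(peer)
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry where only trusted proxies should have written:
            # refuse to log attacker-supplied text and fall back to the peer.
            return str(peer)
        if not is_trusted_proxy(ip, nets):
            return str(ip)
    # No header at all, or every hop was one of our own proxies.
    return str(peer)


if __name__ == "__main__":
    # Constructed requests (peer address as IIS sees it, raw header value);
    # not captured traffic.
    samples = [
        ("203.0.113.7", "198.51.100.1"),                    # direct, spoofed header ignored
        ("127.0.0.1", "203.0.113.7"),                       # via CSG only
        ("127.0.0.1", "198.51.100.9, 203.0.113.7, 10.0.0.5"),  # client spoof, LB, CSG
        ("127.0.0.1", None),                                # CSG without the header
    ]
    for peer, xff in samples:
        print(f"peer={peer:<12} xff={xff!r:<42} client={resolve_client_address(peer, xff)}")
```

The answer's comingFromGateway check is the `is_trusted_proxy(peer, nets)` test here. Where the answer returns the header verbatim, this walks the comma-separated list, which matters once a second proxy is in the chain: with the load balancer appending, the raw header is a list, not one address, and the leftmost entry is the one the client chose.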