Skip to main content

Use X-Forwarded-For (XFF) with URL Rewrite Module


Many customers deploy SecureAuth IdP Appliances behind a load balancer (LB) to provide high available and performant operation of the product. Unfortunately, any connection through the LB reveals only the source IP address of the LB which severely limits the usefulness of the URL Rewrite and logging functionalities of IIS.

To address this issue, most LB products include support for sending the X-Forwarded-For (XFF) HTTP header. When enabled on a device which supports it, the IP address of the requesting client is included in the XFF header and passed to the SecureAuth IdP Appliance.

With a few minor configuration changes to IIS, the XFF information can be logged for auditing purposes and used to build URL Rewrite rules.


1. Ensure the following items are installed and running before configuring URL Rewrite

  • SecureAuth IdP Version 9.x+

  • Windows Server 2012 R2

2. Ensure URL Rewrite extension is installed on the Windows server


Note that IP and Domain Restrictions in IIS take precedence over URL Rewrite

When configuring the Windows server to use the URL Rewrite add-on, set the feature settings under IP and Domain Restrictions to Allow

Configuration Steps to Add X-Forwarded-For (XFF) HTTP Header to IIS Logs

These instructions explain how to add the X-Forwarded-For (XFF) HTTP header to the IIS logs of a SecureAuth IdP Appliance


Before following the instructions below, ensure the load balancer is configured to pass the X-Forwarded-For (XFF) HTTP header to the SecureAuth IdP Appliances


1. From the Start screen, click Control Panel

2. Click System and Security and then Administrative Tools

3. On the Administrative Tools window, double-click Internet Information Services (IIS) Manager

4. On the connections pane, select Default Web Site and double-click Logging on the Default Web Site Home pane



5. On the Logging pane, click Select Fields...

W3C Logging Fields


6. On the W3C Logging Fields dialog, click Add Field...


7. On the Add Custom Field dialog, set the Log Field name value to XFF

8. Set the Source Type value to Request Header

9. Set the Source value to X-FORWARDED-FOR

10. Click OK and then OK again to dismiss the custom field dialog


11. On the Actions pane in the upper right of the screen, click Apply to confirm the changes


The log files now show "_x" appended at the end of the filename (e.g. u_ex161115_x) which indicates a custom field has been added to the log file format

Configuration Steps for URL Rewrite to Use X-Forwarded-For (XFF) HTTP Header in Load Balanced Environment

These instructions explain how to configure a URL Rewrite rule to use the X-Forwarded-For (XFF) HTTP header in a load balanced environment

The most common use case for the URL Rewrite in a SecureAuth IdP workflow is to route users between an internal and external realm based on IP

Edit Inbound Rule


1. In the IIS window, select the SecureAuth IdP realm from the tree view pane

2. On the target pane, double-click the URL Rewrite icon

URL Rewrite - Edit Inbound Rule


3. On the Edit Inbound Rule panel, in the Conditions section, note the defined conditions

Normally, the execution of URL Rewrite requires defining a condition with pattern matching and the REMOTE_ADDR Condition Input

However, in a Load Balanced environment, the REMOTE_ADDR is always the IP of the load balancer, so this rule does not execute as expected


4. To resolve this issue, change the Condition Input of the rule from REMOTE_ADDR to HTTP_X_Forwarded_For

This edit instructs the URL Rewrite module to use the requesting client's IP in the X-Forwarded-For (XFF) HTTP header instead of the load balancer's IP

The rule should then behave as expected


Refer to SecureAuth and High Availability for information about Web service load balancing options