Symptoms
Issue 1
When you use the Microsoft Application Request Routing (ARR) Helper module in conjunction with the X-Forwarded-For header, an incorrect client IP address is generated on the request object for the web farm worker.
Issue 2
Consider the following scenario:
- A web farm is configured to forward requests to workers by using HTTPS.
- ARR uses the SecureConnectionIgnoreFlags registry value.
- The web farm is configured to perform health checks.

In this scenario, the health check requests fail.
Issue 3
If a web farm is configured to forward requests to workers by using HTTPS, ARR provides no way to validate that the web farm worker returns a specific server certificate.
Cause
These issues occur because of an issue in ARR.
Download information
The following file is available for download from the Microsoft Download Center:
Download the ARR 3.0 package now.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
Prerequisites
To apply this hotfix, you must have Application Request Routing 3.0 (3.0.1750 or a later version) installed.
Restart requirements
You may have to restart the server after you apply this hotfix.
Hotfix replacement information
This hotfix doesn't replace any previously released hotfix.
File information
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). Be aware that dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time bias. The dates and times may also change when you perform certain operations on the files.
For all supported x86-based versions of Application Request Routing 3.0
File name | File version | File size | Date | Time | Platform |
---|---|---|---|---|---|
requestRouter.dll | 7.1.1965.0 | 310,512 | 05-16-2016 | 21:50 | x86 |
Microsoft.Web.Management.Arr.Client.dll | 7.1.1965.0 | 379,632 | 05-16-2016 | 21:51 | msil |
Microsoft.Web.Management.Arr.dll | 7.1.1965.0 | 109,296 | 05-16-2016 | 21:51 | msil |
For all supported x64-based versions of Application Request Routing 3.0
File name | File version | File size | Date | Time | Platform |
---|---|---|---|---|---|
requestRouter.dll | 7.1.1965.0 | 326,896 | 05-16-2016 | 21:50 | x64 |
Microsoft.Web.Management.Arr.Client.dll | 7.1.1965.0 | 379,632 | 05-16-2016 | 21:51 | msil |
Microsoft.Web.Management.Arr.dll | 7.1.1965.0 | 109,296 | 05-16-2016 | 21:51 | msil |
Status
Microsoft has confirmed that this is an update in the Microsoft products that are listed in the "Applies to" section.
More Information
After you install this hotfix, the following fixes are made.
Issue 1
This hotfix adds the trustImmediateProxy attribute to the Application Request Routing Helper module configuration settings. TrustImmediateProxy controls whether the server from which the request was received should be automatically added to the trustedProxies list. If it's not otherwise specified, trustImmediateProxy is set to "false."
After you apply this hotfix, the default for the trustUnlisted attribute is changed from "true" to "false."
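How the three settings interact, as an added example that is not part of the original article and is not ARR's own code. It assumes the usual trusted-proxy model (each proxy appends the address it received the request from to X-Forwarded-For, and the header is read right to left until an untrusted hop is reached); `load_policy` and `resolve_client_ip` are hypothetical names, and the 10.0.0.5, 203.0.113.9 and 198.51.100.7 addresses are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed input: the article's sample <proxyHelper> section.
SAMPLE_CONFIG = """
<proxyHelper>
  <trustedProxies trustUnlisted="false" trustImmediateProxy="true">
    <add ipAddress="1.1.1.1" />
    <add ipAddress="2.2.2.2" />
  </trustedProxies>
</proxyHelper>
"""

def load_policy(xml_text):
    """Read the settings; absent attributes take the post-hotfix default "false"."""
    node = ET.fromstring(xml_text).find("trustedProxies")
    listed = {ipaddress.ip_address(a.get("ipAddress")) for a in node.findall("add")}
    return {
        "listed": listed,
        "trust_unlisted": node.get("trustUnlisted", "false").lower() == "true",
        "trust_immediate": node.get("trustImmediateProxy", "false").lower() == "true",
    }

def resolve_client_ip(policy, peer_ip, xff_header):
    """Assumed model: walk X-Forwarded-For right to left while the hop that
    reported each entry is trusted; the first untrusted hop is the client."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    current = ipaddress.ip_address(peer_ip)
    # The connecting peer is trusted if listed, or via either trust flag.
    trusted = (policy["trust_immediate"] or policy["trust_unlisted"]
               or current in policy["listed"])
    while trusted and hops:
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        trusted = policy["trust_unlisted"] or current in policy["listed"]
    return str(current)

if __name__ == "__main__":
    strict = load_policy(SAMPLE_CONFIG)
    legacy = load_policy(SAMPLE_CONFIG.replace('trustUnlisted="false"', 'trustUnlisted="true"'))
    forged = "198.51.100.7, 203.0.113.9, 1.1.1.1"  # first entry supplied by the client
    print("trustUnlisted=false:", resolve_client_ip(strict, "10.0.0.5", forged))
    print("trustUnlisted=true: ", resolve_client_ip(legacy, "10.0.0.5", forged))
```

In this model, trustUnlisted="true" lets the walk continue to the leftmost entry, which the client itself supplies.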
Sample configuration:
    <proxyHelper>
      <trustedProxies trustUnlisted="false" trustImmediateProxy="true">
        <add ipAddress="1.1.1.1" />
        <add ipAddress="2.2.2.2" />
      </trustedProxies>
    </proxyHelper>

Issue 2
After you apply this hotfix, Application Request Routing health checks use the SecureConnectionIgnoreFlags setting.
Issue 3
After you apply this hotfix, Application Request Routing supports configuration of a per-web farm collection of SSL server certificate public keys, with optional Algorithm OID strings. This validates the server certificates that are received from web farm workers.
Sample configuration:
    <webFarms>
      <webFarm name="MyServerFarm">
        <server address="first.backend.com" enabled="true" />
        <server address="second.backend.com" enabled="true" />
        <applicationRequestRouting>
          <publicKeys>
            <publicKey bytes="112233445566778899AABBCCDDEEFF" algorithmOid="1.2.840.113549.1.1.11" />
            <publicKey bytes="AABBCCDDEEFF112233445566778899" />
          </publicKeys>
        </applicationRequestRouting>
      </webFarm>
    </webFarms>

Notes
- The bytes field is the hex representation of the public key blob of the server certificate, without spaces.
- AlgorithmOid is the string representation of the Algorithm OID. In the preceding example, 1.2.840.113549.1.1.11 corresponds to SHA256. The algorithmOid is optional. If it's not specified, any algorithm OID is acceptable.
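A pre-deployment check for the publicKeys collection, as an added example that is not part of the original article and is not ARR's own validation code. It applies the two notes above (contiguous hex in bytes, optional algorithmOid) and models the match rule they describe; `load_pins` and `certificate_matches` are hypothetical names, the third `publicKey` entry is a constructed malformed value, and returning False for a farm with no pins is an assumption of this model.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the article's sample pins plus one deliberately malformed entry.
SAMPLE_FARMS = """
<webFarms>
  <webFarm name="MyServerFarm">
    <applicationRequestRouting>
      <publicKeys>
        <publicKey bytes="112233445566778899AABBCCDDEEFF" algorithmOid="1.2.840.113549.1.1.11" />
        <publicKey bytes="AABBCCDDEEFF112233445566778899" />
        <publicKey bytes="AA BB CC" />
      </publicKeys>
    </applicationRequestRouting>
  </webFarm>
</webFarms>
"""

HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")   # whole bytes, no spaces
OID_RE = re.compile(r"\d+(?:\.\d+)+")         # dotted-decimal OID string

def load_pins(xml_text):
    """Return ({farm: [(key_bytes, oid_or_None)]}, [problems]) for every webFarm."""
    pins, problems = {}, []
    for farm in ET.fromstring(xml_text).iter("webFarm"):
        name = farm.get("name")
        pins[name] = []
        for pk in farm.iter("publicKey"):
            raw, oid = pk.get("bytes", ""), pk.get("algorithmOid")
            if not HEX_RE.fullmatch(raw):
                problems.append(f"{name}: bytes is not contiguous hex: {raw!r}")
            elif oid is not None and not OID_RE.fullmatch(oid):
                problems.append(f"{name}: malformed algorithmOid: {oid!r}")
            else:
                pins[name].append((bytes.fromhex(raw), oid))
    return pins, problems

def certificate_matches(pins, farm, key_blob, algorithm_oid):
    """True when a pin has the same key bytes and either no OID or the same OID.
    Assumption: a farm with no pins yields False in this model."""
    return any(key == key_blob and oid in (None, algorithm_oid)
               for key, oid in pins.get(farm, []))

if __name__ == "__main__":
    pins, problems = load_pins(SAMPLE_FARMS)
    print(problems)
    key = bytes.fromhex("112233445566778899AABBCCDDEEFF")
    print(certificate_matches(pins, "MyServerFarm", key, "1.2.840.113549.1.1.11"))
```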