Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Symptoms

Issue 1

When you use the Microsoft Application Request Routing (ARR) Helper module in conjunction with the X-Forwarded-For: header, an incorrect client IP address is generated on the request object for the web farm worker.

Issue 2

Consider the following scenario:

  • A web farm is configured to forward requests to workers by using HTTPS.

  • ARR uses the SecureConnectionIgnoreFlags registry value.

  • he web farm is configured to perform health checks.

In this scenario, the health check requests fail.

Issue 3

If a web farm is configured to forward requests to workers by using HTTPS, ARR provides no way to validate that the web farm worker returns a specific server certificate.  

Cause

These issues occur because of an issue in ARR.

Download information

The following file is available for download from the Microsoft Download Center:

DownloadDownload the ARR 3.0 package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

To apply this hotfix, you must have Application Request Routing 3.0 (3.0.1750 or a later version) installed.  

Restart requirements

You may have to restart the server after you apply this hotfix.

Hotfix replacement information

This hotfix doesn't replace any previously released hotfix.

File information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). Be aware that dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time bias. The dates and times may also change when you perform certain operations on the files.

For all supported x86-based versions of Application Request Routing 3.0

File name

File version

File size

Date

Time

Platform

requestRouter.dll

7.1.1965.0

310,512

05-16-2016

21:50

x86

Microsoft.Web.Management.Arr.Client.dll

7.1.1965.0

379,632

05-16-2016

21:51

msil

Microsoft.Web.Management.Arr.dll

7.1.1965.0

109,296

05-16-2016

21:51

msil


For all supported x64-based versions of Application Request Routing 3.0

File name

File version

File size

Date

Time

Platform

requestRouter.dll

7.1.1965.0

326,896

05-16-2016

21:50

x64

Microsoft.Web.Management.Arr.Client.dll

7.1.1965.0

379,632

05-16-2016

21:51

msil

Microsoft.Web.Management.Arr.dll

7.1.1965.0

109,296

05-16-2016

21:51

msil

Status

Microsoft has confirmed that this is an update in the Microsoft products that are listed in the "Applies to" section.

More Information

After you install this hotfix, the following fixes are made.

Issue 1

This hotfix adds the trustImmediateProxy attribute to the Application Request Routing Helper module configuration settings. TrustImmediateProxy controls whether the server from which the request was received should be automatically added to the trustedProxies list. If it's not otherwise specified, trustImmediateProxy is set to "false."

After you apply this hotfix, the default for the trustUnlisted attribute is changed from "true" to "false."

Sample configuration:
<proxyHelper>
<trustedProxies trustUnlisted="false" trustImmediateProxy="true">
<add ipAddress="1.1.1.1" />
<add ipAddress="2.2.2.2" />
</trustedProxies>
</proxyHelper> Issue 2

After you apply this hotfix, Application Request Routing health checks use the SecureConnectionIgnoreFlags setting.

Issue 3

After you apply this hotfix, Application Request Routing supports configuration of a per-web farm collection of SSL server certificate public keys, with optional Algorithm OID strings. This validates the server certificates that are received from web farm workers.

Sample configuration:

<webFarms>
<webFarm name="MyServerFarm">
<server address="first.backend.com" enabled="true" />
<server address="second.backend.com" enabled="true" />
<applicationRequestRouting>
<publicKeys>
<publicKey bytes="112233445566778899AABBCCDDEEFF" algorithmOid="1.2.840.113549.1.1.11" />
<publicKey bytes="AABBCCDDEEFF112233445566778899" />
</publicKeys>
</applicationRequestRouting>
</webFarm>
</webFarms> Notes

  • The bytes field is the hex representation of the public key blob of the server certificate, without spaces.

  • AlgorithmOid is the string representation of the Algorithm OID. In the preceding example, 1.2.840.113549.1.1.11 corresponds to SHA256. The algorithmOid is optional. If it's not specified, any algorithm OID is acceptable.

References

Learn about the terminology that Microsoft uses to describe software updates.

Facebook LinkedIn Email
SUBSCRIBE RSS FEEDS

Need more help?

Want more options?

Discover Community

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×