June 2016 hotfix for Microsoft Application Request Routing 3.0

Symptoms
Issue 1

When you use the Microsoft Application Request Routing (ARR) Helper module in conjunction with the X-Forwarded-For: header, an incorrect client IP address is generated on the request object for the web farm worker.

Issue 2

Consider the following scenario:
  • A web farm is configured to forward requests to workers by using HTTPS.
  • ARR uses the SecureConnectionIgnoreFlags registry value.
  • The web farm is configured to perform health checks.
In this scenario, the health check requests fail.

Issue 3

If a web farm is configured to forward requests to workers by using HTTPS, ARR provides no way to validate that the web farm worker returns a specific server certificate.  
Cause
These issues occur because of an issue in ARR.
Download information
The following file is available for download from the Microsoft Download Center:

Download the ARR 3.0 package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

To apply this hotfix, you must have Application Request Routing 3.0 (3.0.1750 or a later version) installed.  

Restart requirements

You may have to restart the server after you apply this hotfix.

Hotfix replacement information

This hotfix doesn't replace any previously released hotfix.

File information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). Be aware that dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time bias. The dates and times may also change when you perform certain operations on the files.

For all supported x86-based versions of Application Request Routing 3.0

File name                                 File version   File size   Date         Time    Platform
requestRouter.dll                         7.1.1965.0     310,512     05-16-2016   21:50   x86
Microsoft.Web.Management.Arr.Client.dll   7.1.1965.0     379,632     05-16-2016   21:51   msil
Microsoft.Web.Management.Arr.dll          7.1.1965.0     109,296     05-16-2016   21:51   msil

For all supported x64-based versions of Application Request Routing 3.0

File name                                 File version   File size   Date         Time    Platform
requestRouter.dll                         7.1.1965.0     326,896     05-16-2016   21:50   x64
Microsoft.Web.Management.Arr.Client.dll   7.1.1965.0     379,632     05-16-2016   21:51   msil
Microsoft.Web.Management.Arr.dll          7.1.1965.0     109,296     05-16-2016   21:51   msil

Status
Microsoft has confirmed that this is an update in the Microsoft products that are listed in the "Applies to" section.
More information
After you install this hotfix, the following fixes are made.

Issue 1

This hotfix adds the trustImmediateProxy attribute to the Application Request Routing Helper module configuration settings. TrustImmediateProxy controls whether the server from which the request was received should be automatically added to the trustedProxies list. If it's not otherwise specified, trustImmediateProxy is set to "false."

After you apply this hotfix, the default for the trustUnlisted attribute is changed from "true" to "false."

Sample configuration:
<proxyHelper>
  <trustedProxies trustUnlisted="false" trustImmediateProxy="true">
    <add ipAddress="1.1.1.1" />
    <add ipAddress="2.2.2.2" />
  </trustedProxies>
</proxyHelper>

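
The following Python sketch is an added example, not Microsoft code and not the ARR Helper implementation. It models the common right-to-left evaluation of X-Forwarded-For against the trustedProxies settings above, to show why a trustUnlisted value of "true" lets a sender-supplied address become the client IP. The function names, the request addresses and the walk order are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The page's sample configuration.
SAMPLE = """<proxyHelper>
  <trustedProxies trustUnlisted="false" trustImmediateProxy="true">
    <add ipAddress="1.1.1.1" />
    <add ipAddress="2.2.2.2" />
  </trustedProxies>
</proxyHelper>"""

# Constructed request: the leftmost entry was supplied by the sender itself.
PEER = "10.0.0.5"
XFF = "198.51.100.99, 203.0.113.7, 2.2.2.2"

def load_policy(xml_text):
    """Read trustedProxies; missing attributes take the post-hotfix default "false"."""
    node = ET.fromstring(xml_text).find("trustedProxies")
    return {
        "trusted": {ipaddress.ip_address(a.get("ipAddress")) for a in node.findall("add")},
        "trust_unlisted": node.get("trustUnlisted", "false").lower() == "true",
        "trust_immediate": node.get("trustImmediateProxy", "false").lower() == "true",
    }

def resolve_client_ip(peer, xff, policy):
    """Assumed model: walk the header right to left, stop at the first untrusted hop."""
    def trusted(ip):
        return policy["trust_unlisted"] or ip in policy["trusted"]

    peer_ip = ipaddress.ip_address(peer)
    if not (policy["trust_immediate"] or trusted(peer_ip)):
        return str(peer_ip)      # header arrived from an untrusted sender: ignore it
    client = peer_ip
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            client = ipaddress.ip_address(hop)
        except ValueError:
            break                # malformed entry: keep the last accepted address
        if not trusted(client):
            break                # first address no trusted proxy vouches for
    return str(client)

if __name__ == "__main__":
    policy = load_policy(SAMPLE)
    print("trustUnlisted=false:", resolve_client_ip(PEER, XFF, policy))
    print("trustUnlisted=true: ", resolve_client_ip(PEER, XFF, dict(policy, trust_unlisted=True)))
```
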
Issue 2

After you apply this hotfix, Application Request Routing health checks use the SecureConnectionIgnoreFlags setting.

Issue 3

After you apply this hotfix, Application Request Routing supports configuration of a per-web farm collection of SSL server certificate public keys, with optional Algorithm OID strings. This validates the server certificates that are received from web farm workers.

Sample configuration:

<webFarms>
  <webFarm name="MyServerFarm">
    <server address="first.backend.com" enabled="true" />
    <server address="second.backend.com" enabled="true" />
    <applicationRequestRouting>
      <publicKeys>
        <publicKey bytes="112233445566778899AABBCCDDEEFF" algorithmOid="1.2.840.113549.1.1.11" />
        <publicKey bytes="AABBCCDDEEFF112233445566778899" />
      </publicKeys>
    </applicationRequestRouting>
  </webFarm>
</webFarms>

Notes
  • The bytes field is the hex representation of the public key blob of the server certificate, without spaces.
  • AlgorithmOid is the string representation of the Algorithm OID. In the preceding example, 1.2.840.113549.1.1.11 corresponds to SHA256. The algorithmOid is optional. If it's not specified, any algorithm OID is acceptable.
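
The following Python sketch is an added example, not Microsoft code. It lints a publicKeys collection against the two notes above and models the matching rule, in which a pin without algorithmOid accepts any algorithm OID. The function names are hypothetical, and the case-insensitive hex comparison is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# The page's sample web farm (the key bytes are the page's placeholder values).
FARM_SAMPLE = """<webFarms>
  <webFarm name="MyServerFarm">
    <server address="first.backend.com" enabled="true" />
    <server address="second.backend.com" enabled="true" />
    <applicationRequestRouting>
      <publicKeys>
        <publicKey bytes="112233445566778899AABBCCDDEEFF" algorithmOid="1.2.840.113549.1.1.11" />
        <publicKey bytes="AABBCCDDEEFF112233445566778899" />
      </publicKeys>
    </applicationRequestRouting>
  </webFarm>
</webFarms>"""

HEX_RE = re.compile(r"[0-9A-Fa-f]+")
OID_RE = re.compile(r"[0-2](\.\d+)+")

def load_pins(xml_text, farm_name):
    """Return (pins, problems) for one web farm; each pin is (KEYHEX, oid or None)."""
    pins, problems = [], []
    for farm in ET.fromstring(xml_text).iter("webFarm"):
        if farm.get("name") != farm_name:
            continue
        for pk in farm.iterfind("applicationRequestRouting/publicKeys/publicKey"):
            key, oid = pk.get("bytes", ""), pk.get("algorithmOid")
            if not HEX_RE.fullmatch(key) or len(key) % 2:
                problems.append(f"bytes is not whole hex bytes without spaces: {key!r}")
            elif oid is not None and not OID_RE.fullmatch(oid):
                problems.append(f"algorithmOid is not a dotted OID string: {oid!r}")
            else:
                pins.append((key.upper(), oid))
    return pins, problems

def worker_cert_accepted(pins, key_hex, cert_oid):
    """True if the key matches a pin and that pin's OID, when one is set, matches too."""
    key_hex = key_hex.upper()
    return any(k == key_hex and (oid is None or oid == cert_oid) for k, oid in pins)

if __name__ == "__main__":
    pins, problems = load_pins(FARM_SAMPLE, "MyServerFarm")
    print(len(pins), "pins loaded;", len(problems), "problems")
    print(worker_cert_accepted(pins, "112233445566778899aabbccddeeff", "1.2.840.113549.1.1.11"))
```
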
Properties

Article ID: 3162949 - Last Review: 06/06/2016 16:53:00 - Revision: 2.0

Microsoft Internet Information Services 10.0, Microsoft Internet Information Services 8.5, Microsoft Internet Information Services 8.0, Microsoft Internet Information Services 7.5, Microsoft Internet Information Services 7.0
