I was recently approached by one of our customers, in search for information about the "Bind the source IP to the session" setting which appears on the Session tab of the Advanced Trunk Configuration window.
What does it not do?
In order to avoid possible confusion, let's begin by stating what this option does not do: it does not create any binding or association between a client's source IP address (as it appears in TCP packets sent from the client machine to UAG), and the UAG session. As a matter of fact, this feature has nothing to do with the "external" side of the UAG, meaning with the traffic between UAG and its clients.
So what is "Bind the source IP address to the session" used for?
As you are probably very well aware, as a reverse-proxy UAG splits connectivity between clients and backend servers into two separate connections - the TCP connection between a client and the UAG server; and the TCP connection between the UAG server and the backend application servers. The "Bind the source IP to the session" option affects only the internal side of a UAG server, meaning the TCP connection established by UAG to backend Web applications published through UAG. Note that this setting applies only to HTTP/S traffic sent from UAG to Web applications. It is not applicable for any other protocol (tunneled or otherwise) sent through and by UAG.
You enable the "Bind the source IP address to the session" setting to specify which specific IP address UAG should use as the source IP address for each specific session, when creating a new TCP connection to one of the backend Web application servers. The IP address should be one of the addresses defined on the internal NIC of the UAG server. If this setting is not enabled, all TCP connections will have the same source IP address, which is the primary IP address defined for the UAG internal adapter.
How do I configure this setting?
Configuration is a combination of two settings, which can be applied in any order:
1. Obviously, you need to enable the setting in the UAG Management console, and activate the configuration
2. You need to create a UAG hook file which contains a piece of VBScript that specifies (according to whatever logic you wish to implement), which IP address should be used for that specific UAG session. This file is invoked, and the VBScript executed, once per each session, during the session authentication process. The file should be placed in the .\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate folder, with the following naming convention: [Trunk Name][0 for HTTP trunk or 1 for HTTPS trunk]PostPostValidate.inc . For example, if you want to use this feature on an HTTPS trunk named Contoso, the file name should be Contoso1PostPostValidate.inc .
A sample script
The function that sets the source IP address to be used by UAG for TCP connections to backend Web applications, for the duration of the UAG session, is:
SetSessionParam g_cookie, "SessionSourceIP", "nnn.nnn.nnn.nnn"
Based on this, a very basic example of a script that specifies which source IP address should be used, based on user name, would look something like this:
A few troubleshooting tips
· Remember that this feature applies only to traffic between the UAG server and Web applications on the backend.
· Remember that the IP addresses specified in this script must be actual IP addresses defined on the internal NIC of the UAG server.
· If you enable the feature in the UAG Management console without creating the relevant script file, or using incorrect script syntax, or specifying an IP address that is not defined on the internal NIC, the following occurs:
o End users will receive an error page in their browser as follows: "You cannot access this site because a source IP address cannot be bound."
o The UAG Web Monitor displays one of the following errors:
§ Error ID 109: Failed to Get Session IP Address - The SessionSourceIP value cannot be retrieved. (This error usually indicates that your script is missing, or its syntax is incorrect)
§ Error ID 110: Session Source IP Address Invalid - The SessionSourceIP value cannot be used. The "<value specified in the script>" value is not a valid IP address.
§ Error ID 111: Failed to Bind SessionSourceIP - The SessionSourceIP value cannot be bound using the IP address <value specified in the script>. The error code is <error code> and the error message is <error message>.
Ran Dolev | Senior CSS Engineer | Microsoft Unified Access Gateway Team
Rayne Wiselman | Forefront UAG User Assistance Team