+2 votes

I have deployed Adaxes on an internal network and use a Microsoft AD FS Web Application Proxy to publish the web interface to external networks. After reviewing the Logging in the Adaxes Administration Console, I noticed that the IP address of the Web Application Proxy is captured instead of the real client IP address.

As a result, log entries always take the following form:

Sign in to Web Interface Common Sign In from <IP address of AD FS WAP>

The Installation Guide documents using an "application delivery controller" to make the Web Interface accessible from outside the local network.

I have verified that the AD FS Web Application Proxy is correctly setting the X-Forwarded-For HTTP header, and that IIS is able to capture the X-Forwarded-For header with custom logging after referencing this Microsoft Tech Community article.

Is it possible to configure Adaxes to log the external IP address?

by (40 points)

1 Answer

0 votes
by (270k points)

Hello,

Unfortunately, there is no such possibility.

0

Thank you for the quick answer.

Accurate logging is important for security, compliance, and troubleshooting. The Installation Guide is misleading since it states the following as supported:

If you do not want to install a read-only domain controller and Adaxes Web Interface in the DMZ, but still need to make Web Interface accessible from outside, you can use an application delivery controller (e.g. Citrix NetScaler, Nginx, CloudFare, etc.). For example, the controller can be placed in the DMZ to accept requests from outside and pass them to the Adaxes Web Interface installed in your local network.

Could you please:

  1. Consider this question a feature request for accurate logging
  2. Update the Installation Guide with a warning in the above excerpt so that people will be aware of the logging inaccuracy if they choose that deployment topology
0

Hello,

Thank you for the suggestions, we will consider them.

0

Was this ever implemented?

A common implementation is to only support/trust the header from certain IP addresses (the trusted reverse proxies).

Unfortunately, this feature is needed for any higher security environment using reverse proxy layer-7 web application firewalls, something particularly important to use when using sensitive systems like Adaxes.

–1

Hello,

Unfortunately, the feature is not available in the latest version of Adaxes. However, we are considering it for future releases.
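
The approach raised in the comments above, honouring X-Forwarded-For only when the request arrives from a trusted reverse proxy, is shown here as an added example; it is not part of the thread and is not Adaxes code. The proxy address `10.0.5.10` and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the reverse proxies allowed to set X-Forwarded-For. The address
# is a constructed value standing in for the AD FS Web Application Proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.10/32")]


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def _parse_hop(token):
    """Parse one header entry: 'ip', 'ipv4:port' or '[ipv6]:port'."""
    token = token.strip()
    if token.startswith("["):
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:  # IPv4 with a port appended by the proxy
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def client_ip(peer_addr, xff_header):
    """Return the address to log for a request.

    peer_addr is the TCP source address seen by the web server;
    xff_header is the raw X-Forwarded-For value, or None if absent.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted(peer) or not xff_header:
        return str(peer)  # direct or untrusted sender: the header is ignored
    candidate = peer
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, everything further left was supplied by the client.
    for token in reversed(xff_header.split(",")):
        hop = _parse_hop(token)
        if hop is None:
            break  # malformed entry: keep the last verified address
        candidate = hop
        if not _is_trusted(hop):
            break  # first address that is not ours is the real client
    return str(candidate)
```

Reading the header from the right matters: a client can send its own X-Forwarded-For value, and the proxy appends to it, so the leftmost entry is not reliable for logging.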
