Configure proxy handling to detect the real client IP
When UserLock is used behind a proxy, reverse proxy, or load balancer, client requests may appear to come from the proxy’s IP address instead of the user’s real public IP. This guide explains how to configure UserLock to correctly detect and record the real client IP address in session tracking and reporting.
By default, UserLock identifies connections by the source IP address of incoming requests.
If these requests pass through a proxy or gateway, the real client IP can be masked.
To resolve this, UserLock supports the X-Forwarded-For HTTP header, commonly used by proxies to forward the original client IP.
This configuration applies to:
UserLock IIS Agent (for web applications such as OWA, RD Web, or SharePoint)
The proxy must be configured to include the X-Forwarded-For HTTP header in requests to preserve the original client IP address.
Without this header, UserLock cannot determine the user’s real source IP.
Follow these steps to enable real client IP detection behind a proxy:
Identify the proxy’s IP address.
This is the address used by the proxy to communicate with the UserLock services (IIS, SSO, or Anywhere).Open the UserLock console.
Go to ⚙️ Server settings ▸ Advanced Settings ▸ General.
Add the proxy IP address to the IIS proxy list.
You can add multiple IPs if several proxies are used.
Ensure the latest HttpModule is deployed on all IIS servers.
Verify that the IIS MFA component is also up to date.
Once configured, UserLock automatically reads the real client IP address from the X-Forwarded-For header and displays it in:
Session tracking and audit reports
Active session monitoring
Connection history and event logs
This helps administrators maintain accurate session visibility and enforce contextual access policies (for example, by IP address or location).