---
locale: "en"
updated_at: "2025-11-04T13:13:59.398Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/guides/configuration/configure-proxy-handling-to-detect-the-real-client-ip"
---

# Configure proxy handling to detect the real client IP

Detect the real client IP behind a proxy.

## Overview

By default, UserLock identifies connections by the source IP address of incoming requests.
If these requests pass through a proxy or gateway, the real client IP can be masked.
To resolve this, UserLock supports the **X-Forwarded-For** HTTP header, commonly used by proxies to forward the original client IP.

This configuration applies to:

- [UserLock IIS Agent](/userlock/docs/guides/deploying-agents/iis-agent) (for web applications such as OWA, RD Web, or SharePoint)
- [UserLock Single Sign-On (SSO)](/userlock/docs/reference/modules/sso)
- [UserLock Anywhere](/userlock/docs/reference/modules/userlock-anywhere)

## Prerequisites

The proxy must be configured to include the[ X-Forwarded-For HTTP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-For) header in requests to preserve the original client IP address.

Without this header, UserLock cannot determine the user’s real source IP.

## Procedure

Follow these steps to enable real client IP detection behind a proxy:

1. **Identify the proxy’s IP address.**
This is the address used by the proxy to communicate with the UserLock services (IIS, SSO, or Anywhere).
2. **Open the UserLock console.**
3. Go to ⚙ **Server settings ▸ Advanced Settings ▸ General.**
4. **Add the proxy IP address** to the **IIS proxy list**.
  - You can add multiple IPs if several proxies are used.
5. **Ensure the latest HttpModule is deployed** on all IIS servers.
6. **Verify that the IIS MFA component** is also up to date.

## Result

Once configured, UserLock automatically reads the real client IP address from the **X-Forwarded-For** header and displays it in:

- Session tracking and audit reports
- Active session monitoring
- Connection history and event logs

This helps administrators maintain accurate session visibility and enforce contextual access policies (for example, by IP address or location).
