
How can I force outgoing ip for specific applications? ForceBindIp doesn't seem to work

I have a dedicated Windows 2012 server with 12 dedicated IPs.

I want to be able to make connections simultaneously from two different IPs that I choose.

This will be used for two different browser applications.

I have tried the following:

    ForceBindIP %IP_ADDRESS% %APP_EXE%

But the IP doesn't change; the browser always displays the lowest IP from my added range.

I have also experimented with a script that removes all the IPs, and then just adds one.

    netsh interface ipv4 delete address "Ethernet" 104.251.111.110
    netsh interface ipv4 delete address "Ethernet" 104.251.111.111
    netsh interface ipv4 delete address "Ethernet" 104.251.111.112
    netsh interface ipv4 delete address "Ethernet" 104.251.111.114
    ....
    netsh interface ipv4 add address "Ethernet" 104.251.111.115 255.255.255.0

This changes the address BUT I end up having only one IP for both applications.

Anonymous asked Oct 17 '22 14:10


2 Answers

If the applications you intend to use don't support binding to interfaces/IPs (true, it's uncommon), you can use SOCKS or Proxy software (which is a lot more common, especially browsers).

For instance you could install WinGate or Squid (http://www.squid-cache.org), which is the one I know best.

Squid-Cache has the ability to bind to different outgoing addresses based on rules (http://www.squid-cache.org/Doc/config/tcp_outgoing_address/).

Basically what you need to do is:

  • Install Squid
  • Add ACLs for loopback IP mapping, such as:

      acl IP110 src 127.0.0.1/32
      acl IP111 src 127.0.0.2/32
      [...]

      tcp_outgoing_address 104.251.111.110 IP110
      tcp_outgoing_address 104.251.111.111 IP111
      [...]

  • And the default, which is just formally needed:

      tcp_outgoing_address 104.251.111.110

Each application will then need to be configured with a Proxy (or SOCKS, if you go that way), which is a configuration option most commonly available. On the proxy configuration set the corresponding local IP:

  • for outgoing connection using IP .111, use proxy on 127.0.0.2
  • for outgoing connection using IP .110, use proxy on 127.0.0.1
  • .. and so on.

Make sure Squid (or WinGate) binds to localhost 127.0.0.1/24, so you shouldn't have big security concerns, but if this is exposed on the internet you may want to proceed to a security assessment anyway.

This way if you decide to offload some application remotely, to another server, you can still manage to use the same outgoing IP(s); you just need to change the Squid configuration to allow external connections, which could be a big plus for scaling.

The Horny Coder answered Oct 21 '22 09:10
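
The mechanism the answer above relies on, as an added example that is not part of the original answer and not Squid's code: a small forwarder picks its outgoing source address from the loopback address the application was pointed at, by binding the upstream socket before connecting. The `OUTGOING` map, the loopback stand-ins for the public IPs and all function names are constructed for the demo, which assumes an OS that answers on all of 127.0.0.0/8 (Linux, Windows).

```python
import socket
import threading

# Constructed mapping: listener address -> outgoing source address. Loopback
# addresses stand in for the server's public IPs so the demo runs offline.
OUTGOING = {"127.0.0.1": "127.0.0.110", "127.0.0.2": "127.0.0.111"}

def _listen(addr):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((addr, 0))          # port 0: let the OS pick a free port
    s.listen()
    return s

def _serve(sock, handler):
    """Run handler(conn, peer) for each accepted connection in a daemon thread."""
    def loop():
        while True:
            conn, peer = sock.accept()
            with conn:
                handler(conn, peer)
    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()

def start_origin():
    """Stand-in for a remote site: replies with the client IP it sees."""
    return _serve(_listen("127.0.0.1"),
                  lambda conn, peer: conn.sendall(peer[0].encode()))

def start_forwarder(listen_ip, origin):
    """Accept on listen_ip and relay the origin's reply, leaving from the mapped IP."""
    def handle(conn, _peer):
        local_ip = conn.getsockname()[0]   # address the client connected to
        source = (OUTGOING[local_ip], 0)   # create_connection bind()s to it first
        with socket.create_connection(origin, timeout=5, source_address=source) as up:
            conn.sendall(up.recv(64))
    return _serve(_listen(listen_ip), handle)

def seen_ip_via(proxy):
    """Return the source IP the origin observed for a request through proxy."""
    with socket.create_connection(proxy, timeout=5) as c:
        return c.recv(64).decode()

if __name__ == "__main__":
    origin = start_origin()
    for ip in OUTGOING:
        print(ip, "->", seen_ip_via(start_forwarder(ip, origin)))
```

An application that cannot bind its own sockets only has to be pointed at a different listener address to leave from a different IP; the binding decision is made in the forwarder.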


It looks like you're searching for a fix involving little rework of the browser applications. Assuming that you're using IIS to serve the applications, you should:

  • Using File Explorer or command line, soft-link the application configuration in another root folder for each instance of the browser application.
  • Using IIS, recreate the application as a site for each of the above browser application folders.
  • Using IIS, bind each instance of the browser application to the IP address you wish to serve it with.

Caveat: It's tempting to use the same app pool for all instances, but evaluate your hardware before! Remember that (depending on the application requirements) you create a single point of failure when using a single app pool. Create separate app pools with identical parameters to reduce this risk.

Renaissanz answered Oct 21 '22 07:10