Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

June 2016 hotfix for Microsoft Application Request Routing 3.0

View products that this article applies to.


Issue 1

When you use the Microsoft Application Request Routing (ARR) Helper module in conjunction with the X-Forwarded-For: header, an incorrect client IP address is generated on the request object for the web farm worker.

Issue 2

Consider the following scenario:
  • A web farm is configured to forward requests to workers by using HTTPS.
  • ARR uses the SecureConnectionIgnoreFlags registry value.
  • he web farm is configured to perform health checks.
In this scenario, the health check requests fail.

Issue 3

If a web farm is configured to forward requests to workers by using HTTPS, ARR provides no way to validate that the web farm worker returns a specific server certificate.  

↑ Back to the top


These issues occur because of an issue in ARR.

↑ Back to the top

Download information

The following file is available for download from the Microsoft Download Center:

Download Download the ARR 3.0 package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.


To apply this hotfix, you must have Application Request Routing 3.0 (3.0.1750 or a later version) installed.  

Restart requirements

You may have to restart the server after you apply this hotfix.

Hotfix replacement information

This hotfix doesn't replace any previously released hotfix.

File information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). Be aware that dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time bias. The dates and times may also change when you perform certain operations on the files.

For all supported x86-based versions of Application Request Routing 3.0
File nameFile versionFile sizeDateTimePlatform
requestRouter.dll 7.1.1965.0310,51205-16-201621:50x86

For all supported x64-based versions of Application Request Routing 3.0
File nameFile versionFile sizeDateTimePlatform
requestRouter.dll 7.1.1965.0326,89605-16-201621:50x64

↑ Back to the top


Microsoft has confirmed that this is an update in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

After you install this hotfix, the following fixes are made.

Issue 1

This hotfix adds the trustImmediateProxy attribute to the Application Request Routing Helper module configuration settings. TrustImmediateProxy controls whether the server from which the request was received should be automatically added to the trustedProxies list. If it's not otherwise specified, trustImmediateProxy is set to "false."

After you apply this hotfix, the default for the trustUnlisted attribute is changed from "true" to "false."

Sample configuration:
<trustedProxies trustUnlisted="false" trustImmediateProxy="true">
<add ipAddress="" />
<add ipAddress="" />
Issue 2

After you apply this hotfix, Application Request Routing health checks use the SecureConnectionIgnoreFlags setting.

Issue 3

After you apply this hotfix, Application Request Routing supports configuration of a per-web farm collection of SSL server certificate public keys, with optional Algorithm OID strings. This validates the server certificates that are received from web farm workers.

Sample configuration:

<webFarm name="MyServerFarm">
<server address="" enabled="true" />
<server address="" enabled="true" />
<publicKey bytes="112233445566778899AABBCCDDEEFF" algorithmOid="1.2.840.113549.1.1.11" />
<publicKey bytes="AABBCCDDEEFF112233445566778899" />
  • The bytes field is the hex representation of the public key blob of the server certificate, without spaces.
  • AlgorithmOid is the string representation of the Algorithm OID. In the preceding example, 1.2.840.113549.1.1.11 corresponds to SHA256. The algorithmOid is optional. If it's not specified, any algorithm OID is acceptable.

↑ Back to the top


Learn about the terminology that Microsoft uses to describe software updates.

↑ Back to the top

Keywords: kbsurveynew, kbfix, kbexpertiseinter, atdownload, kb

↑ Back to the top

Article Info
Article ID : 3162949
Revision : 1
Created on : 1/7/2017
Published on : 6/6/2016
Exists online : False
Views : 274