IIS Forwarding

NOTE: While you can configure forwarding from any web server, this guide covers the IIS configuration procedure only.

You can create a website in IIS and use it as a proxy for forwarding API requests. This is handy if, for security reasons, you do not want to make the Netwrix Auditor Server host name or address public. In this case, you can create a website with a short and user-friendly name and configure it to forward requests to the server that hosts Netwrix Auditor Server and actually processes RESTful API requests. You can also configure authentication and authorization on the IIS side.

For example, instead of addressing requests to the activity_records/enum endpoint, you can send them to https://enterprisewks/integrationAPI/activity_records/enum.

Configure IIS Forwarding

NOTE: The procedure below applies to IIS 8.5 integrated with Windows Server 2012 R2.

  1. Make sure the Web Server role is installed on your server. Install the following components:

  2. Create an IIS website. To do this, navigate to Start → Windows Administrative Tools (Windows Server 2016 and higher) or Administrative Tools (Windows 2012) → Internet Information Services (IIS) Manager. In the left pane, expand your_computer_name → Sites and select Add Website in the Actions pane. Create a website and configure authentication if necessary.

  3. In your site settings, double-click URL Rewrite and select Add Rule(s).

  4. In the Add Rule(s) dialog, select Reverse Proxy. Select OK when prompted to enable Application Request Routing and proceed further.

  5. In the Add Reverse Proxy Rules dialog that opens, provide a Netwrix Auditor Server host name or IP address.

  6. Edit the newly created inbound rule.

  7. On the Edit Inbound Rule page, complete the following fields and click Apply:

    Option Set to...
    Match URL

    Requested URL

    Matches the Pattern


    Regular Expressions



    NOTE: In this case all requests containing "activity_records" will be forwarded. For example, https://Enterprise/IntegrationAPI/activity_records/enum.

    Ignore case



    Action type


    Rewrite URL


    where host:port is the name or IP address of the computer where Netwrix Auditor Server resides and the port opened for communication.

    For example:{R:1}

    Append query string


    Log rewritten URL


    Stop processing of subsequent rules


Now you can send requests to your website, which forwards them to the proper Netwrix Auditor Integration API endpoints.
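
The inbound rule from step 7 as it would appear in the proxy site's web.config, added here as an example and not taken from the Netwrix documentation. The rule name, the match pattern, the AUDITOR_HOST:PORT placeholder, the https scheme and the enabled options are assumptions; netwrix/api/v1/activity_records/ is the endpoint prefix named on this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.config for the IIS site that fronts Netwrix Auditor Server. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is illustrative.
             patternSyntax="ECMAScript" corresponds to "Regular Expressions".
             stopProcessing corresponds to "Stop processing of subsequent rules"
             (assumed enabled). -->
        <rule name="NetwrixApiForward" patternSyntax="ECMAScript" stopProcessing="true">
          <!-- Requested URL: Matches the Pattern.
               ASSUMED pattern. It is not anchored, so any request path that
               contains "activity_records/" is forwarded, and the part after
               it is captured as {R:1}. Ignore case is assumed enabled. -->
          <match url="activity_records/(.*)" ignoreCase="true" />
          <!-- Action type: Rewrite.
               AUDITOR_HOST:PORT is a placeholder for the computer where
               Netwrix Auditor Server resides and the port opened for
               communication. The https scheme is an assumption.
               Append query string and Log rewritten URL are assumed enabled. -->
          <action type="Rewrite"
                  url="https://AUDITOR_HOST:PORT/netwrix/api/v1/activity_records/{R:1}"
                  appendQueryString="true"
                  logRewrittenUrl="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

URL Rewrite stores site-level rules in the site's web.config; the Application Request Routing proxy setting enabled in step 4 is a server-level setting kept in applicationHost.config.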

Usage Example—Forward Requests

The example below describes how to forward requests to another server.

  1. Configure forwarding as described above.
  2. Retrieve Activity Records from the Audit Database. See Retrieve Activity Records for more information.

    Format Request


    curl enum -u Enterprise\NetwrixUser:NetwrixIsCool


    curl enum?format=json -u Enterprise\NetwrixUser:NetwrixIsCool

  3. The request is automatically forwarded to the endpoint starting with netwrix/api/v1/activity_records/.
  4. Receive the response. Below is an example of a successful GET request. The status is 200 OK. For XML, a response body contains the ActivityRecordList root element with Activity Records and a Continuation mark inside. For JSON, a response body contains the ActivityRecordList array with Activity Records collected in braces {} and a Continuation mark.

    <?xml version="1.0" standalone="yes"?>
    <ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
    <Name>AD Monitoring</Name>
    <DataSource>Active Directory</DataSource>
    <Name>enterprise.local (Domain)</Name>
    <What>\local\enterprise\Users\Jason Smith</What>

    {
      "ActivityRecordList": [
        {
          "Action": "Added",
          "MonitoringPlan": {
            "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
            "Name": "AD Monitoring"
          },
          "DataSource": "Active Directory",
          "Item": {"Name": "enterprise.local (Domain)"},
          "ObjectType": "user",
          "RID": "20160215110503420B9451771F5964A9EAC0A5F35307EA155",
          "What": "\\local\\enterprise\\Users\\Jason Smith",
          "When": "2017-02-14T15:42:34Z",
          "Where": "EnterpriseDC1.enterprise.local",
          "Who": "ENTERPRISE\\Administrator",
          "Workstation": "EnterpriseDC1.enterprise.local"
        }
      ],
      "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"
    }

  5. Continue retrieving Activity Records. See Usage Example—Retrieve All Activity Records for more information.