Can you explain the following:
If the Direction is "Inbound", how can the following definitions be valid?
Source Address [Type = UnicodeString]: local IP address on which application received the connection.
Destination Address [Type = UnicodeString]: IP address from which connection was received or initiated.
As an example, please look at what I see on a machine with the Citrix service deployed:
Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1148 Application Name: \device\harddiskvolume2\program files (x86)\citrix\licensing\ls\citrix.exe Network Information: Direction: Inbound Source Address: 10.10.10.222 Source Port: 54880 Destination Address: 10.10.10.10 Destination Port: 7279 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Receive/Accept Layer Run-Time ID: 44
This is completely contrary to the above definitions, isn't it?
@And2Devel - Thank you for submitting feedback.
I will get this issue over to the Win10 ITPro writing team for investigation.
Thank you for reporting and making the docs better. Much appreciated.
I made a note to request the team to update this when the work is complete.
Even though I don't know the factual answer, I am guessing that there is some reverse logic involved in auditing compared to regular source/target descriptions for network traffic. I will wait for an authoritative answer to be posted, though.
hello @And2Devel ,
in all "advanced security audit" events, the local IP address is the source IP and the remote IP is the destination; don't you have the same?
in your example, is 10.10.10.222 the address of your local server?
Thank you
@And2Devel - We would like to follow up. Can you please respond to the query of MaratMussabekov?
Thank you.
@MaratMussabekov - No, I have it like this:
Source - remote computer (Citrix client).
Destination - local computer (Citrix server).
And this is correct. What is wrong is the definition of "Source" and "Destination" at Microsoft webpage.
@All: please look at screenshot:

Dear @mypil,
looks like many articles within this section have the same description (I mean "Source Address: local IP address on which application was bind the port" - even for inbound connections). So, the change must be done for all articles, not only for this one... Is it possible to contact the author of those articles?
Thank you
@Dansimp - Can you please share your insights on this issue?
Thank you.
Looking at the quote, "Source Address: local IP address on which application was bind the port",
it looks like there are opportunities to combine the required changes with proofreading too.
Is it possible to contact the author of those articles?
IMHO, whether we can find an author or not is not so important - Microsoft is responsible for this, so anyone who is responsible and capable of CORRECTING these definitions would be enough for it.
@And2Devel - We are coordinating with the author @Dansimp to get his insights. We ask for your patience. Please standby for further updates. Thank you.
@And2Devel @illfated @MaratMussabekov @mypil - I can help you merge on this repo. Please bear with me, as I can tell from reading this thread that everyone is much more expert in this area than I am.

I had to do a quick drawing to try to wrap my brain around it. If I am reading the message of @And2Devel correctly then 10.188.32.7 is both the sender and receiver of the packets in the connection and 10.188.34.190 is the IP address of the filter. Does it sound correct? I agree, it is super confusing on the documentation and can definitely use improvement. Would anyone be willing to submit a Pull Request to help make it clearer? I can guide you on it. I can also do it with your help.

Hello @kenwith,
according to messages from @And2Devel, 10.188.32.7 is a Citrix server where the Windows Filtering Platform is configured and 10.188.34.190 is a Citrix client that connects to 10.188.32.7.
For me, it would be enough to change descriptions for Source Address, Source Port, Destination Address and Destination Port.
For example:
Source Address - IP address from which connection was initiated
Source Port - port number on which connection was initiated
Destination Address - IP address to which connection was attempted
Destination Port - port number on which connection was attempted
or something like this, so the description will be correct for both inbound and outbound directions.
However, the problem is that this change must be done for all articles in the "Advanced security auditing" section that have the same incorrect description.
Thank you
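To make the corrected reading concrete: Source is always the initiating endpoint and Destination the listening one, so the local host is the Destination for Inbound connections and the Source for Outbound ones. The following Python is an added example (not code from this thread or from the docs) that parses the message text of the "Windows Filtering Platform has permitted a connection" audit event and normalizes the fields to local/remote endpoints, which is what you want before correlating these events with other logs. The Inbound sample is the message quoted in this issue; the Outbound sample and the svchost.exe path in it are constructed.

```python
import re
from dataclasses import dataclass

# Sample 1: the Inbound message quoted in this issue (Citrix server 10.10.10.10:7279).
SAMPLE_INBOUND = (
    "The Windows Filtering Platform has permitted a connection. "
    "Application Information: Process ID: 1148 Application Name: "
    "\\device\\harddiskvolume2\\program files (x86)\\citrix\\licensing\\ls\\citrix.exe "
    "Network Information: Direction: Inbound Source Address: 10.10.10.222 Source Port: 54880 "
    "Destination Address: 10.10.10.10 Destination Port: 7279 Protocol: 6 "
    "Filter Information: Filter Run-Time ID: 0 Layer Name: Receive/Accept Layer Run-Time ID: 44"
)
# Sample 2: a constructed Outbound message from the same host (not from the issue).
SAMPLE_OUTBOUND = (
    "The Windows Filtering Platform has permitted a connection. "
    "Application Information: Process ID: 2048 Application Name: "
    "\\device\\harddiskvolume2\\windows\\system32\\svchost.exe "
    "Network Information: Direction: Outbound Source Address: 10.10.10.10 Source Port: 49712 "
    "Destination Address: 10.10.10.50 Destination Port: 443 Protocol: 6 "
    "Filter Information: Filter Run-Time ID: 0 Layer Name: Connect Layer Run-Time ID: 48"
)

# The Network Information block as it appears in the rendered message text.
FIELD_RE = re.compile(
    r"Direction:\s*(?P<direction>\w+)\s+"
    r"Source Address:\s*(?P<src_addr>\S+)\s+Source Port:\s*(?P<src_port>\d+)\s+"
    r"Destination Address:\s*(?P<dst_addr>\S+)\s+Destination Port:\s*(?P<dst_port>\d+)\s+"
    r"Protocol:\s*(?P<proto>\d+)"
)

@dataclass(frozen=True)
class Endpoints:
    direction: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    protocol: int

def normalize(message: str) -> Endpoints:
    """Map Source/Destination to local/remote using the corrected definitions."""
    m = FIELD_RE.search(message)
    if not m:
        raise ValueError("not a WFP connection audit message")
    src = (m["src_addr"], int(m["src_port"]))   # initiator of the connection
    dst = (m["dst_addr"], int(m["dst_port"]))   # endpoint the connection was attempted to
    if m["direction"] == "Inbound":
        local, remote = dst, src   # we are the listener: remote peer initiated
    elif m["direction"] == "Outbound":
        local, remote = src, dst   # we initiated: remote peer is the destination
    else:
        raise ValueError(f"unexpected direction {m['direction']!r}")
    return Endpoints(m["direction"], local[0], local[1], remote[0], remote[1], int(m["proto"]))
```

In production you would read the EventData fields from the event XML rather than regex the rendered message, but the local/remote mapping is the same.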
Since this involves multiple articles I am trying to track down an escalations support engineer to make sure we aren't missing something before we change all of the articles.
What you explained makes sense. I read now in the log that was pasted that the "OriginatingComputer" is the computer that originated the log message. Which is also where the Filtering process and Citrix Server process are running.
So based on what you clarified it is like the below. And if the diagram below is how @And2Devel has the environment setup then I agree the definitions in the article seem backwards:

Just to pitch in with my "2 cents" as well:
Leaving any filter, auditing and applications aside, the description also looks backwards compared to the traditional concept of source & origin when handling port traffic in ordinary firewall management (regardless of hardware or software firewalls).
@illfated - I agree and will get these updated. @MaratMussabekov - let's merge your PR's. Thanks all for this fix!
Glad to hear that.
Please remember to link back to this issue from the PR by using #4692, it will be helpful for visual tracking too.
@illfated I agree that the definite article "the" would be more appropriate, as it is a specific connection, not any connection. I would also certainly go with "the connection was initiated", not "attempted", in this scenario. Hope that helps.
hello @JohanFreelancer9 ,
please have a look now,
thank you
@And2Devel - From our understanding, the issue has been resolved based on the merged commit [2313747]. If you feel it hasn't been resolved, please re-open this issue.
Thank you for your contribution to make the docs better! Much appreciated!
PR #5128 commit hash: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/2313747a2e950a27e316c84b876941fe9c9207f2
(unmodified link usually works best displaying extra info in the Github tooltip)
We are observing the opposite from the documentation on all previous operating systems.
The documentation is now correct, but this is a new behavior for Windows 10 and above that didn't exist in the past. Could you confirm that in Windows 7, 8 and 8.1 the previous documentation that this commit fixed (https://github.com/MicrosoftDocs/windows-itpro-docs/commit/2313747a2e950a27e316c84b876941fe9c9207f2) was actually correct?
I could be very mistaken, but I imagine that most Microsoft employees are finding it less and less interesting or practical to access and use outdated or unsupported versions of Windows these days.
(Disclaimer: I am not employed or affiliated with Microsoft, neither physically nor here on GitHub.)