Jump to content
Welcome to our new Citrix community!

F5 to Netscaler gateway to Radius server - Client IP extraction


Recommended Posts

We have F5 infront of Netscaler gateway( agreed no need of F5 before Netscaler). On Netscaler, the client IP address is showing as F5 IP.

Then on F5 we allowed to send the client IP as X-FORWARDED-FOR header to Netscaler, so the XFF is showing the real client IP.

Now we want the radius server to see the client IP address ( send tunnel endpoint client IP is enabled ), from logs we see that the tunnel endpoint client IP is showing as F5 IP.

Is there any way to have radius server see the real client IP?

Link to comment
Share on other sites

 

The original x-forwarded-for header inserted by the F5 should be passed to the backend service automatically.

IF its not being passed through, then use a rewrite policy to extract the header from the client request and then pass this IP through to a new header on the backend.

NetScaler can do TCP rewrites or HTTP rewrites in this context.  If you get the ADC to do an additional header insert, give it a new name so you don't have duplicate headers and then tell the backend the appropriate header to retrieve for logging purposes.

 

This article compares the F5 irule to the ADC rewrite policy:  https://support.citrix.com/article/CTX218061

For your daisy chain approach, some tweaking might be needed.

But if the F5 inserts the original client ip, that header should carry on through; unless the ADC is already inserting or removing the original x-forwarded-for. 

 

 

 

 

Link to comment
Share on other sites

Got it; if not, the NS can not extract this info and add a second header if needed.  So if the above reference doesn't help you with your own policy, someone around here can help you write one.  If the x-forwarded-for from the F5 is not present when the request reaches the NS, then things are a bit more complicated, because unless its in some other parameter, the NS won't have that value.   So, if the situation is more complex, we might just need more info to get the results you are looking for. 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...