Jump to content
Welcome to our new Citrix community!

keeping original source ip instead of subnet ip


Amin Eideh

Recommended Posts

Greetings everybody,

is there a way to Change source IP of requests sent to back-end server through ADC  LB  to its original IP, instead of the SNIP..



Already tried using Use Source IP (USIP),which is mentioned in this article 

Enable Use Source IP Mode | Networking (citrix.com)

 

However  this way, I need to change the Gateway IP of the back-end server to the ADC IP in order for the packets to reach,
but the Gateway IP of the back end servers cant be changed.

Is there another way to do it? using re-write policies for example ? or any other method ?

 

Much Regards

Link to comment
Share on other sites

Hi, 

 

You could sent the Client IP in a custom header, using something like the following method: https://docs.citrix.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-advanced-settings/insert-cip-in-request-hdr.html

 

As long as the backend server is able to log the header, then you should be fine,

 

For TCP based services: https://support.citrix.com/article/CTX205670

 

 

  • Like 1
Link to comment
Share on other sites

If you want an alternate way to pass the client ip to the backend WITHOUT using USIP mode, then the client ip header insertion as noted by Derek is the best way to do it (either by rewrite policy to insert a custom header or http profile or the method for tcp header insertion.)  This would still result in the SNIP in use for ADC to server communication but the app would extract the source ip from the header instead.

 

If you have to provide the client ip at L3 as the source ip of the packet from the ADC to the backend server instead of the SNIP, then you still have to use USIP mode. A rewrite alone cannot fix the network issue affecting the return traffic.  A rewrite policy isn't going to solve a L3 routing decision.

 

Reason (why the backend server's gateway is then usually changed to the SNIP of the ADC):

- If your backend server receives a request from a client's ip instead of the ADC SNIP, then it will attempt to return the traffic directly to the client IP.  The server's own routing either a) will not recognize this destination and be unable to route it and response fails OR  b)will recognize the "client" network and send the request to a router that can route the packet and your response will bypass the ADC.

 

If you aren't changing the default gateway of the server, to guarantee traffic returns to the ADC SNIP for return response processing, you would need the switch/router between the server and the external client ip or ADC snip to use some sort of conditional routing rule to return traffic to the ADC SNIP and distinguish this traffic from other traffic the server might be receiving.  But this rule would usually would not be able to distinguish regular traffic from server to client network (without adc) from those with adc.   So, would your non-adc network components be able to deal with policy based routing or other conditional routing rules that would meet your requirements - this is now a network design question on your backend network and may not be an easy solve.  

  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...