IIS REMOTE_ADDR

Hey,

 

The following was sent from our F5 account engineer. Thoughts on her

 

suggestions?

 

 

In order for the BIG-IP to enhance the performance and security of

 

application traffic, that traffic has to go into and out of the BIG-IP

 

(or any load balancer). If a server that is behind the BIG-IP uses the

 

BIG-IP as its default gateway, then the original client address is

 

retained. The source IP is that of the client and can be used by the

 

server. This is a routed configuration and probably the most common

 

configuration.

 

If a real server does not use the BIG-IP as the gateway, then the only

 

way to get traffic back to the BIG-IP is to use "SNAT". With SNAT, the

 

BIG-IP changes the IP source address of the client to the BIG-IP's

 

address. Then the server will send traffic back to the BIG-IP. The

 

"SNAT" configuration is also very common. Since the original client

 

address is no longer in the packet, a header is inserted, usually the

 

X-Forwarded-For header, that includes the client address. Then the web

 

server runs some code to extract the client IP value. Here is a link to

 

the IIS filter at F5 DevCentral:

 

http://devcentral.f5.com/Default.aspx?tabid=38. The X-Forwarded-For

 

header is a de facto standard and widely used anytime a load balancer is

 

installed.

 

The only other option is to use an "npath" configuration. In this setup,

 

the real server accepts traffic directed to the virtual IP address and

 

the return traffic bypasses the BIG-IP. This requires special setup on

 

the real server and is much less commonly used, since its use eliminates

 

much of the benefit of having an application delivery platform and it is

 

not as easy to support.