Forum Discussion

Comex_17260's avatar
Icon for Nimbostratus rankNimbostratus
Dec 15, 2011

Preserve client ip (Stealth LB)

Hello Everybody,

I made a search through discussions to see if this subject is covered, and apparently it is not.

I have several applications running on my servers behind my Big-IP 10.2.x LB, and before they were behind LB, they were reading and using client's IP in several manners.

I know i can use x-forwarding-for or any other fields in http header to pass the client ip to the server, but I cannot change my software to adapt the new system.

What I have to do is, if it is possible, make the LB stealth and the server will see the real client's IP address rather than LB's IP address.

Is it possible to assign a new value to client_addr in any context?

P.S. how the client ip address is read in the application is as follows:



Returns the Internet Protocol (IP) address of the client or last proxy that
sent the request. For HTTP servlets, same as the value of the CGI variable

a String containing the IP address of the client that sent the request


Thanks in advance,


3 Replies

  • Hi Comex,



    Is this for IIS only? If so, here's a possible solution:





    Posted By rjordan on 05/06/2011 12:53 PM


    Regarding something simple to attempt, try installing ARR Helper for IIS ( This will rewrite the REMOTE_ADDR value with the X-Forwarded-For value. We've used this when we have to deal with some closed source applications that can't be updated to look at X-Forwarded-For. I don't think it rewrites the source IP in the web logs, though.




    Another option would be to modify the servers to set the default gateway to an LTM self IP and then disable SNAT.





  • Hey Hoolio,


    Thanks for your response.



    although one of the server is IIS, my problem is about the source code as I cannot change it.


    I was trying to assign client ip to LB's local IP when the connection is made from the client to server through LB. I hope that when this is done, the server will see/think that the remote address in https request is client ip rather than LB's IP.



    The servers get IP from the LB, but SNAT is opened because the servers start request to outside (e.g. sending mail)



    If this can be done without changing any other part of my whole network, i am saved.



  • if you cannot change code, i think server has to set f5 as default gateway. then you will be able to disable snat, so server will see real client ip address.