Forum Discussion

Comex_17260
Dec 15, 2011

Preserve client ip (Stealth LB)

Hello Everybody,

I made a search through discussions to see if this subject is covered, and apparently it is not.

I have several applications running on my servers behind my Big-IP 10.2.x LB, and before they were behind LB, they were reading and using client's IP in several manners.

I know I can use X-Forwarded-For or any other field in the HTTP header to pass the client IP to the server, but I cannot change my software to adapt to the new system.

What I have to do is, if it is possible, make the LB stealth and the server will see the real client's IP address rather than LB's IP address.

Is it possible to assign a new value to client_addr in any context?

P.S. How the client IP address is read in the application is as follows:

---------------------------------------------------------

Java
getRemoteAddr

Returns the Internet Protocol (IP) address of the client or last proxy that
sent the request. For HTTP servlets, same as the value of the CGI variable
REMOTE_ADDR.

Returns: 
a String containing the IP address of the client that sent the request

---------------------------------------------------------

Thanks in advance,

-Comex

  • Hi Comex,

    Is this for IIS only? If so, here's a possible solution:

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/aff/31/afv/topic/aft/1178815/afc/1227279/Default.aspx

    Posted By rjordan on 05/06/2011 12:53 PM

    Regarding something simple to attempt, try installing ARR Helper for IIS (http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx). This will rewrite the REMOTE_ADDR value with the X-Forwarded-For value. We've used this when we have to deal with some closed source applications that can't be updated to look at X-Forwarded-For. I don't think it rewrites the source IP in the web logs, though.

    Another option would be to modify the servers to set the default gateway to an LTM self IP and then disable SNAT.

    Aaron
  • Hey Hoolio,

    Thanks for your response.

    Although one of the servers is IIS, my problem is about the source code, as I cannot change it.

    I was trying to assign the client IP to the LB's local IP when the connection is made from the client to the server through the LB. I hope that when this is done, the server will see/think that the remote address in the HTTPS request is the client IP rather than the LB's IP.

    The servers get IP from the LB, but SNAT is on because the servers start requests to the outside (e.g. sending mail).

    If this can be done without changing any other part of my whole network, I am saved.

    -Comex
  • If you cannot change the code, I think the server has to set the F5 as its default gateway. Then you will be able to disable SNAT, so the server will see the real client IP address.
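The thread offers two routes: route the servers through the LTM with SNAT off so the real source IP arrives on the wire, or keep SNAT and have something on the server (ARR Helper in Aaron's reply) rewrite REMOTE_ADDR from X-Forwarded-For. Anyone taking the second route should make sure the rewrite only honours the header when the immediate peer is the LB, because X-Forwarded-For is plain client-supplied text and any application that reads the leftmost value will report whatever the client chose. The example below is added here and is not code from this thread, from F5 or from ARR Helper; it shows the naive "first value" rule next to the trusted-proxy rule in Python. The 10.0.0.0/24 proxy range and all sample addresses are constructed placeholders.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed placeholder: the self IPs of the load balancer(s) allowed to set
# X-Forwarded-For. Replace with your LTM's real self IP(s) / SNAT pool.
TRUSTED_PROXIES: List[ipaddress._BaseNetwork] = [ipaddress.ip_network("10.0.0.0/24")]


def is_valid_ip(addr: str) -> bool:
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def is_trusted_proxy(addr: str, trusted: Iterable[ipaddress._BaseNetwork] = TRUSTED_PROXIES) -> bool:
    if not is_valid_ip(addr):
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The weak rule: take the leftmost X-Forwarded-For entry unconditionally.
    A client that sends its own X-Forwarded-For header controls this value."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def effective_client_ip(remote_addr: str, xff: Optional[str],
                        trusted: Iterable[ipaddress._BaseNetwork] = TRUSTED_PROXIES) -> str:
    """The hardened rule.
    1. If the TCP peer is not a trusted proxy, ignore X-Forwarded-For entirely:
       the peer *is* the client (or something we have no reason to believe).
    2. Otherwise walk the header from the right (the hop appended last, i.e. by
       the nearest proxy) and skip every hop that is itself a trusted proxy.
       The first untrusted hop is the client address. Values further left were
       supplied by untrusted parties and are never consulted.
    3. Malformed values fall back to the peer address rather than to a string
       the application might later log or authorise on."""
    trusted = list(trusted)
    if not is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop, trusted):
            continue  # another of our own proxies; keep walking left
        return hop if is_valid_ip(hop) else remote_addr
    # Header empty or made up only of our own proxies: nothing better than the peer.
    return remote_addr


def classify(remote_addr: str, xff: Optional[str]) -> dict:
    """Side-by-side view of what the two rules would hand to the application."""
    return {
        "peer": remote_addr,
        "x_forwarded_for": xff,
        "naive": naive_client_ip(remote_addr, xff),
        "hardened": effective_client_ip(remote_addr, xff),
    }


if __name__ == "__main__":
    # Constructed requests as the backend server would see them.
    samples = [
        # Normal case: LB (10.0.0.5) appended the real client 203.0.113.7.
        ("10.0.0.5", "203.0.113.7"),
        # Client sent its own header "198.51.100.9"; LB appended the true 203.0.113.7.
        ("10.0.0.5", "198.51.100.9, 203.0.113.7"),
        # Request bypassed the LB and hit the server directly with a forged header.
        ("203.0.113.7", "198.51.100.9"),
        # Two of our own proxies in the chain.
        ("10.0.0.5", "198.51.100.9, 10.0.0.6"),
    ]
    for peer, header in samples:
        print(classify(peer, header))
```

The second sample is the one that matters: the naive rule reports the forged 198.51.100.9 while the hardened rule reports 203.0.113.7. The same peer check applies whichever component does the REMOTE_ADDR rewrite; if that component cannot be told which addresses are the LB, the SNAT-off / default-gateway route suggested in the last reply avoids the header altogether.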