Forum Discussion
Waylon
Feb 05, 2016 (Nimbostratus)
X-Forwarded-for with SSL Passthrough (no offloading on LTM)
Hi,
Is there a way to get X-forwarded-for working with SSL passthrough (NO offloading)?
I have some system owners who refuse to have any form of "man in the middle" sessions and require the...
Kai_Wilke
Feb 05, 2016 (MVP)
Hi Waylon,
As the previous posters have already mentioned, you can't insert anything into the SSL-protected content without performing MitM.
So you have to use either one of the following approaches...
- A routed approach (Hannes' recommendation) to transparently forward the original client IP to the backend servers.
- An IP-tunneling approach, to tunnel the traffic between your F5 and web servers to avoid intensive changes to your entire routing infrastructure.
- A rather complex NAT4-to-6 construct to hide the original IPv4 in a /96 IPv6 SNAT pool while forwarding the traffic to your backends (to avoid Default-GW dependencies). But in this case your backend infrastructure has to support native IPv6 or ISATAP transition technologies...
Note: I would like to second Hannes' recommendation, by either...
- changing the Default-GW topology of your network to pass through your F5 in the path for 0.0.0.0/0.
- adding an additional VLAN interface directly into the subnets of your web servers and changing just the Default-GW of your web servers.
- implementing certain Route-Maps / PBRs in your network environment, to be able to route just the HTTPS responses from your web servers (based on their SRC-IP and the SRC-Port of :443) through your F5 for internet related traffic (DST-IP:Any).
Cheers, Kai
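To illustrate the NAT4-to-6 option from the reply above: with a /96 IPv6 SNAT pool the backend no longer needs an X-Forwarded-For header, because the original client IPv4 sits in the low 32 bits of the IPv6 source address it sees. The following is an added example, not code from the thread or from F5; it assumes the RFC 6052 well-known prefix 64:ff9b::/96 as the SNAT pool prefix and uses constructed access-log lines.

```python
import ipaddress
import re

# Assumed /96 prefix of the IPv6 SNAT pool (constructed for this example;
# any /96 the F5 admin chooses works the same way).
NAT46_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def embed_ipv4(client_ipv4, prefix=NAT46_PREFIX):
    """Map a client IPv4 into the low 32 bits of the /96 prefix (what the SNAT does)."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT4-to-6 embedding needs a /96 prefix (32 bits left for IPv4)")
    v4 = ipaddress.IPv4Address(client_ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))

def recover_ipv4(src_ipv6, prefix=NAT46_PREFIX):
    """Return the embedded client IPv4 if src_ipv6 comes from the SNAT prefix, else None.

    Only addresses inside the configured prefix are trusted; anything else
    (native IPv6 clients, plain IPv4, garbage) yields None so callers never
    log a fabricated client address.
    """
    try:
        v6 = ipaddress.IPv6Address(src_ipv6)
    except ValueError:
        return None
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

# Common Log Format: the first field is the peer address the web server saw.
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<rest>.*)$")

def enrich_log_line(line, prefix=NAT46_PREFIX):
    """Rewrite the peer field of an access-log line to the real client IPv4 when recoverable."""
    m = LOG_RE.match(line)
    if not m:
        return line
    v4 = recover_ipv4(m.group("src"), prefix)
    if v4 is None:
        return line
    return f"{v4} {m.group('rest')}"

if __name__ == "__main__":
    # Constructed sample log lines as the backend would write them behind the /96 SNAT.
    sample = [
        '64:ff9b::c633:6417 - - [05/Feb/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
        '2001:db8::1 - - [05/Feb/2016:10:00:01 +0000] "GET /x HTTP/1.1" 404 0',
    ]
    for ln in sample:
        print(enrich_log_line(ln))
```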