F5 doesn't pass original IPs

drugstore
All,
  BIG-IP 3600s working perfectly for dozens of servers, and load balancing is going well. But... the only IPs that show up in web server logging belong to the pair of F5s. I would like the F5 to pass the original IP of our customers for many reasons, namely tracking who is hitting our services.

  The setup is fairly traditional: edge router to firewall to F5 to server. I have spoken with F5, who pointed me to this setting:
Main | Local Traffic | Virtual Servers | Profiles | Insert X-Forwarded-For

  That setting was disabled; I enabled it, applied it, and no change resulted.

  I've looked high, low, and all over the F5 web site and will have to call them again, unless you have an idea...
Top Expert 2014
Commented:
The F5, along with most other load balancers, is typically set up as a reverse proxy server, so it does replace the client's IP address with its own.

There are only 2 solutions if you want to see the client's IP address:

1) Do exactly what BIGIP said to do. Check the box to insert X-Forwarded-For. The server will still see the F5's IP address as the source IP address, but there will be an HTTP header, X-Forwarded-For, inserted that will have the client's IP address.

2) Set up the application servers so that they route all traffic through the F5s and then disable SNAT. This will put extra load on the F5s, but this is the only way the application servers actually see the client IP address and the traffic gets sent back to the F5 so that the client sees the VIP IP address. If the outbound traffic from the application bypasses the F5, the source IP address will not be correct and this will cause problems.
Exec Consultant
Distinguished Expert 2018
Commented:
Can check out this link below.

Note the caveats (need to terminate SSL if it exists, multiple headers, and no SNAT).
You may even want to use an iRule to inject that header manually to see if it is working as expected.

http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html?sr=21469582

There is one specific thing to note when using OneConnect profile with a 0-bit mask (0.0.0.0).

http://support.f5.com/kb/en-us/solutions/public/9000/800/sol9816.html?sr=21470362

Author

Commented:
Thank you, experts! I enabled the X-Forwarded-For setting, which you can see in Wireshark with the nifty display filter "http.x_forwarded_for". Then, in the Microsoft IIS web server section of the article referenced by breadtan (SOL4816), there is an IIS ISAPI filter update to IIS Advanced Logging that allows the original IPs to be logged and viewed.
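Resolving the original address on the web server side, as an added example that is not part of this thread or of F5's documentation: a Python function that believes X-Forwarded-For only when the TCP peer is one of the F5s (the two proxy addresses are assumed values), folds the multiple-header case the SOL4816 caveat mentions into one hop list, and takes the value the F5 appended rather than one the client could have sent itself.

```python
import ipaddress
from typing import Optional, Sequence

# Constructed values: the self/SNAT addresses of the F5 pair that the web servers
# see as the TCP peer. Assumption: replace with your own BIG-IP addresses.
TRUSTED_PROXIES = frozenset(
    ipaddress.ip_address(a) for a in ("10.0.0.11", "10.0.0.12")
)


def original_client_ip(peer_ip: str, xff_headers: Sequence[str]) -> Optional[str]:
    """Resolve the original client address for a request that arrived from peer_ip.

    xff_headers is every X-Forwarded-For header value on the request, in order.
    Only the value the trusted F5 appended (the rightmost untrusted hop) is
    believed; anything a client supplied itself sits to its left and is ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        # Not via the F5: the header could be anything the client typed.
        return str(peer)
    # Several X-Forwarded-For headers are equivalent to one comma-separated list.
    hops = [h.strip() for raw in xff_headers for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not log garbage as an address
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return None  # header missing, e.g. Insert X-Forwarded-For not applied


def access_log_line(peer_ip: str, xff_headers: Sequence[str], request: str) -> str:
    """Build a log line that records both the TCP peer and the resolved client."""
    client = original_client_ip(peer_ip, xff_headers) or "-"
    return f'{client} via {peer_ip} "{request}"'


if __name__ == "__main__":
    # Constructed sample requests as the web server would see them behind the F5.
    print(access_log_line("10.0.0.11", ["203.0.113.7"], "GET / HTTP/1.1"))
    # A client that sent its own header: the F5 appends a second one, which wins.
    print(access_log_line("10.0.0.11", ["198.51.100.9", "203.0.113.7"], "GET /a HTTP/1.1"))
```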
