If you’re contemplating adding an unsupported ISAPI filter to your web server to deal with this problem, STOP!
Use a NetScaler AppExpert policy instead.

Background

Sometimes intermediate proxies and firewalls mask the true source IP address of client TCP/IP connections. But many times it's necessary for the application servers to be aware of the client's true IP address. The X-Forwarded-For (XFF) header is an entry in the HTTP request that solves this problem by identifying the client's true source IP address (and sometimes intermediate devices). The XFF header is put into HTTP requests by intermediate proxy servers that are masking the source IP address of client connections.
<pre>   X-Forwarded-For: client</pre>
Here’s what it looks like in a GET request:

   GET / HTTP/1.1
   Host: www.badstore.net
   User-Agent: Mozilla Firefox/3.0.3
   Accept: text/html,application/xhtml+xml,application/xml
   Accept-Language: en-us,en
   Accept-Encoding: gzip,deflate
   Keep-Alive: 300
   x-forward-for: 192.168.200.3
   Connection: keep-alive

When multiple proxies are in the communication path, each device appends the source IP address it sees to the existing XFF header. Each successive proxy passing a request adds the IP address from which it received the request. This results in the XFF header having multiple IP addresses:
<pre>   X-Forwarded-For: client, proxy1, proxy2</pre>
Sometimes, these multiple IP addresses and additional proxy information cause problems for our web servers.  They may only be expecting to see a single IP address and not know how to deal with the additional information.  This might result in failed logging or even cause an application to crash.

Solution

If multiple IP addresses in the XFF header are causing your applications problems, a NetScaler AppExpert policy can quickly resolve this. The following policy will strip out all but the first value in the comma-delimited list of IP addresses from the XFF:

add rewrite action rw_XFF_strip_extraIPs delete "HTTP.REQ.HEADER(\"x-forward-for\").AFTER_REGEX(re/^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/)"
add rewrite policy rw_XFF_present "HTTP.REQ.HEADER(\"x-forward-for\").EXISTS" rw_XFF_strip_extraIPs
bind lb vserver <vserver_name> -policyName rw_XFF_present -priority 110 -gotoPriorityExpression END -type REQUEST
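
An added example, not part of the original post and not NetScaler code: a Python model of the strip policy's delete-after-match step, run over constructed header values, comparing an octet pattern written with `.` against one written with `[0-9]`. It assumes Python's `re` matches these patterns the same way the NetScaler regex engine does and that a header the pattern does not match is left unchanged.

```python
import re

# Two ways to write the "first IPv4 address" pattern: any character per octet
# position, or digits only.
ANY_CHAR = r"^.{1,3}\..{1,3}\..{1,3}\..{1,3}"
DIGITS = r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"

def strip_after_match(value, pattern):
    """Model of a delete on the text after the regex match.

    Assumption: when the pattern does not match, nothing is selected
    and the header value is passed through unchanged.
    """
    m = re.search(pattern, value)
    return value if m is None else value[:m.end()]

# Constructed sample header values (not captured traffic).
SAMPLES = [
    "192.168.200.3",                        # single address
    "192.168.200.103, 10.0.0.1, 10.0.0.2",  # three-digit last octet
    "192.168.200.3, 10.0.0.1",              # one-digit last octet
    "2001:db8::1, 10.0.0.1",                # IPv6 first entry: no match
]

def compare():
    """Return (original, any-char result, digits-only result) per sample."""
    return [(s, strip_after_match(s, ANY_CHAR), strip_after_match(s, DIGITS))
            for s in SAMPLES]

if __name__ == "__main__":
    for original, any_char, digits in compare():
        print(f"{original!r:40} any-char={any_char!r:24} digits={digits!r}")
```

The value that survives is the leftmost entry, which is whatever the first sender put in the header, so logging and access decisions should treat it as unverified unless every upstream proxy is trusted.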

Removing the additional XFF addresses leaves the client's true IP address in the x-forward-for header field by itself. But be sure to disable XFF header insertion at the service and do it with the rewrite module instead; otherwise you can end up with two XFF headers in the HTTP request. The following rewrite policy will insert the XFF header if it's not already present:

add rewrite action rw_XFF_insert insert_http_header x-forward-for CLIENT.IP.SRC
add rewrite policy rw_XFF_not_present "HTTP.REQ.HEADER(\"x-forward-for\").EXISTS.NOT" rw_XFF_insert
bind lb vserver <vserver_name> -policyName rw_XFF_not_present -priority 120 -gotoPriorityExpression END -type REQUEST
