As CDN networks and Secure Web Gateways grow in practical usage, it becomes even more challenging to preserve the Client-IP all the way through the path to the last leg. We get this question often. We addressed it directly in this 2012 blog post: (/blogs/2012/08/31/using-tcp-options-for-client-ip-insertion/). What we did not cover was the actual implementation of this concept: how one can read the IP address from the incoming TCP Options and insert it into the HTTP header going to the backend server/app.

Using TCP Options To Insert Original Client-IP And Also Preserve It Through The Stream Has Become a Common Use Case

In most cases when NetScaler is deployed as a reverse proxy, it sits close to the server side of the network and hence becomes the last proxy the request passes through. At the backend, the original Client-IP is required for logging, compliance and application purposes. Hence NetScaler is the logical place to retrieve the IP from the TCP options and insert it into the HTTP header going to the backend server/app. Here is an example of a Rewrite policy/action which does exactly that.

add rewrite action Insert_Client_IP insert_http_header X-Forwarded-For "CLIENT.TCP.OPTIONS.TYPE(0x1c).GET_SIGNED32(1, BIG_ENDIAN).TYPECAST_IP_ADDRESS_AT"

add rewrite policy Check_TCP_Options "CLIENT.TCP.OPTIONS.TYPE(0x1c).EXISTS && CLIENT.TCP.OPTIONS.TYPE(0x1c).GET_UNSIGNED8(0).EQ(1)" Insert_Client_IP

Here The Policy Looks For TCP Option "28" (0x1c) And Ensures That The Proxy Version Byte Is "1"

This is the standard way in which we expect the Client-IP to be carried in the TCP Option field: byte 0 of the option holds the proxy version (expected to be 1), and the 32-bit value starting at byte 1 holds the address in big-endian form. Once the policy is hit, the action is invoked, which reads the value from the option field and inserts it in IP address form. Doing this conversion and insertion in the same action is very efficient, and it is only possible with the advanced policy infrastructure framework in NetScaler. The policy can then be bound to the respective vserver or bound globally, depending on the need.
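As an added example that is not from the original post or from NetScaler, the following Python mirrors the same two checks and the same decode (option 0x1c exists, byte 0 equals 1, signed 32-bit big-endian at offset 1 typecast to an IPv4 address) over a raw TCP options field. It assumes the option payload layout implied by the policy expressions above; the option bytes and helper names are constructed for the example.

```python
import ipaddress
import struct

# Layout assumed from the policy expressions on this page:
# kind 0x1c, length, then byte 0 = proxy version, bytes 1..4 = IPv4 big endian.
CLIENT_IP_OPTION_KIND = 0x1C
EXPECTED_VERSION = 1


def parse_tcp_options(options: bytes) -> dict:
    """Walk the TCP options field (kind, length, data) into {kind: data}.
    EOL (kind 0) ends the list; NOP (kind 1) has no length byte."""
    found = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        found[kind] = options[i + 2:i + length]
        i += length
    return found


def client_ip_from_options(options: bytes):
    """Equivalent of the Check_TCP_Options policy plus the Insert_Client_IP action.
    Returns the dotted address to place in X-Forwarded-For, or None when the
    policy would not match (no option, wrong version, or payload too short)."""
    data = parse_tcp_options(options).get(CLIENT_IP_OPTION_KIND)
    if data is None or len(data) < 5 or data[0] != EXPECTED_VERSION:
        return None
    (raw,) = struct.unpack("!i", data[1:5])          # GET_SIGNED32(1, BIG_ENDIAN)
    return str(ipaddress.IPv4Address(raw & 0xFFFFFFFF))  # TYPECAST_IP_ADDRESS_AT


def build_option(ip: str, version: int = EXPECTED_VERSION) -> bytes:
    """Constructed encoder for test input: kind, length (7), version, 4 address bytes."""
    return bytes([CLIENT_IP_OPTION_KIND, 7, version]) + ipaddress.IPv4Address(ip).packed


# Constructed sample options field: MSS option, one NOP, then the client-IP option.
SAMPLE_OPTIONS = bytes([2, 4, 0x05, 0xB4, 1]) + build_option("203.0.113.45")
```

Because any client can set a TCP option itself, the header should only be inserted on connections that arrive from the trusted upstream proxy that populates option 28.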

There are certainly many more examples of complex tasks done in such simple ways through the policies and related infrastructure on NetScaler.