How to preserve the original source client IP using X-Forwarded-For or aFlex?

Product Discussions ADC - Application Delivery
,
1

Hi,

I have done doing the aFlex or X-forwarded-for configurations for A10, but still the SNAT IP of ax1030 seen in the Bluecoat Proxy User IP list. Is configurations also needed on bluecoat to preserve the original source IP?

Btw, here’s my configuration on my A10 SLB

!Current configuration: 6155 bytes
!Configuration last updated at 11:11:01 MYT Wed Jun 13 2018
!Configuration last saved at 11:11:02 MYT Wed Jun 13 2018
!version 2.7.1-P3, build 76 (Nov-06-2013,11:23)
!
ha id 1 set-id 1

vcs enable
vcs vMaster-id 1
vcs config-info 10b2fca7f5fbf456 9390
vcs chassis-id 1

vcs floating-ip 20.20.20.3 /24
vcs multicast-ip 224.0.0.210

vcs device 1
priority 200
interfaces ethernet 6
enable
vcs device 2
priority 150
interfaces ethernet 6
enable
vcs local-device 1
!
hostname A10SLB-1 device 1
hostname A10SLB-2 device 2
clock timezone Asia/Kuala_Lumpur
!
ntp server 170.1.188.112
!
ntp server 170.1.188.117
!

system per-vlan unknown-ucast 5000
enable-def-vlan-l2-forwarding

vlan 1/111
untagged ethernet 1 ethernet 3 to 4
router-interface ve 111
!
vlan 1/112
router-interface ve 112
!
vlan 1/884
untagged ethernet 2
router-interface ve 884
!
vlan 1/905
router-interface ve 905
!
vlan 1/995
router-interface ve 995
!
vlan 2/111
untagged ethernet 1 ethernet 3 to 4
router-interface ve 111
!
vlan 2/123
untagged ethernet 7
!
vlan 2/884
untagged ethernet 2
router-interface ve 884
!
vlan 2/905
router-interface ve 905
!
vlan 2/995
router-interface ve 995
!
!

!

interface management device 1

 ip address 10.130.40.251 255.255.254.0
 ip default-gateway 10.130.40.1

!
interface management device 2

 ip address 10.130.40.252 255.255.254.0
 ip default-gateway 10.130.40.1

flow-control
!
interface ethernet 1/3
disable
!
interface ethernet 1/4
disable
!
interface ethernet 1/6
ip address 20.20.20.1 255.255.255.0
!
interface ethernet 1/7
disable
!
interface ethernet 1/8
disable
!
interface ve 1/111
ip address 170.1.188.140 255.255.0.0
!
interface ve 1/112
disable
!
interface ve 1/884
ip address 192.168.202.253 255.255.254.0
!
interface ve 1/905
disable
!
interface ve 1/995
disable
!
interface ethernet 2/1
speed 1000
duplexity Full
!
interface ethernet 2/3
disable
!
interface ethernet 2/4
disable
!
interface ethernet 2/5
disable
!
interface ethernet 2/6
ip address 20.20.20.2 255.255.255.0
!
interface ethernet 2/7
disable
!
interface ethernet 2/8
disable
!
interface ve 2/111
ip address 170.1.188.139 255.255.0.0
!
interface ve 2/884
ip address 192.168.202.254 255.255.254.0
!
ip route 0.0.0.0 /0 192.168.202.11 device 1
!
ip route 0.0.0.0 /0 192.168.202.11 device 2
!
!
!
!
!
!
!
!
!
!

ha l3-inline-mode
ha group 1 priority 1/100
ha interface ethernet 1 no-heartbeat device 1
ha interface ethernet 2 no-heartbeat device 1
ha interface ethernet 6 device 1
ha conn-mirror ip 20.20.20.1 device 1
!
ha group 1 priority 2/200
ha interface ethernet 1 no-heartbeat device 2
ha interface ethernet 2 no-heartbeat device 2
ha interface ethernet 6 device 2
ha conn-mirror ip 20.20.20.2 device 2
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

ip nat pool SLB-SNAT-IP 192.168.203.25 192.168.203.25 netmask /23  gateway 192.1                                                                                        68.202.11 ha-group-id 1
ip nat pool testnat2 170.1.188.136 170.1.188.136 netmask /16  gateway 170.1.2.3                                                                                         ha-group-id 1

!
!
!
!
!
health monitor tcp_8080
method tcp port 8080
!
health monitor tcp_445
method tcp port 445
!
health monitor FTP
method ftp
!
health monitor HTTP_8080
method http port 8080
!
!
!
!
!
!
!

slb server BLUECOAT-PROXY\_192.168.202.127 192.168.202.127
   health-check tcp\_8080

port 8080 tcp
       health-check tcp_8080
!

slb server BLUECOAT-PROXY\_192.168.202.128 192.168.202.128
   health-check tcp\_8080

port 8080 tcp
       health-check tcp_8080
!

slb server BLUECOAT-PROXY\_170.1.188.133 170.1.188.133
   health-check tcp\_8080
   conn-limit 8000000 no-logging

port 8080 tcp
       health-check tcp_8080
   port 8081 tcp
       health-check ping
   port 8082 tcp
       health-check ping
!

slb server BLUECOAT-PROXY\_192.168.202.252 192.168.202.252
   health-check tcp\_8080

port 8080 tcp
       health-check tcp_8080
!

slb service-group Bluecoat-Proxy-Test-Xforwarder tcp
    health-check tcp\_8080
    member BLUECOAT-PROXY\_170.1.188.133:8080

!

slb service-group BLUECOAT-PROXY-Group tcp
    health-check HTTP\_8080
    member BLUECOAT-PROXY\_170.1.188.133:8080

!
!
slb template tcp default
   insert-client-ip
!
slb template tcp ftp_longidle
   idle-timeout 15000
!
slb template tcp socks_longidle
   idle-timeout 15000
!
slb template tcp insertclient2
   insert-client-ip
!
slb template tcp TEST_TCp
   insert-client-ip
!
!

slb template http X-Forwarded-For
   insert-client-ip X-Forwarded-For

!
slb template http clientip-insert
   insert-client-ip X-Forwarded-For
!
!
slb template persist source-ip sourceip_persistence
!
!
slb template persist destination-ip sticky
   match-type service-group
!
!
slb virtual-server Bluecoat-Proxy-Test-Xforwarder 192.168.203.250
   ha-group 1
   port 8080 http

      name \_192.168.203.250\_TCP\_8080
      source-nat pool SLB-SNAT-IP
      service-group Bluecoat-Proxy-Test-Xforwarder

template http clientip-insert
      aflex X-Forwarded-For
!
!
!
!
!
!
!
!
!
!
!
!

enable-management device 1 service ssh ethernet 1 to 8 ve 905
enable-management device 1 service https ethernet 1 to 8 ve 905
enable-management device 1 service snmp ethernet 1 to 8 ve 905
disable-management device 1 service http management
enable-management device 2 service ssh ethernet 1 to 8 ve 905
enable-management device 2 service https ethernet 1 to 8 ve 905
enable-management device 2 service snmp ethernet 1 to 8 ve 905
disable-management device 2 service http management
!
!
!
!
!
monitor buffer-usage 711760
!
!
!

multi-config enable
enable-core
!
!
!
no terminal auto-size
terminal width 80
terminal length 0
!
end

A10SLB-1-Active-vMaster[1/1]#
Please HELP.

2

Hello,

Yes, indeed, you also need to instruct the Bluecoat to now look for the X-Fowarded-For information rather than use the client IP address as found in the IP headers.

I’m not sure what exact Bluecoat setup you have, but a quick search lead me to this:

Use Effective IP to Determine the Origin IP

Greetings,

Diederik

3

Hi Diederik

Thanks for the link.

Just a quick question for this

“ip_address” specifies the HTTP proxy or load balancer IP address.
Does this mean that i need to define the VIP of the VS or the Source NAT IP?

Regards.

4

The way I understand it is that the “ip_address” identifies what source the packets are coming from and which ones the proxy need to match to apply the rule of looking into the X-Forwarded-For header.

So, if you have setup a particular NAT-IP address on the SLB, you need to put that IP address in there.
You need to put the IP address n there which the Proxy sees in the IP header as source IP address.

5

Hi Diederik,

I already applied that but, result was still the same. I was prompting an error on ProxySG saying:

Error: Expected ‘!’, ‘(’, or a value: ‘<’ cpl.local:45: client.address=<192.168.203.250> \ client.effective_address(“$(request.header.X-Forwarded-For)”)

BR.

6

Well, I think the system is telling you to not use the “<”…
but of course, we are not a Bluecoat forum…

try again with:

client.address=192.168.203.250 \ client.effective_address(“$(request.header.X-Forwarded-For)”)

7 
Still the same :(

Error: Unknown tag: '\\'
cpl.local:44: client.address=192.168.203.250 \\ client.effective\_address(“$(request.header.X-Forwarded-For)”)
8

try removing that tag…

\\ is also often shown if something did not fit on one line...

client.address=192.168.203.250 client.effective\_address(“$(request.header.X-Forwarded-For)”)
9 
With a error as well :(

Error: Unknown tag: 'client.effective\_address'
cpl.local:44: client.address=192.168.203.250 client.effective\_address(“$(request.header.X-Forwarded-For)”)
10

Where are you configuring this?
What version of OS are you running on the Proxy SG?
Have you tried this:

Configure Effective IP Using the VPM

If these BlueCoat options do not seem to work on your BlueCoat system… I suggest you contact BlueCoat support :slight_smile:

11

Yes, I’ve tried doing it on VPM and other ways to apply the script, but nothing happens.

Software Version: SGOS 6.4.6.6 Proxy Edition
Is there any way to show the orignal source client without affecting or configuring X Forwarded For on both devices? Like deployment method?

BR.

12

Ok, first of all… is the setup working?
I see you are redirecting port 8080 traffic to the Proxy, and you have the port type HTTP setup.
So if the traffic flow working? Can clients browse the internet?
Explicit proxy traffic looks like normal HTTP, but, is slightly different, the A10 might actually not be adding the header this might be due to the face the A10 sees it is explicit proxy traffic and not plain HTTP…

If you setup your ProxySG to accept normal HTTP traffic and operate as a transparant proxy, the A10 will see the normal HTTP traffic and can add the header.

This is the setup we normally use:
https://www.a10networks.com/solutions/partner_solutions/blue-coat-systems-partner-solutions

I’m not sure what happens if you just loadbalance the explicit proxy traffic.
I expect the A10 can not alter the header and thus you will always see the NAT IP.

13

Btw, if you are setting up the clients to connect to the A10’s VIP address as explicit proxy address, you can also look into using one of the new features of the A10 CFW.

It supports explicit proxy and can do proxy forwarding toward proxy systems like BlueCoat.

This will require a CFW/CFW License and one fo the latest ACOS versions. I would strongly suggest the latest 4.1.1-P build, or even 4.1.4.

14

Hi Diederik,

Yes, they can browse using the VIP but the problem is that on bluecoat proxy, it only see the Source NAT IP configured on A10, not their original IP.

BR

15

Personally I have never tested adding the X-Forwarded-For header when loadbalancing explicit proxy connections.
Can you trace the traffic between the A10 and BlueCoat to confirm the header is added?
If it is not added, open a case with A10 TAC/Support, they can confirm if it is supported, and if it is supported they can check what is going on on the A10.

If in your traces you see the header is added, then you need to call BlueCoat support and have them figure out why you config does not take it into account.