Enable Reflect Client IP on the ProxySG

Article ID: 166397

Products

ProxySG Software - SGOS

Issue/Introduction

When the ProxySG is making outbound connections, you want it to send the IP address of the clients that initiate the requests.

You need to monitor outbound traffic, but you cannot determine its origin because the ProxySG sends its own IP address as the source.

Environment

The Reflect Client IP option is only supported in transparent ProxySG deployments.

Resolution

By default, the ProxySG uses its own IP address as the source IP address for requests (when connecting to servers). If Reflect Client IP is enabled, the ProxySG uses the client IP address for all requests. Enabling this option is not an arbitrary decision; it depends on the deployment and role of the ProxySG. For example, if this ProxySG is acting as a branch peer in an Application Delivery Network (ADN) deployment, enable client IP address reflection. This provides maximum visibility for network usage statistics and enables user-based access control to network resources.

However, if you have asymmetric routing from the internet to your client workstations (usually the case in explicit proxy deployment mode), you may not want to enable this setting as it will cause connections to break since the return packets from the server may never reach the ProxySG.
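The return-path condition described above can be checked before enabling the option. The following is an added example, not part of the original article or any Broadcom tooling: it models a single return-path router with a constructed route table and reports which client addresses would lose their replies once the client IP is reflected. All addresses, the route table and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: routes on the router that carries server replies back
# toward the clients, as (destination prefix, next hop). Addresses are made up.
RETURN_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),
    ("10.10.0.0/16", "10.0.0.5"),    # client networks routed via the proxy
    ("10.10.20.0/24", "10.0.0.9"),   # more specific route that bypasses the proxy
]
PROXY_IP = "10.0.0.5"  # hypothetical ProxySG interface in the return path


def next_hop(routes, dst):
    """Longest-prefix match: next hop used for packets addressed to dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def return_path_ok(routes, client_ip, proxy_ip, reflect):
    """True if the server's reply is delivered to the proxy.

    Without reflection the reply is addressed to the proxy itself. With
    reflection it is addressed to the client, so it only reaches the proxy
    if the route toward the client uses the proxy as next hop.
    """
    if not reflect:
        return True
    return next_hop(routes, client_ip) == proxy_ip


def clients_that_would_break(routes, clients, proxy_ip):
    """Clients whose connections break once Reflect Client IP is enabled."""
    return [c for c in clients if not return_path_ok(routes, c, proxy_ip, True)]


if __name__ == "__main__":
    sample_clients = ["10.10.1.7", "10.10.20.44"]  # constructed
    print(clients_that_would_break(RETURN_ROUTES, sample_clients, PROXY_IP))
```

Clients reported by this check are candidates for a policy rule that leaves reflection off for them rather than enabling the option globally.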

Enable Reflect Client IP (globally) using the Management Console:

  • Go to Configuration > Proxy Settings > General > Reflect Client IP
  • Check the box for "Reflect the client's source IP when connecting to servers"
  • Click Apply and OK

Configure Reflect Client IP for specific requests using the Visual Policy Manager:

  • Add a Rule on a Web Access Layer 
  • Right-click in the Action field
  • Click Set
  • Click New
  • Select Reflect IP
  • Select the radio button for "Incoming client IP (IP spoofing)" (you can also choose to reflect other IP addresses such as a VIP on the proxy)
  • Click OK in the Reflect IP Object dialog box
  • Click OK in the Set Action dialog box

  * You can add other criteria to the rule, such as the destination request URL, to make it a specific match.
  ** You will need to install policy for the changes to take effect.

Configure Reflect Client IP (globally) using the command line interface:

ProxySG# configure terminal
ProxySG#(config) general
ProxySG#(config general) reflect-client-ip {enable | disable}