We are rolling out new NAM boxes fronted by a somewhat complicated A10
load balancer deployment. This involved LBs and NAM distributed in
geographically different locations. To make a long story short, we
NEED the true client IP available on both the NAM IDP and AG, and we
also need those IPs logged via the NAM audit logging capabilities (to a
sentinel box). We've tried configuring everything without NAT, and
while yes it's theoretically doable, we've been having no luck getting
it to work right due to our network architecture, so now we're going
back to the drawing board and exploring NAT with X-forwarded-for.

Out of the box, NAM doesn't pass X-forwarded-for to the audit servers
(so the documentation says), and this is a key feature we need. I've
also had issues in the past using X-forwarded-for on AG policies with
"Authorization" policies (things randomly not working as expected; I
think it's a bug). So what I really need is for both the IDP and AG to
convert remote header IP to client IP.

The IDP documentation mentions this exact feature for remote header IP
by enabling a Tomcat module that replaces client IP with
X-forwarded-for. I tested this and it works perfectly, however I can't
find any such work around for the AG. I tried the same setting on the
AG Tomcat server, but it's not working. My guess is since 3.2
introduced Apache in front of Tomcat, this is not going to work. I'm
thinking that the following module would be necessary to make that work
properly: http://httpd.apache.org/docs/trunk/m..._remoteip.html

However, the customized Apache2 server that comes with the AG does not
seem to have this module built in.

Any other thoughts out there?


adamdn01's Profile: https://forums.netiq.com/member.php?userid=2226
View this thread: https://forums.netiq.com/showthread.php?t=50298
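The conversion the post wants on both the IDP and the AG (the Tomcat valve it mentions, presumably RemoteIpValve, or mod_remoteip once Apache sits in front of Tomcat) is the same trusted-proxy walk of X-Forwarded-For, and whether the resulting audit trail can be trusted depends entirely on restricting the trusted list to the load balancers: an X-Forwarded-For value is just a request header, so anyone who can reach the box directly can write whatever they like into it. The block below is an added example written for this page to show that algorithm and its failure modes; it is not NetIQ/NAM code and not the configuration the poster tested. The proxy ranges, addresses, header values and the audit-line format are constructed, and the valve and module names are assumptions about what the post refers to.

```python
"""Trusted-proxy resolution of X-Forwarded-For, the logic that Tomcat's
RemoteIpValve (internalProxies) and Apache's mod_remoteip
(RemoteIPInternalProxy) implement. Added example, not NetIQ/NAM code."""
import ipaddress

# Constructed example: the address ranges of the load balancers that are
# allowed to set X-Forwarded-For. Everything outside these is untrusted.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
]


def parse_ip(text):
    """Return an ip_address for text, or None if it is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(ip, trusted=TRUSTED_PROXIES):
    """True if ip is a valid address inside one of the trusted proxy ranges."""
    addr = parse_ip(ip)
    return addr is not None and any(addr in net for net in trusted)


def resolve_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return (client_ip, proxy_chain).

    remote_addr is the TCP peer address; xff_header is the raw
    X-Forwarded-For value or None. The header is walked right to left:
    each trusted hop is moved into proxy_chain, and the first untrusted
    address is the client. Anything left of that entry was written by an
    untrusted party and is ignored, which is what neutralises a forged
    header that a client prepends before the load balancer appends its own.
    proxy_chain is listed from the client outward.
    """
    # If the peer itself is not a trusted proxy, the header is
    # attacker-supplied and must not influence the client IP at all.
    if not is_trusted(remote_addr, trusted):
        return remote_addr, []

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    proxy_chain = [remote_addr]
    while hops:
        candidate = hops.pop()  # rightmost remaining entry
        if is_trusted(candidate, trusted):
            proxy_chain.append(candidate)
            continue
        if parse_ip(candidate) is None:
            # Malformed entry: keep junk out of the audit log and fall back
            # to the peer address rather than guessing.
            return remote_addr, proxy_chain[::-1]
        return candidate, proxy_chain[::-1]

    # Every hop was a trusted proxy, so nothing identifies a client;
    # keep the peer address instead of trusting an empty or odd header.
    return remote_addr, proxy_chain[::-1]


def audit_line(event, remote_addr, xff_header):
    """Constructed audit-style record: resolved client IP plus the proxy
    chain kept separately (the role RemoteIpValve's proxiesHeader plays)."""
    client, chain = resolve_client_ip(remote_addr, xff_header)
    return f"{event} client={client} via={','.join(chain) or '-'}"


if __name__ == "__main__":
    # Direct hit with a forged header: header ignored, peer IP logged.
    print(audit_line("LOGIN_OK", "203.0.113.5", "1.2.3.4"))
    # Through two load balancers, client prepended a forged entry:
    # the forged 9.9.9.9 is discarded, 198.51.100.7 is the client.
    print(audit_line("LOGIN_OK", "10.1.1.1",
                     "9.9.9.9, 198.51.100.7, 192.168.10.4"))
```

The equivalent settings in the real components are the valve attributes `remoteIpHeader`, `internalProxies` and `proxiesHeader` on `org.apache.catalina.valves.RemoteIpValve` in Tomcat's server.xml, and the `RemoteIPHeader` and `RemoteIPInternalProxy` directives of mod_remoteip in Apache. In both, the trusted list should name only the load balancer addresses; leaving the Tomcat default (which already covers the RFC 1918 ranges) or widening it to "anything" lets any host that can reach the server directly choose the IP that ends up in the Sentinel audit record.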