Hi i am trying to setup NAM with cluster and over F5 load balancer.

When i try to connect directly to NAM Risk based authentication is working like it's supposed to, we are getting the correct form.
But when i try to connect through load balancer i get wrong Risk score, because IP address NAM receives is wrong.


I have checked logs and i see that X-Forwarded-For is sent.


What i have done:
- in Risk Based i have enabled NAT settings and Client IP Header name is set to: x-forwarded-for and Client IP Header Parser is set to .*


In logs i can see that X-Forwarded-For is set to 10.1.7.13 and Remote Client IP adress is set to 10.252.252.81 (F5 load balance)
PHP Code:
****** HttpServletRequest Information:
MethodGET
Scheme
https
Context Path
: /nidp
Servlet Path
: /app
Query String
null
Path Info
: /login
Server Name
idp.eti.si
Server Port
443
Content Length
: -1
Content Type
null
Auth Type
null
Request URL
https://idp.company.si/nidp/app/login
Host IP Address10.252.252.79
Remote Client IP Address
10.252.252.81
Cookie
: (0 of 3): JSESSIONID06aca6aa8a620d2d286e4abd39970ba2aa901fcad4288a3de68beee0aee7136f
Cookie
: (1 of 3): UrnNovellNidpClusterMemberId, ~03~02feb~03~14~17hhw~0A~02
   Unobfuscated
UrnNovellNidpClusterMemberId10.252.252.79
Cookie
: (2 of 3): BIGipServerAccessManager1341979658.47873.0000
Header
NamehostValueidp.company.si
Header
Nameuser-agentValueMozilla/5.0 (Windows NT 10.0WOW64rv:66.0Gecko/20100101 Firefox/66.0
Header
NameacceptValuetext/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Header: Name: accept-language, Value: en-US,en;q=0.5
Header: Name: accept-encoding, Value: gzip, br
                                                            
Header: Name: DNT, Value: 1
Header: Name: connection, Value: keep-alive
Header: Name: Upgrade-Insecure-Requests, Value: 1
Header: Name: X-Forwarded-For, Value: 10.1.7.13
Header: Name: Via, Value: 1.1 idp.eti.si (Access Gateway-ag-B4DA5565790A2261-119959) 
Based on Risk log i saw that it's using wrong ip:
PHP Code:
Rule considered for risk scoreCOMPANY-LAN</msg></amLogEntry>
<
amLogEntry seq="327315" d="2019-04-08T12:21:31Z" lg="Application" lv="DEBUG" th="49" ><msg>MethodRiskManager.evaluateRisk
Thread
ajp-bio-127.0.0.1-9019-exec-24
traceList
:    RL~groupName~RBA_Preauth_Kerberos-SK~ruleCount~1~Success~riskScore~30
   RU
~~ETI-LAN~~negateResult~false~exceptionRule~false~result~false~
   
CO~~ clientIP~10.252.252.81~in-range~hidden~parameters~result~false~</msg></amLogEntry

I have noticed this post about this kind of a problem but it's old it's strange that NAM doesn't already support this.
https://www.netiq.com/communities/co...-proxy-server/

Our current NAM version is 4.4.2. Currently i can't upgrade it.

I know i am missing something but i don't know what. If someone can help that would be great, because nothing works what i have tried.

Kind Regards
Sebastjan