
Getting around NetScaler Client IP issues without having to use USIP


If you work with Netscalers, you already know how SNIPs and MIPs work. They are the IPs that communicate with your servers. Every packet from the outside world that passes through the Netscaler will hit your server as though it was coming from this IP. This is the default behavior on a Netscaler.

Unfortunately, if your servers require the client's true IP address, all you will see for every client will be the SNIP or MIP address you are using. Here are a few examples I have personally had to deal with:

– IIS requires the client IP for IIS logs
– IIS requires the client IP for ACL filtering
– Web application requires the client IP for its own logging purposes
– Web application requires the client IP for authentication

Now to get around this for IIS, you can install ISAPI filters and set your Netscaler to use a custom header to store the true client IP address and pass that along with every packet. The ISAPI filter in IIS would look for this particular header and log that instead of the SNIP/MIP. There’s a very nice Client IP extraction ISAPI filter with some great instructions located on this page from Citrix or you can even write your own:

http://support.citrix.com/article/CTX119347

This is great for logging, but sometimes your web application may grab the IP address from web server variables. To return the IP address of the host making the request, the server variable that your ASP, ASP.NET, and PHP code will call is “REMOTE_ADDR”. Unfortunately, REMOTE_ADDR is going to contain your SNIP and not the client IP when the request passes through the Netscaler. The good news is that if you have control of your code, you can make it read the client IP from a different server variable, the one that holds the custom header the Netscaler inserts and your ISAPI filter looks for. So if your code currently uses:

Request.ServerVariables("REMOTE_ADDR")

then switch it to:

Request.ServerVariables("http_client_ip")

where “http_client_ip” is the real client IP address and not the SNIP. Everything will work fine after that.

Here’s a nice snippet of code you can run on your web server and hit from your client browser to see everything the Netscaler is passing to the server:

(***NOTE: I apologize in advance if my website messes up the code block above. If you have issues with it, I will host a .txt file here with the code. Just post a comment below if you need it.)
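The same lookup logic written out as an added example (not code from the original post): it mimics the ServerVariables/$_SERVER lookup from the paragraph above and shows why the inserted header should only be honoured when REMOTE_ADDR is actually one of your SNIPs, since a client that reaches the server without going through the Netscaler could set that header itself. The SNIP addresses, the header name and the sample requests are constructed for the example, and it assumes the Netscaler appends its value to an already-present header rather than replacing it.

```python
import ipaddress

# Constructed for this example: the SNIP/MIP addresses the Netscaler uses to
# talk to the server, and the server-variable name of the header configured
# for Client IP insertion ("Client-IP" becomes HTTP_CLIENT_IP in ASP/PHP).
TRUSTED_NETSCALER_IPS = {"10.0.0.5", "10.0.0.6"}
CLIENT_IP_HEADER = "HTTP_CLIENT_IP"


def resolve_client_ip(server_vars, trusted_ips=TRUSTED_NETSCALER_IPS,
                      header=CLIENT_IP_HEADER):
    """Return the client IP the application should log or filter on.

    server_vars mimics Request.ServerVariables / $_SERVER: REMOTE_ADDR is the
    TCP peer (the SNIP when traffic arrives via the Netscaler) and HTTP_* keys
    are the request headers.
    """
    peer = server_vars.get("REMOTE_ADDR", "")
    # Only trust the inserted header when the peer really is our Netscaler;
    # anyone connecting directly controls the headers they send.
    if peer not in trusted_ips:
        return peer
    raw = server_vars.get(header, "")
    if not raw:
        return peer  # nothing inserted (e.g. Client IP disabled on the service)
    # Assumed appending behaviour: the Netscaler adds its value last, so the
    # final comma-separated entry is the one it contributed.
    candidate = raw.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer  # malformed value: do not feed garbage into logs or ACLs


if __name__ == "__main__":
    # Constructed sample requests: one via the Netscaler, one hitting the
    # server directly with a forged header.
    via_ns = {"REMOTE_ADDR": "10.0.0.5", "HTTP_CLIENT_IP": "203.0.113.7"}
    direct = {"REMOTE_ADDR": "198.51.100.9", "HTTP_CLIENT_IP": "203.0.113.7"}
    print(resolve_client_ip(via_ns))   # 203.0.113.7
    print(resolve_client_ip(direct))   # 198.51.100.9
```

Pass header="HTTP_X_FORWARDED_FOR" if the service group is configured with X-Forwarded-For instead of Client-IP.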

This is all well and good when you have access to the code and can make this change, but what about third-party web apps whose code you cannot modify? Then you have no choice but to use the USIP (Use Source IP) feature on the Netscaler. What this does is pass the client IP straight through the Netscaler to your backend server, so that the SNIP or MIP you are using on your Netscaler is never seen by the server (except for monitor probes from the Netscaler itself, of course). This option is disabled by default. It can be applied to the entire Netscaler or turned on and off per service.

Best practice is to avoid USIP as much as possible. The reason is that enabling it means you lose very important features on the Netscaler such as connection multiplexing and surge protection. It’s always better to use Client IP header insertion instead. In fact, to date I have personally never enabled USIP in any environment I have built.

Here’s an excellent and recent article from Citrix on the pros and cons of using USIP mode:

http://support.citrix.com/article/CTX121974

I hope this helps anyone trying to get around Client IP address related issues. Please feel free to post a comment on your own experiences or suggestions.

About Jason Samuel

Jason Samuel lives in Houston, TX with a primary focus on strategic advisory and architecture of end-user computing, security, enterprise mobility, virtualization, and cloud technologies from Citrix, Microsoft, & VMware. He also has an extensive background in web architecture and networking over his 20+ year career in IT. He is an Author, Speaker, and Local User Group Community Leader. He is certified in several technologies and is 1 of 63 people globally that is a recipient of the prestigious Citrix Technology Professional (CTP) award. He is 1 of 42 people in the world that has been awarded as a VMware EUC Champion and VMware vExpert. He is a featured author on DABCC which provides the latest IT Community News on Cloud, Data Center, Desktop, Mobility, Security, Storage, & Virtualization. In his spare time Jason enjoys writing how-to articles and evangelizing the technologies he works with. Disclaimer: The content and opinions expressed in articles and posts are his own and are by no means associated with his employer.


9 Comments

  1. Eric Smith

    June 6, 2011 at 9:04 AM

    Hi Jason,

    Just curious: Why could you not just enable the Client IP insertion on the load balancing service?

  2. Jason Samuel

    June 14, 2011 at 11:38 PM

    @Eric Smith

    Hi Eric, enabling Client IP is part of the solution. If you just enabled it and did not use the ISAPI filter, IIS would only log the SNIP. You have to instruct IIS to pull the new Client IP that is being inserted by the Netscaler in the custom header. This is where the ISAPI filter comes in to play. It’s a 2 part solution.

  3. Zaher

    December 2, 2011 at 4:20 PM

    How can we do the same thing with weblogic instead of IIS?

  4. Josh

    January 30, 2012 at 12:09 PM

    This post was very helpful. Thanks!

  5. deepti

    July 9, 2013 at 7:05 AM

    hi

    We have an issue with one of our NetScaler VPX. Users at a particular site are unable to access the https site (note, it doesn't work with http as well). We are able to access the site without any issues but users get "IE cannot display the page". Checked all ports and all are open. Ran nstcpdump.sh for the user's machine and port 443. Can see the requests coming from the user's machine to the NS but not going back.
    Please guide.

  6. Kari Ruissalo

    April 13, 2017 at 7:24 AM

    What if I write the REMOTE_ADDR header with NetScaler rewrite onto the response? Like in this article:
    https://support.citrix.com/article/CTX123676

    … slightly modified like this:
    add rewrite action rw_act_insert-http-header_REMOTE_ADDR insert_http_header REMOTE_ADDR CLIENT.IP.SRC
    add rewrite policy rw_act_insert-http-header_REMOTE_ADDR true rw_act_insert-http-header_REMOTE_ADDR
    bind lb vserver vs_ssl_myserver.domain.dom -policyName rw_act_insert-http-header_REMOTE_ADDR -priority 100 -gotoPriorityExpression END -type RESPONSE

  7. Jason

    November 27, 2017 at 1:42 PM

    Hi,

    I am trying to get the client IP to filter out the external and internal users trying to access my site. I get null when I use “http_client_ip” and when I use “Remote_ADDR” I get an IP associated with the NetScaler. I have also used HTTP_X_FORWARDED_FOR and it returns null or empty. The server is in the DMZ and uses Citrix NetScaler. I have tried almost all the server variables available but none of them helped me get the client's real IP.

  8. Kari Ruissalo

    November 30, 2017 at 8:23 AM

    Jason, add the Client IP in the NetScaler Service Group/service. Enter “X-Forwarded-For”. This should send the client IP to the back with the header. So if your backend can identify that field, that should do the trick.

  9. krishna

    July 24, 2018 at 6:43 AM

    Hi Jason,

    Thanks for sharing your knowledge.
    I am struggling to attach the client IP header to backend servers. I have configured x-forwarded-for in the Client IP field of the NetScaler service group and bound it to the virtual server. But I do not have any joy as it is not working. Does your script do anything different from the GUI config which I have done in NetScaler load balancing? How could I run this script on the StoreFront servers which are load balanced behind the VIP? Could you also please send me the script in a txt file?
    Many Thanks,
    Krishna
