Enable Reflect Client IP on the Edge SWG (ProxySG)
search cancel

Enable Reflect Client IP on the Edge SWG (ProxySG)

book

Article ID: 166397

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

When the Edge SWG (ProxySG) is making outbound connections, you want it to send the IP address of the clients that initiate the requests.

You need to monitor outbound traffic but you are unable to determine the origin due to the Edge SWG (ProxySG) sending it's own IP address as the source. 

Environment

The Reflect Client IP option is only supported in transparent Edge SWG (ProxySG) deployments.

Resolution

By default, the Edge SWG (ProxySG) uses its own IP address as the source IP address for requests (when connecting to servers). If Reflect Client IP is enabled, the Edge SWG (ProxySG) uses the client IP address for all requests. Enabling this option is not an arbitrary decision; it depends on the deployment and role of the Edge SWG (ProxySG). For example, if this Edge SWG (ProxySG) is acting as a branch peer in an Application Delivery Network (ADN) deployment, enable client IP address reflection. This provides maximum visibility for network usage statistics and enables user-based access control to network resources.

However, if you have asymmetric routing from the internet to your client workstations (usually the case in explicit proxy deployment mode), you may not want to enable this setting as it will cause connections to break since the return packets from the server may never reach the Edge SWG (ProxySG).

Enable Reflect Client IP (globally) using the Management Console:

  • Go to Configuration>Proxy Settings>General>Reflect Client IP
  • Check the box for "Reflect the client's source IP when connecting to servers"
  • Click Apply and OK

Configure Reflect Client IP for specific requests using the Visual Policy Manager:

  • Add a Rule on a Web Access Layer 
  • Right-click in the Action field
  • Click Set
  • Click New
  • Select Reflect IP
  • Select the radio button for "Incoming client IP (IP spoofing)" (you can also choose to reflect other IP addresses such as a VIP on the proxy)
  • Click OK in the Reflect IP Object dialog box
  • Click OK  in the Set Action dialog box

  * You can add other criteria to the rule such as destination request URL in order to make it a specific match.
** You will need to install policy for the changes to take effect.

Configure Reflect Client IP (globally) using the command line interface:

ProxySG#configure terminal
ProxySG#(config)general
ProxySG#(config general)reflect-client-ip {enable | disable}

 
 

 

 

Powered by Wolken Software