When the SSL proxy makes an upstream connection, <proxy> policy layers are not evaluated. While many policy activities can be performed in an <ssl> layer, reflect_ip cannot.
This is a behavioral trait specific to the SSL Forward Proxy only.
WorkaroundTo work around this limitation, you can use a rule in a <forward> layer to perform the IP reflection.
Note: This applies only to explicit forward proxy deployments, does not apply to HTTPS Reverse proxy or any other application proxy.
You have a virtual IP address (VIP) 10.105.1.29 and have enabled protocol detection for the explicit HTTP service. For HTTP requests, your policy includes a <proxy> layer rule to reflect the VIP address that appears as follows:
As mentioned in the overview for this article, while HTTP requests will match the above rule, an SSL request will not.
To work around this limitation, create a forward layer as follows:
This will produce the desired result, and all traffic will be subjected to IP Reflection.
Explicitly pointing the browser to the proxy VIP, then browsing to a secure website (e.g. https://www.verisign.com), a PCAP will show that the IP is not reflected to the virtual IP, until the forward layer rule is in place.