Forward Client IP Through Load Balancer to Protection Engine

Article ID: 175721

Updated On:

Products

Protection Engine for Cloud Services

Issue/Introduction

  • Connector uses ICAP
  • Load Balancer is in place
  • Protection Engine logs show the load balancer's IP as the source IP instead of the connector's IP; the logs need to show the connector IP

Resolution

There is a custom ICAP header, "X-Client-IP", that can be passed with the ICAP request.
Format: X-Client-IP: xx.xxx.xxx.xx
A sample ICAP request for scanning an EICAR test file, followed by the Protection Engine response, is given below:

RESPMOD icap://10.xxx.xxx.xx:1344/SYMCScanRespEx-AV ICAP/1.0
Host: 10.xxx.xxx.xx:1344
Connection: close
X-Client-IP: 10.xxx.xxx.xx
Encapsulated: req-hdr=0, res-hdr=52, res-body=71

get eicar.com HTTP/1.1
Host:icheck.symantec.com

HTTP/1.1 200 OK

44
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
0

ICAP/1.0 201 Created
ISTag: "BA0F7638F0DE3FDECA794A84472C631A"
Date: Thu Jul 25 08:21:00 2019 GMT
Service: Symantec Protection Engine/8.0.0.56
Service-ID: SYMCSCANRESPEX-AV
X-Violations-Found: 1
	eicar.com
	EICAR Test String| ViralThreat=Virus| SubCategoryID=0| 
UberCategories=Malware| CumulativeRiskRating=High| PerformanceImpact=High| 
PrivacyImpact=High| EaseOfRemoval=High| Stealth=High
	11101
	2
X-Outer-Container-Is-Mime: 0
Encapsulated: res-hdr=0, res-body=83

HTTP/1.1 200 OK
Content-Length: 257
Pragma: no-cache
Content-Type: text/html

101
<html><title>Content Blocked Notice</title>The content you just requested 
contains EICAR Test String and was blocked by the Symantec Protection Engine 
based on local administrator settings.  Contact your local administrator for 
further information.</html>

0
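
An added example (not code from the original article or from the Protection Engine product) of how a connector could build the RESPMOD request above with the X-Client-IP header. It parses the address before writing it into the header, so a value containing CR/LF or extra text cannot add further ICAP headers, and it computes the Encapsulated offsets rather than hard-coding them. The function name build_respmod, the 192.0.2.x and 198.51.100.x addresses, and the "hello" body are constructed for illustration.

```python
import ipaddress

def build_respmod(icap_host, service, client_ip, http_req_hdr, http_res_hdr, body):
    """Return a RESPMOD message (bytes) that carries X-Client-IP.

    build_respmod is a hypothetical helper name, not a product API.
    """
    # Parse first: anything that is not a single IPv4/IPv6 address
    # (including embedded CR/LF) raises ValueError and is never sent.
    ip = ipaddress.ip_address(client_ip)

    # Encapsulated offsets are byte positions inside the encapsulated part:
    # request headers start at 0, response headers follow, then the body.
    res_hdr_off = len(http_req_hdr)
    res_body_off = res_hdr_off + len(http_res_hdr)

    icap_hdr = (
        f"RESPMOD icap://{icap_host}/{service} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        "Connection: close\r\n"
        f"X-Client-IP: {ip}\r\n"
        f"Encapsulated: req-hdr=0, res-hdr={res_hdr_off}, res-body={res_body_off}\r\n"
        "\r\n"
    ).encode("ascii")

    # The body uses chunked encoding: hex length, data, then a zero chunk.
    chunk = b"%x\r\n" % len(body) + body + b"\r\n" if body else b""
    return icap_hdr + http_req_hdr + http_res_hdr + chunk + b"0\r\n\r\n"

# Constructed sample input; the HTTP header blocks have the same byte
# lengths as the article's sample, so the offsets come out as 52 and 71.
REQ_HDR = b"GET eicar.com HTTP/1.1\r\nHost:icheck.symantec.com\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\n\r\n"

def sample_request():
    """Build the request for a constructed connector address."""
    return build_respmod("192.0.2.20:1344", "SYMCScanRespEx-AV",
                         "198.51.100.7", REQ_HDR, RES_HDR, b"hello")

if __name__ == "__main__":
    print(sample_request().decode("ascii"))
```
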