When using Symantec Access Gateway, a back-end application may need to know the client IP address in order to perform specific actions.
PRODUCT: Symantec Siteminder
COMPONENT: Access Gateway
VERSION: Any
OPERATING SYSTEM: Any
When user traffic is routed through a load balancer or proxy server, the client IP address changes from the IP of the web browser to the IP of the load balancer or proxy server.
A few steps are required to pass the original client IP address to the back end.
1) The Load Balancer/Proxy in front of Access Gateway must send the 'X-Forwarded-For' header (or any custom header) with the user's IP address.
2) Configure the ProxyDefinition ACO Parameter
Specifies the IP addresses of a list of trusted proxies in a network. The agent uses the value of ProxyDefinition along with other ACO parameters such as CustomIpHeader to determine whether a request originates from a user directly or from a proxy server. If you define the value of ProxyDefinition, the agent expects all requests coming from a proxy to have an IP address that can be found in the ProxyDefinition list. If a request includes an IP address that cannot be found in the list, the agent does not consult the CustomIpHeader list to resolve the client IP address for the request and leaves the client IP address unresolved.
ProxyDefinition=<Load Balancer IP's>
3) Configure the CustomIpHeader ACO Parameter
Specifies an HTTP header for which the agent searches to find the IP address of the requestor. If no value is specified for this parameter, the default is an empty string. No maximum length is enforced and the value can be any string that contains a valid HTTP header value.
CustomIpHeader=X-Forwarded-For
[Resolved Client IP address '192.168.0.123' from header 'X-Forwarded-For'.]
At this point, the backend server needs to read the "X-Forwarded-For" header and use that as the user's IP address.
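As an added example (not from the original article or from the product), one way a backend can read the header in Python: it accepts X-Forwarded-For only when the connection comes from a trusted proxy, following the same trust rule that ProxyDefinition applies in step 2. The function names and the addresses in TRUSTED_PROXIES are assumptions made for the example.

```python
import ipaddress

# Constructed sample values (assumption): the Access Gateway / load balancer
# addresses this backend accepts a forwarded header from.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.10/32", "10.0.1.0/24")]


def is_trusted(addr):
    """True when addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, headers, header_name="X-Forwarded-For"):
    """Return the client IP as a string, or None when it cannot be resolved.

    peer_ip is the address of the TCP connection; headers is a dict of
    request headers. Both names are hypothetical, chosen for this example.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        # Not from a trusted proxy: ignore the header, which the sender controls.
        return str(peer)

    # HTTP header names are case-insensitive.
    wanted = header_name.lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if not value:
        return None

    # Each proxy appends the address it received the request from, so walk
    # from the right and stop at the first hop that is not a trusted proxy.
    for entry in reversed(value.split(",")):
        try:
            hop = ipaddress.ip_address(entry.strip())
        except ValueError:
            return None  # malformed entry: leave unresolved rather than guess
        if not is_trusted(hop):
            return str(hop)
    return None  # every listed hop is a trusted proxy


if __name__ == "__main__":
    # Constructed request: the gateway at 10.0.0.10 forwards a client address.
    print(resolve_client_ip("10.0.0.10", {"X-Forwarded-For": "192.168.0.123"}))
```

Values to the left of the first untrusted hop can be set by the client, so the function never returns them.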