When HTTPS traffic to Encryption Management Server Web Email Protection is routed through a load balancer or proxy, Encryption Management Server will log the IP address of the load balancer or proxy, not the IP address of the originating host.
For example, if a load balancer has the IP address 10.13.12.11 and the Web Email Protection user has the IP address 10.11.12.13, this is what is seen in the Web Email Protection log:2020/05/06 15:45:02 +01:00 INFO pgp/wm: 10.13.12.11 [email protected] Login
Some load balancers and proxies support X-Forwarded-For (or XFF) headers. These are used to identify the originating IP address of the connecting host. The header looks like this in the HTTP packet where 10.11.12.13 is the IP address of the originating host: