Translate destination IP address of a request to origin IP address

You can configure the forward proxy cache redirection virtual server on the Citrix ADC appliance to translate the destination IP address of the request landing on the cache redirection virtual server to the origin server IP address. This translation occurs irrespective of whether the request is sent to the cached servers or the origin server. Previously, forward proxy cache redirection virtual server in service provider environment could not be effectively used to send traffic across firewall because of the limitations in cache redirection using content switching policies. The cache redirection virtual server did not translate the origin IP address into the destination IP when the packet was sent to cache. The destination IP address was that of the origin server only when the requests were served from cached server. Use case: In a deployment that has Citrix ADC appliance configured for forward proxy cache redirection, firewall, and reused client IP addresses, firewall cannot distinguish/use the reused IP addresses. Therefore, these reused IP addresses must be translated to different IP addresses. To translate the reused IP addresses, the Citrix ADC appliance must perform the following:

1. Query a DNS load balancing virtual server for resolution of the destination. 2. Update the origin IP address and port number in the destination. 3. Send the request back to the firewall.

Consider the following deployment that has a Citrix ADC appliance configured for forward proxy cache redirection, firewall, two routers (Router 1 and Router 2). Network traffic flows to Internet 1 through Router 1 and to Internet 2 through Router 2 respectively.

localized image

In this example, input requests from clients come from two different VLANs, VLAN11 or VLAN12. The client IP address (10.0.0.0) is reused. Based on the cache redirection and content switching policies, the request can go directly to the origin server or to the firewall.

  • If the request has to bypass the firewall and go to the internet, then based on the input request VLAN, either Router 1 or Router 2 is selected and the request is sent to Internet 1 or Internet 2.

  • If the request has to go through the firewall, then the source IP of the request must be translated to specific IP address. The translated IP address can be used to identify the VLAN through which request has come. For example, if the input request is coming from VLAN11, then the source IP address is translated to 11.x.x.x. If the request is coming from VLAN12, then the source IP address is translated to 12.x.x.x.

After the firewall processes the request, the request is sent back to the appliance. Using the combination of listen policy and net profiles, the appliance then translates the source IP address back to the original IP address and sends the request to Router 1 or Router 2 based on the input VLAN ID. Note: The mode of the load balancing virtual server that is bound to the cache must always be set to MAC mode. Though IP mode for this feature is not blocked, setting to IP mode leads to unexpected behavior.

To translate the destination IP address and port number of the request to origin IP address by using the CLI

At the command prompt, type;

set cr vserver <vsname> -useoriginIpPortForCache <YES|NO>

Example:

set cr vserver cvsrv1 -useoriginIpPortForCache YES

When useoriginIpPortForCache is set to Yes and if the request must be served from the cached servers, then the request’s destination IP is translated to the origin server IP address.

Note: If useoriginIpPortForCache is enabled, always set the load balancing virtual server that is bound to the cache to MAC mode.

To translate the destination IP address and port of the request to origin IP address by using the GUI

1. Navigate to Traffic Management > Cache Redirection > Virtual Servers and click Add.

2. Specify the details of the cache redirection virtual server.

3. Select Use Origin IP Port for cache to enable translation of the destination IP address of the request to origin IP address.

4. Click OK.