Client IP address in TCP option

The Citrix ADC appliance uses many ways to send the client information to the back-end server. One such method is to send the client IP address in a TCP option of the first data packet. The appliance uses the TCP option number configured in the TCP profile if the back-end server uses the TCP option to read the client IP address. The IP address is carried in TCP option number 28 (configurable on the appliance service). The TCP option method includes both Insert and Forward functionality for carrying the client IP address to the back-end server. In the TCP option configuration, the appliance adds TCP option 28 to insert the client IP address and forward it to the back-end server. Following are some of the usage scenarios for TCP option configuration in a Citrix ADC appliance. Multiplexing is disabled if this feature is enabled for traffic coming to the TCP profile. Also, if both nsapimgr and the clientip TCP option in the TCP profile are enabled, the clientip TCP option takes precedence.

Note:

Multiplexing is disabled on the appliance if the Client IP TCP option is enabled for the traffic that comes to the TCP profile.

  • Learning original client IP address
  • Selecting a language for a website
  • Blacklisting selected IP addresses

Following are the two modes of operation:

  • Insert. The appliance adds the client details in the TCP option 28 field (configurable, but 28 is the preferred value) and sends it to the back-end server.
  • Forward. The appliance forwards the client details in TCP option 28 (configurable on the front end of the appliance service). However, the option number at the back end can be modified based on the value configured in the back-end.

Note:

In the case of a TCP or HTTP virtual server, the TCP option number is forwarded in transparent mode with or without this feature enabled.

Limitations

The TCP option configuration feature is not supported with the TFO, MultiPath TCP, and HTTP/2 features.

How TCP option configuration works in a Citrix ADC appliance

The following flow diagrams show how you can configure the TCP option in Citrix ADC appliances for the Insert and Forward operations.

Insert operation

The components interact as follows:

  • A client sends a request to Citrix ADC.
  • In the Citrix ADC appliance, you must create a TCP profile, enable the TCP option feature, and specify the TCP option number. Note: It is advisable to configure the TCP option number as 28 in the TCP profile.
  • In the Insert operation, Citrix ADC inserts the client details in the TCP option 28 bound to the service. The client details are then sent to the back-end server. If the incoming traffic is HTTPS, the client IP address in the TCP option is sent with the SSL client hello message, which is the first data packet at the TCP level.

Forward operation

The components interact as follows:

  • A client sends an HTTP/HTTPS request to Citrix ADC.
  • At the Citrix ADC appliance, in a Forward operation, the TCP option is enabled on the load balancing virtual server or content switching virtual server and also enabled on the service. The appliance receives the client information in the TCP option number specified in the virtual server and forwards it to the back-end server in the TCP option number (configurable in the service) added in the first data packet.
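As an added example (not Citrix code, and not from this page), the following Python shows what a back-end server does with the option the appliance sends in either mode: it walks the TCP options of the first data packet, pulls the address out of the configured option number (28 by default, or whatever number the service profile uses in the Forward case) and honors it only when the TCP peer is one of the appliance's own addresses. The on-wire payload format is an assumption here (a raw 4-byte IPv4 or 16-byte IPv6 address); the function names and the sample header are constructed for this example.

```python
"""Read the client IP that the appliance carries in a TCP option.

Added example, not Citrix code. Assumption: the option payload is the
raw address bytes, 4 for IPv4 or 16 for IPv6; the page does not specify
the on-wire encoding, so adjust if your back-end sees something else.
"""
import ipaddress
import struct

# Option number recommended by the text; the back-end number may differ
# (29 in the Forward example), so every function takes it as a parameter.
DEFAULT_CLIENT_IP_OPTION = 28


def parse_tcp_options(tcp_header: bytes) -> list:
    """Walk the TCP options area and return a list of (kind, payload).

    Handles the single-byte EOL (0) and NOP (1) options and rejects
    truncated or malformed length fields instead of reading past the end.
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("invalid TCP data offset")
    opts = tcp_header[20:data_offset]
    parsed = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # No-operation padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d truncated" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (kind, length))
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return parsed


def client_ip_from_options(tcp_header: bytes, option_number: int = DEFAULT_CLIENT_IP_OPTION):
    """Return the client address found in `option_number`, or None if absent."""
    for kind, payload in parse_tcp_options(tcp_header):
        if kind != option_number:
            continue
        if len(payload) == 4:
            return ipaddress.IPv4Address(payload)
        if len(payload) == 16:
            return ipaddress.IPv6Address(payload)
        raise ValueError("option %d payload of %d bytes is not an IP address" % (kind, len(payload)))
    return None


def honor_client_ip(tcp_header: bytes, peer_ip: str, appliance_ips,
                    option_number: int = DEFAULT_CLIENT_IP_OPTION):
    """Return the carried client IP only when the TCP peer is a known appliance address.

    A TCP option is an unauthenticated header field, so a back-end should
    take the client IP from it only on connections that really come from
    the appliance (its SNIP/MIP); for any other peer this returns None and
    the caller keeps using the peer address.
    """
    trusted = {ipaddress.ip_address(a) for a in appliance_ips}
    if ipaddress.ip_address(peer_ip) not in trusted:
        return None
    return client_ip_from_options(tcp_header, option_number)


def build_tcp_header(src_port: int, dst_port: int, options: bytes) -> bytes:
    """Build a minimal PSH/ACK TCP header carrying `options` (test input only)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary with EOL
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                        data_offset << 4, 0x18, 65535, 0, 0)
    return fixed + options


# Constructed sample: MSS option, a NOP, then option 28 carrying 203.0.113.7
SAMPLE_OPTIONS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x1c\x06" + bytes([203, 0, 113, 7])
SAMPLE_HEADER = build_tcp_header(40000, 80, SAMPLE_OPTIONS)

if __name__ == "__main__":
    print(client_ip_from_options(SAMPLE_HEADER))                      # 203.0.113.7
    print(honor_client_ip(SAMPLE_HEADER, "10.0.0.5", ["10.0.0.5"]))   # 203.0.113.7
    print(honor_client_ip(SAMPLE_HEADER, "192.0.2.9", ["10.0.0.5"]))  # None
```

In the Forward case the back-end reads whatever number is configured in the service profile, so pass that number to `client_ip_from_options` instead of relying on the default 28.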

Configure TCP option for Insert operation

Follow the procedure given below to configure the TCP option in your Citrix ADC appliance.

  1. Add a TCP profile.
  2. Configure the TCP option for the Insert operation.
  3. Bind the TCP profile to the service.

Add a TCP profile

At the command prompt, type:

add tcpprofile <name> -clientIpTcpOption ( ENABLED | DISABLED ) -clientIpTcpOptionNumber <positive_integer>

Example:

add tcpprofile p1

Configure TCP option for Insert operation

At the command prompt, type:

add tcpprofile <name> -clientIpTcpOption ( ENABLED | DISABLED ) -clientIpTcpOptionNumber <positive_integer>

Example:

add tcpprofile p1 -clientIpTcpOption ENABLED -clientIpTcpOptionNumber 28

Add service

At the command prompt, type:

add service <name> <server name> <service type> <port>

Example:

add service service-http1 1.1.1.1 HTTP 80

Bind TCP profile to service

At the command prompt, type:

set service <name> -tcpprofileName <name>

Example:

set service s1 -tcpprofileName p1

Note:

The basic configuration for the service must already be in place.

Configure TCP option for Forward operation

Follow the procedure given below to configure the TCP option in the TCP profile for the Forward operation.

  1. Add a TCP profile with the TCP option number.
  2. Bind the TCP profile to the virtual server.
  3. Bind the TCP profile to the service.

Add TCP profile with TCP option number

At the command prompt, type:

add tcpprofile <name> -clientIpTcpOption ( ENABLED | DISABLED ) -clientIpTcpOptionNumber <positive_integer>

Example:

add tcpprofile p1 -clientIpTcpOption ENABLED -clientIpTcpOptionNumber 29

Bind TCP profile to virtual server (load balancing or content switching)

At the command prompt, type:

set lb vserver <name> -tcpprofileName <name>

Example:

set lb vserver s1 -tcpprofileName p1

Bind TCP profile to service

At the command prompt, type:

set service <name> -tcpprofileName <name>

Example:

set service s1 -tcpprofileName p1

Configure TCP option by using Citrix ADC GUI

  1. Navigate to System > Profiles.
  2. In the TCP Profile tab page, click Add.
  3. In the Configure TCP profile page, configure the following parameters:
     a. clientIptcpoption. TCP option to send or receive the client IP address.
     b. clientiptcpoptionnumber. Configurable TCP option number to receive the client IP address.

    Configure client TCP option

  4. Click OK and Close.