Enable Use Source IP Mode

When the NetScaler appliance communicates with the physical servers or peer devices, by default, it uses one of its own IP addresses as the source IP. The appliance maintains a pool of subnet IP addresses (SNIPs), and selects an IP address from this pool to use as the source IP address for a connection to the physical server. The decision of selecting a SNIP address depends on the subnet in which the physical server resides.

If necessary, you can configure the NetScaler appliance to use the client’s IP address as source IP. Some applications need the actual IP address of the client. The following use cases are a few examples:

  • Client’s IP address in the web access log is used for billing purposes or usage analysis.
  • Client’s IP address is used to determine the country of origin of the client or the originating ISP of the client. For example, many search engines such as Goggle provide content relevant to the location to which the user belongs.
  • The application must know the client’s IP address to verify that the request is from a trustworthy source.
  • Sometimes, even though an application server does not need the client’s IP address, a firewall placed between the application server and the NetScaler may need the client’s IP address for filtering the traffic.

Enable Use Source IP mode (USIP) mode if you want the NetScaler to use the client’s IP address for communication with the servers.

The following figure shows how the NetScaler uses IP addresses in USIP mode.

IP addressing when USIP is enabled

Before you begin

Before you enable USIP mode, note the following points:

  • Enable USIP in the following situations:
    • Load balancing of Intrusion Detection System (IDS) servers
    • SMTP load balancing
    • Stateless connection failover
    • Sessionless load balancing
    • If you use the Direct Server Return (DSR) mode
  • When USIP is enabled, you must set server’s gateway to one of the NetScaler owned IP addresses (of type Subnet IP (SNIP) so that server’s response always go through the NetScaler appliance.
  • If you enable USIP, set the idle timeout for server connections to a value lower than the default value, so that idle connections are cleared quickly on the server side.
  • For transparent cache redirection, if you enable USIP, enable L2CONN also.
  • Because HTTP connections are not reused when USIP is enabled, a large number of server-side connections may accumulate. Idle server connections can block connections for other clients. Therefore, set limits on maximum number of connections to a service. Citrix also recommends setting the HTTP server time-out value, for a service on which USIP is enabled, to a value lower than the default, so that idle connections are cleared quickly on the server side.
  • As an alternative to USIP mode, you have the option of inserting the client’s IP address (CIP) in the request header of the server-side connection for an application server that needs the client’s IP address.
  • In earlier NetScaler releases, USIP mode had the following source-port options for server-side connections:

    • Use the client’s port. With this option, connections cannot be reused. For every request from the client, a new connection is made with the physical server.
    • Use proxy port. With this option, connection reuse is possible for all requests from the same client.

    In the later NetScaler releases, if USIP is enabled, the default is to use a proxy port for server-side connections and not reuse connections. Not reusing connections may not affect the speed of establishing connections.

    By default, the Use Proxy Port option is enabled if the USIP mode is enabled.

    Note: If you enable the USIP mode, it is recommended to enable the Use Proxy Port option.

    For more information about the Use Proxy Port option, see Configure the source port for server-side connections.

Configuration Steps

Enable Use Source IP mode (USIP) mode if you want NetScaler to use the client’s IP address for communication with the servers. By default, USIP mode is disabled. USIP mode can be enabled globally on the NetScaler or on a specific service. If you enable it globally, USIP is enabled by default for all subsequently created services. If you enable USIP for a specific service, the client’s IP address is used only for the traffic directed to that service.

NetScaler command line procedures

To globally enable or disable USIP mode by using the NetScaler command line:

At the command prompt, type one of the following commands:

  • enable ns mode USIP

  • disable ns mode USIP

To enable USIP mode for a service by using the NetScaler command line:

At the command prompt, type:

set service <name>@ -usip (YES | NO)

Example:

> set service Service-HTTP-1 -usip YES
Done

NetScaler GUI procedures

To globally enable or disable USIP mode by using the NetScaler GUI:

  1. Navigate to System > Settings, in Modes and Features group, click Change Modes.
  2. Select or clear the Use Source IP option.

To enable USIP mode for a service by using the NetScaler GUI:

  1. Navigate to Traffic Management > Load Balancing > Services, and edit a service.
  2. In Advanced Settings, select Service Settings, and select Use Source IP Address.

Enable Use Source IP Mode