
Enabling Use Source IP Mode

Sep 01, 2016

When the NetScaler appliance communicates with the physical servers or peer devices, by default, it uses one of its own IP addresses as the source IP. The appliance maintains a pool of mapped IP addresses (MIPs) and subnet IP addresses (SNIPs), and selects an IP address from this pool to use as the source IP address for a connection to the physical server. The decision of whether to select a MIP or a SNIP depends on the subnet in which the physical server resides.

If necessary, you can configure the NetScaler appliance to use the client's IP address as source IP. Some applications need the actual IP address of the client. The following use cases are a few examples:
  • Client's IP address in the web access log is used for billing purposes or usage analysis.
  • Client's IP address is used to determine the country of origin of the client or the originating ISP of the client. For example, many search engines such as Google provide content relevant to the user's location.
  • The application must know the client's IP address to verify that the request is from a trustworthy source.
  • Sometimes, even though an application server does not need the client's IP address, a firewall placed between the application server and the NetScaler may need the client's IP address for filtering the traffic.

Enable Use Source IP (USIP) mode if you want the NetScaler to use the client's IP address for communication with the servers. By default, USIP mode is disabled. USIP mode can be enabled globally on the NetScaler or on a specific service. If you enable it globally, USIP is enabled by default for all subsequently created services. If you enable USIP for a specific service, the client's IP address is used only for the traffic directed to that service.

As an alternative to USIP mode, you have the option of inserting the client's IP address (CIP) in the request header of the server-side connection for an application server that needs the client's IP address.
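When client IP insertion is used instead of USIP, the application server sees a NetScaler owned address as the TCP peer and learns the real client address only from the inserted header, so the backend has to decide when that header can be believed. The following is an added example, not code from the NetScaler documentation or from Citrix: it assumes a constructed set of NetScaler owned addresses and an assumed header name `Client-IP` (the header name is whatever was configured on the appliance), and honours the header only when the request arrived from the appliance, falling back to the peer address in every other case.

```python
import ipaddress
from typing import Mapping

# Constructed for this example: the NetScaler owned addresses (SNIPs / MIPs) that
# can appear as the TCP peer on the server side when USIP is not enabled.
# Placeholder values, not taken from any real deployment.
NETSCALER_OWNED_IPS = {
    ipaddress.ip_address("10.0.0.10"),   # SNIP (placeholder)
    ipaddress.ip_address("10.0.0.11"),   # MIP (placeholder)
}

# Assumed header name for client IP insertion; use the name configured on the appliance.
CIP_HEADER = "Client-IP"


def _header_value(headers: Mapping[str, str], name: str):
    """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def effective_client_ip(peer_ip: str, headers: Mapping[str, str],
                        owned_ips=NETSCALER_OWNED_IPS,
                        cip_header: str = CIP_HEADER) -> str:
    """Return the client address the backend should act on (logging, geo lookup, ACLs).

    The inserted header is trusted only when the TCP peer is one of the appliance's
    own addresses. A connection from any other peer could carry an arbitrary header
    value, so for those the peer address itself is used.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in owned_ips:
        return str(peer)

    value = _header_value(headers, cip_header)
    if value is None:
        return str(peer)

    # The appliance inserts a single address; anything that does not parse is ignored.
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return str(peer)


if __name__ == "__main__":
    # Constructed request metadata: peer address plus headers as the server sees them.
    print(effective_client_ip("10.0.0.10", {"client-ip": "203.0.113.7"}))   # via appliance
    print(effective_client_ip("198.51.100.5", {"Client-IP": "203.0.113.7"}))  # direct peer
```

The same rule applies to whichever header the appliance is configured to insert; the point is that the header is meaningful only on connections that actually came through the NetScaler, which is also why the page recommends USIP where the application must establish that a request came from a trustworthy source.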

In earlier NetScaler releases, USIP mode had the following source-port options for server-side connections:
  • Use the client's port. With this option, connections cannot be reused. For every request from the client, a new connection is made with the physical server.
  • Use proxy port. With this option, connection reuse is possible for all requests from the same client. Before NetScaler release 8.1 this option imposed a limit of 64000 concurrent connections for all server-side connections.

In later NetScaler releases, if USIP is enabled, the default is to use a proxy port for server-side connections and not to reuse connections. Not reusing connections does not necessarily affect the speed of establishing connections.

By default, the Use Proxy Port option is enabled if the USIP mode is enabled.

For more information about the Use Proxy Port option, see "Using the Client Port When Connecting to the Server."

Note: If you enable the USIP mode, it is recommended to enable the Use Proxy Port option.

The following figure shows how the NetScaler uses IP addresses in USIP mode.

Figure 1. IP Addressing in USIP Mode (figure: IP addressing when USIP is enabled)

Recommended Usage

Enable USIP in the following situations:
  • Load balancing of Intrusion Detection System (IDS) servers
  • SMTP load balancing
  • Stateless connection failover
  • Sessionless load balancing
  • If you use the Direct Server Return (DSR) mode
Note: When USIP is enabled, you must set the server's gateway to one of the NetScaler owned IP addresses (either a subnet IP (SNIP) or a mapped IP (MIP)) so that the server's responses always go through the NetScaler appliance. For more information about NetScaler owned IP addresses, see "Configuring NetScaler owned IP addresses."
  • If you enable USIP, set the idle timeout for server connections to a value lower than the default value, so that idle connections are cleared quickly on the server side.
  • For transparent cache redirection, if you enable USIP, enable L2CONN also.
  • Because HTTP connections are not reused when USIP is enabled, a large number of server-side connections may accumulate. Idle server connections can block connections for other clients. Therefore, set limits on the maximum number of connections to a service. Citrix also recommends setting the HTTP server time-out value, for a service on which USIP is enabled, to a value lower than the default, so that idle connections are cleared quickly on the server side.
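The source address selection described at the start of the page (a SNIP or MIP chosen by the server's subnet, or the client's own address once USIP is on) and the return-path requirement in the note above (the server's gateway must be a NetScaler owned IP) are easiest to see together in a small model. The following is an added example, not NetScaler's implementation or Citrix code: it uses a constructed pool of owned addresses with placeholder values, simplifies the selection to "a SNIP on the server's subnet, otherwise a MIP", and reports the deployment check a reviewer would run before enabling USIP on a service.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class OwnedIp:
    address: ipaddress.IPv4Address
    prefix: ipaddress.IPv4Network   # subnet the owned address belongs to
    kind: str                       # "SNIP" or "MIP"


# Constructed pool of NetScaler owned addresses (placeholder values).
OWNED_POOL = [
    OwnedIp(ipaddress.IPv4Address("10.1.0.10"), ipaddress.IPv4Network("10.1.0.0/24"), "SNIP"),
    OwnedIp(ipaddress.IPv4Address("10.2.0.10"), ipaddress.IPv4Network("10.2.0.0/24"), "SNIP"),
    OwnedIp(ipaddress.IPv4Address("192.0.2.10"), ipaddress.IPv4Network("192.0.2.0/24"), "MIP"),
]


def select_source_ip(client_ip: str, server_ip: str, usip_enabled: bool,
                     pool=OWNED_POOL) -> str:
    """Simplified model of the source address on the server-side connection.

    USIP on:  the client's address is used unchanged.
    USIP off: prefer a SNIP whose subnet contains the server, otherwise a MIP.
    """
    if usip_enabled:
        return str(ipaddress.ip_address(client_ip))
    server = ipaddress.IPv4Address(server_ip)
    for owned in pool:
        if owned.kind == "SNIP" and server in owned.prefix:
            return str(owned.address)
    for owned in pool:
        if owned.kind == "MIP":
            return str(owned.address)
    raise LookupError("no NetScaler owned IP available for the server-side connection")


def return_path_via_appliance(server_gateway: str, pool=OWNED_POOL) -> bool:
    """With USIP the server sees the real client address, so its replies must be
    routed back through the appliance: the server's gateway has to be one of the
    NetScaler owned addresses (SNIP or MIP)."""
    gateway = ipaddress.IPv4Address(server_gateway)
    return any(gateway == owned.address for owned in pool)


def usip_deployment_check(client_ip: str, server_ip: str, server_gateway: str,
                          usip_enabled: bool, pool=OWNED_POOL) -> Tuple[str, List[str]]:
    """Return the source address the server will see and any deployment problems."""
    issues: List[str] = []
    source = select_source_ip(client_ip, server_ip, usip_enabled, pool)
    if usip_enabled and not return_path_via_appliance(server_gateway, pool):
        issues.append(
            f"server gateway {server_gateway} is not a NetScaler owned IP; "
            f"replies to {source} would bypass the appliance"
        )
    return source, issues


if __name__ == "__main__":
    # Constructed scenario: client on the Internet, server on 10.2.0.0/24.
    for usip in (False, True):
        print(usip, usip_deployment_check("203.0.113.7", "10.2.0.50", "10.2.0.1", usip))
```

With USIP off the server's gateway does not matter for the return path, because the reply goes to the SNIP or MIP that opened the connection; with USIP on, the same gateway setting becomes a correctness and security problem, since replies addressed to the client would leave the server without passing the appliance.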

To globally enable or disable USIP mode by using the command line interface

At the command prompt, type one of the following commands:

  • enable ns mode USIP
  • disable ns mode USIP

To enable USIP mode for a service by using the command line interface

At the command prompt, type:

set service <name>@ -usip (YES | NO)

Example

set service Service-HTTP-1 -usip YES

To globally enable or disable USIP mode by using the configuration utility

  1. Navigate to System > Settings, and in the Modes and Features group, click Change modes.
  2. Select or clear the Use Source IP option.

To enable USIP mode for a service by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Services, and open a service.
  2. In Advanced Settings, select Traffic Settings, and select Use Source IP Address.