Achieving IP Transparency with ZXTM

ZXTM manages network connections from remote clients separately to the network connections to the local server machines. This allows ZXTM much more freedom in how it processes request data, schedules HTTP requests and SSL-decrypts connections. However, one side effect is that the back-end server observes that connections originate from the ZXTM machine, not the remote client.

This article describes several strategies for dealing with this limitation if it proves to be a problem in a particular environment.

Zeus' ZXTM Appliance

Zeus' ZXTM Appliance is capable of manipulating the server-side network packets, so that they appear to originate from the remote client rather than the ZXTM machine. This capability depends on a custom Linux kernel module, and is not available in the current ZXTM software release.

For more details, take a look at the 'IP Transparency' section in the ZXTM User Manual.

IP Transparency in the ZXTM Software

We're currently running a beta programme to test the Linux kernel module from the appliance with the software edition of ZXTM. If you are running ZXTM on Linux and would like to participate in this beta programme, please contact your account manager.

Perform the task in ZXTM

Generally, IP transparency is required because the back-end application performs a task that requires knowledge of the correct source address of the connection. Examples of such tasks include authentication of the source IP address, and connection logging.

In many cases, it's possible to perform this task in ZXTM itself. For example:

  • An SMTP server may perform a DNS lookup to check the IP address against a blacklist. This functionality can be moved into ZXTM, using a TrafficScript rule that performs the DNS lookup and can drop the connection if desired.

  • A Web Server may log connections, and the admin may wish to log the correct source IP address for each request. ZXTM's access logging can be used instead, to log the request on the ZXTM machine.

In addition, when ZXTM manages an HTTP connection, it adds an 'X-Cluster-Client-Ip' header to the request that identifies the true source address. A web-based application that wishes to know the source address of the connection could inspect the value of this header instead.
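An application that reads this header for logging or source-address checks should honour it only on connections that actually arrive from the ZXTM machine, because a client that reaches the back end directly can set the header itself. The Python below is an added example, not Zeus code; the ZXTM addresses, the `client_address` helper and the assumption that the header carries a single IP address are illustrative.

```python
import ipaddress

HEADER = "x-cluster-client-ip"

# Assumption: addresses of the ZXTM machines in front of this back end
# (constructed values from a documentation range).
TRUSTED_ZXTM = [ipaddress.ip_network("192.0.2.10/32"),
                ipaddress.ip_network("192.0.2.11/32")]


def client_address(peer_ip, headers, trusted=TRUSTED_ZXTM):
    """Return the address to use for logging or source-IP checks.

    peer_ip -- source address of the TCP connection as the back end sees it
    headers -- list of (name, value) pairs from the HTTP request
    """
    peer = ipaddress.ip_address(peer_ip)
    # A client that reaches the back end directly can send any header value,
    # so the header only counts when the connection came from ZXTM.
    if not any(peer in net for net in trusted):
        return str(peer)
    values = [v for name, v in headers if name.lower() == HEADER]
    # Missing or repeated header: fall back to the connection's own address.
    if len(values) != 1:
        return str(peer)
    try:
        return str(ipaddress.ip_address(values[0].strip()))
    except ValueError:
        # Not a single valid IPv4/IPv6 address: do not trust it.
        return str(peer)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, request headers)
    samples = [
        ("192.0.2.10", [("X-Cluster-Client-Ip", "203.0.113.7")]),
        ("198.51.100.5", [("X-Cluster-Client-Ip", "10.0.0.1")]),
        ("192.0.2.11", [("X-Cluster-Client-Ip", "not-an-address")]),
    ]
    for peer, hdrs in samples:
        print(peer, "->", client_address(peer, hdrs))
```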

ZXTM Web Server modules

Zeus Web Server automatically trusts the value of the 'X-Cluster-Client-Ip' header and presents the correct source IP address to applications, authentication engines and log modules running within the server.

We have custom modules for Apache, Apache2 and iPlanet/Sun servers that perform the same function. For more details, take a look at the following FAQ articles:

Owen Garrett [Zeus Dev Team], 02 December 2005

Comments:

This public messageboard is not a forum for technical support. To report technical support problems, please contact our dedicated Support team using the instructions at the bottom of this page.

Comment from: Owen Garrett [Zeus Dev Team]
Note: the beta program referred to above has completed; you can obtain the IP Transparency module, fully supported for appropriate Linux kernels from http://knowledgehub.zeus.com/news/2006/04/12/ip_transparency_with_the_zxtm_software
06 October 2006 @ 09:56