
3/5/2020 How to Enable Client IP in TCP/IP Option of NetScaler


CTX205670

How to Enable Client IP in TCP/IP Option of NetScaler


Article | Configuration | 15 found this helpful | Created: 20 Jan 2016 | Modified: 24 Sep 2018

Applicable Products
NetScaler 10.5, NetScaler 11.0

Objective
This article describes how to enable client IP in TCP/IP option of NetScaler.

Background

Many customers use the NetScaler as a centralized resource to perform load balancing for many applications in large data
centers. When the NetScaler application switch is deployed at Layer 3 or above, it is set up as a proxy because many servers sit
across an L3 network. Operating as a proxy in such environments causes the client's source IP to be lost, so the client's
connection information must instead be inserted as part of the initial data stream.

For HTTP and SSL services this is done by inserting the client IP address as an HTTP header on the request to the server. Inserting
a client IP address header is not possible for TCP-based services, so TCP header insertion is used as an alternative.

This feature solves that drawback. After the three-way handshake with the server, a single packet of additional data is sent to the
server. This data is prepended with the 32-bit binary representation of the value entered as the CIP header (the magic number),
followed by the complete TCP/IP header of the packet that caused the back-end connection to be established. The copy runs from
the start of the IP header to the end of the TCP header, including IPv6 extension headers, IPv4 options, and TCP options as
appropriate. The application must therefore include parsing logic that reads the correct fields.

Note that this feature does not work on HTTP load balancing virtual server/service.

The NetScaler sends an extra packet to the server side containing the following information:

Variable length: client-side session information, a copy (header only) of the final acknowledgement packet used in the client-side
connection establishment.
IPv6: the basic IPv6 header is copied to the server side as is. The NetScaler does not have a dual IPv6 stack; it converts the IPv6
packet to IPv4 at Layer 3, the upper layers process the packet, and the packet is then translated from IPv4 back to IPv6. While
converting the original IPv6 header to IPv4 for TCP-level proxying, all extension headers are ignored. For TCP CIP, however, the
original IPv6 basic header is copied and forwarded to the server side.

Screen shots of sample trace


Note: In SSL_BRIDGE, the NetScaler TCP stack does not proxy the final handshake packet from the client to the server side. On the
final ACK, the protocol control block (PCB, the TCP session structure) is not yet created on the NetScaler. This is because the
NetScaler knows it is an SSL protocol and the client has to send the first data packet (the SSL Client Hello); only then is a PCB
allocated on the NetScaler for the client-side connection, and the IP+TCP header stored from this Client Hello packet is forwarded to
the server side as the client-side information. So if the Client Hello is, say, 265 bytes, the copied IP header will show a length of 265 bytes.

In our Lab we successfully tested this feature for the following services:

TCP service
SSL_BRIDGE service
SSL_TCP service

Instructions
Complete the following steps to enable client IP in TCP/IP option of NetScaler:

1. Go to the CLI of the NetScaler and type:

set ns param -tcpCIP ENABLED

2. Name the service that needs the header to be inserted. The magic number only supports numeric values, so provide only
numbers here; otherwise it will not work.

set service <service name> -cip ENABLED <magic number>

For example: set service farhan -cip ENABLED 1234

3. Make sure the service is of type TCP, SSL_BRIDGE, or SSL_TCP. The feature is not supported for HTTP load balancing virtual servers/services.

4. Verify the settings through the GUI. Navigate to System > Setting > Change Global System Settings and make sure that "Client TCP/IP
header insertion in TCP payload" is enabled.


5. On the service, CIP is enabled and the magic number is given in numeric format.
Note: The magic number does not support letters or symbols.

6. Make sure the service is not of HTTP type, as the feature does not work for HTTP-type services or load balancing virtual servers.

Testing the Configuration

Send a request to the load balancing virtual server; the virtual server passes it to the service, and we will see the three-way
handshake with the backend server (10.104.23.149 is the backend in our case); my client, with which I tested, was 10.103.6.30.

1. After the three-way handshake you will see one more ACK packet, just after the ACK of the three-way handshake, sent by the SNIP
(10.104.23.132) to the backend server (10.104.23.149). It carries a payload; here it shows a length of 52.

2. Select the TCP header and it will show the highlighted part.

After this you will see, in hex format, the string 000004d20000003400010028...

These are the values of the new header that the NetScaler sends in the TCP data. The fields are as follows:
00 00 04 d2 is 1234 (the magic number we configured) in hex
Next 4 bytes, 00 00 00 34, is the header length, i.e. 52
Next 2 bytes, 00 01, is the TYPE for CIP
Next 2 bytes, 00 28, is the CIP header size, i.e. 40

3. After the highlighted part, find the first occurrence of 00 28, which is the CIP header size.

4. From this 00 28, move right past the next 12 hex bytes (the IPv4 header fields that precede the source address).


5. The next 4 bytes after these, 0a 67 06 1e, are our client IP address, 10.103.6.30.

6. Now go to any hex-to-IP converter site, give it these values and convert them; it will show the actual client IP, which is
10.103.6.30 in my case.

7. So the NetScaler sends the client IP in the TCP data. The backend server must be configured properly to understand it and
extract the client IP value from the TCP header.
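A backend-side parser for the payload layout listed under step 2 and needed by the server in step 7, as an added example that is not Citrix's code: it assumes the 12-byte prefix (magic, length, type, CIP size) followed by the copied IP+TCP header exactly as the trace above shows, checks every length before trusting the block, and the sample bytes are constructed (client source 10.103.6.30 from the article; destination address, ports and checksum made up).

```python
import ipaddress
import struct

# Layout from the article: 4-byte magic, 4-byte total length, 2-byte type
# (1 = CIP), 2-byte CIP header size, then a copy of the client IP + TCP headers.
PREFIX = struct.Struct("!IIHH")
CIP_TYPE = 1

def parse_tcp_cip(payload: bytes, expected_magic: int) -> dict:
    """Return the client's address from a NetScaler CIP block, or raise ValueError."""
    if len(payload) < PREFIX.size:
        raise ValueError("payload shorter than CIP prefix")
    magic, total_len, ctype, cip_len = PREFIX.unpack_from(payload)
    if magic != expected_magic:
        raise ValueError(f"magic 0x{magic:08x} != configured magic number")
    if ctype != CIP_TYPE:
        raise ValueError(f"unexpected CIP type {ctype}")
    if total_len != PREFIX.size + cip_len or len(payload) < total_len:
        raise ValueError("length fields inconsistent with payload")
    hdr = payload[PREFIX.size:total_len]
    version = hdr[0] >> 4
    if version == 4:
        ihl = (hdr[0] & 0x0F) * 4          # honour IPv4 options if present
        if ihl < 20 or len(hdr) < ihl + 4:
            raise ValueError("truncated IPv4 header")
        src, tcp = ipaddress.IPv4Address(hdr[12:16]), hdr[ihl:]
    elif version == 6:
        # The article says only the basic 40-byte IPv6 header is copied.
        if len(hdr) < 44:
            raise ValueError("truncated IPv6 header")
        src, tcp = ipaddress.IPv6Address(hdr[8:24]), hdr[40:]
    else:
        raise ValueError(f"unknown IP version {version}")
    sport, dport = struct.unpack_from("!HH", tcp)
    return {"client_ip": str(src), "client_port": sport,
            "vserver_port": dport, "consumed": total_len}

# Constructed sample: the prefix exactly as in the article's trace (magic 1234,
# length 52, type 1, CIP size 40), then a made-up 20-byte IPv4 header
# (src 10.103.6.30, dst 192.0.2.10) and a 20-byte TCP ACK (49152 -> 8080).
SAMPLE_PAYLOAD = bytes.fromhex(
    "000004d2 00000034 0001 0028"
    "4500 0028 0001 4000 4006 0000 0a67061e c000020a"
    "c000 1f90 00000001 00000001 5010 ffff 0000 0000"
)

if __name__ == "__main__":
    print(parse_tcp_cip(SAMPLE_PAYLOAD, 1234))
```

The "consumed" value tells the server where the real application data begins; the magic check rejects blocks that do not match the value configured on the service.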
