Why can't you use ISAM FELB as a transparent load balancer?


Author(s): László Czap | Created: 02 August 2019 | Last modified: 25 June 2022
Tested on: -

When you use the front-end load balancer (FELB) on ISAM in front of WebSEAL, you don't see the real client IP in the request log, which is annoying. Can it be configured otherwise? As the title says, the answer is no, at least not in L4 mode. Here is why.

When you use a load balancer, it terminates the connection at the TCP level, so your target sees the load balancer's IP on the incoming connection instead of the real originating IP. For HTTP traffic in L7 mode you have the option of adding a header that carries the original IP (typically X-Forwarded-For), but in L4 mode it is somewhat trickier. The requirement to see the real IP in the target application is quite common, so most vendors offer a configuration option for it.

How does transparent load balancing work (at least with other vendors)?

Part 1.
To open a new back-end connection, the load balancer needs to spoof the source IP: instead of its own address it uses that of the client who opened the connection on the front-end side. However, the back-end service will then address its response to the real client IP instead of the load balancer, so the connection will fail unless routing is configured properly.
Part 2.
Because of this, the back-end must use the load balancer as a gateway (typically it is configured as the default gateway), so that the load balancer receives the response packet even though it is addressed to the client.
Part 3.
Now it is the load balancer's task to recognize that, although the packet is not addressed to its own IP, it must accept it and keep the back-end connection running; moreover, it needs to send the packet's content over the front-end connection, of course with its own IP address as the sender.

Why doesn't ISAM do this?

ISAM uses HAProxy, which also has this feature. So why doesn't it work?
Part 1.
ISAM's HAProxy accepts the advanced configuration parameter source 0.0.0.0 usesrc clientip, so Part 1 is ✔
Part 2.
You can edit ISAM's routing table and set this properly. If you use multiple interfaces, you can even pull this off when your back-end (typically WebSEAL) and the FELB are on the same box, so Part 2 is ✔
Part 3.
This is where you fail. You would need kernel support and configuration so that your ISAM appliance acts as a gateway. ISAM simply drops a packet that is not addressed to any of its IP addresses, so the connection never succeeds. With a software installation of HAProxy you can tune these settings at the OS level, but ISAM is a closed box and this configuration option does not appear in the UI.
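For comparison, here is what Part 1 and Part 3 look like on a software HAProxy installation on Linux, as an added example that is not part of the original post or of ISAM; the WebSEAL address, the fwmark value and the routing table number are assumed placeholders, and the script only prints the commands unless explicitly asked to apply them.

```shell
#!/bin/sh
# Added example, not from the original post: Part 1 and Part 3 of transparent
# proxying on a software HAProxy install on Linux. Addresses and numbers are
# placeholders; Part 3 is the piece the ISAM appliance does not expose.
set -eu

BACKEND_IP="${BACKEND_IP:-192.0.2.10}"     # assumed WebSEAL address (placeholder)
BACKEND_PORT="${BACKEND_PORT:-443}"
MARK=1                                      # fwmark used to divert return traffic
TABLE=100                                   # policy-routing table for diverted packets

# Part 1: HAProxy backend stanza. "usesrc clientip" needs HAProxy built with
# TPROXY support and CAP_NET_ADMIN (or root) at start-up.
felb_backend_cfg() {
  cat <<EOF
backend webseal
    mode tcp
    source 0.0.0.0 usesrc clientip
    server ws1 ${BACKEND_IP}:${BACKEND_PORT} check
EOF
}

# Part 2 happens on the back-end host: its default route must point at the
# load balancer (ip route replace default via <LB_IP>), not shown here.

# Part 3: the OS side on the load balancer. The "-m socket" match recognises a
# reply whose destination is the client IP but which belongs to a local
# (transparent) HAProxy socket; the mark plus the "local" route deliver it to
# HAProxy instead of forwarding or dropping it.
part3_commands() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.ip_nonlocal_bind=1
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark ${MARK}
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark ${MARK} lookup ${TABLE}
ip route add local 0.0.0.0/0 dev lo table ${TABLE}
EOF
}

# Default: print the config and commands for review. "--apply" runs Part 3 (root only).
case "${1:-}" in
  --apply) [ "$(id -u)" -eq 0 ] || { echo "run --apply as root" >&2; exit 1; }
           part3_commands | sh -ex ;;
  *)       felb_backend_cfg; echo; part3_commands ;;
esac
```

Without the Part 3 rules the reply from the back-end, addressed to the client, is either forwarded onward or dropped by the kernel, which is exactly the failure the appliance exhibits.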