Transparency is useful in a situation when a Real Server needs to see the client addresses in order to function correctly. When transparency is enabled - rather than seeing the Virtual Service address, the server sees the client's address.
Transparency has a few caveats and is only applicable in certain situations. These caveats are listed below:
- The server must be local to one of the subnets that the LoadMaster has been deployed within. Transparency will not work with non-local servers.
- Clients must not be on the same subnet as your server. There are two exceptions to this rule:
- With a transparent Layer 7 service, the connection will work but transparency will not be applied
- With a transparent Layer 4 service, the connection will not work unless you are leveraging Direct Server Return (DSR)
- With Layer 4 or Layer 7 transparency, you will be required to change your servers' default gateway to use the LoadMaster. The exception to this is Layer 4 transparency with DSR.
- For DSR to work properly, the Virtual Service must be one-armed, i.e. the Virtual Service address and Real Server IP addresses need to reside within the same subnet. Also, a loopback adapter is needed on each Real Server. This will help to ensure the client's response looks like it is coming from the LoadMaster.
- If your server is on a non-local subnet, a transparent connection cannot be provided. Also, if you cannot modify your server's networking configuration, it is possible to look for the client address within an HTTP header such as X-Forwarded-For or X-Clientside. Often the use of an Internet Server Application Programming Interface (ISAPI) filter can directly insert these headers into your server logs. For instructions on how to do this, refer to the following Microsoft blog: ISAPI Filter which Logs original Client IP for Load Balanced IIS Servers.
Below are some screenshots to help illustrate what it looks like when transparency is enabled.
In the following example we will be using;
- Client - 10.0.9.13
- Virtual Service - 192.168.5.142:80
- Real Server - 192.168.5.103:80
L7 Front End TCPdump: From Client to LoadMaster Virtual Service
L7 Back End TCPdump: From LoadMaster Virtual Service to Real Service (Non-Transparent)
L7 Back End TCPdump: From LoadMaster Virtual Service to Real Service (Transparent)
Comparing the two TCPdumps of back-end traffic, you can see the client IP passed along to the server when Transparency is enabled. In the example of when Transparency is disabled, you will see the LoadMaster's IP address.