Understanding Transparency
Transparency controls how the LoadMaster forwards traffic to Real Servers. In transparent mode, the LoadMaster leaves the original client's IP address as the source address of the forwarded request. In non-transparent mode, the LoadMaster source-NATs the request, so the Real Server sees the LoadMaster's address (the Virtual Service address) as the source. If your server must see the original client's IP address, the Virtual Service must operate transparently.
Transparency can be turned on for Layer 7 services and is always on for Layer 4 services. There are, however, obstacles to services functioning correctly in transparent mode. For transparent operation to work, the Real Servers' replies must pass back through the LoadMaster, which rewrites the source address back to the Virtual Service address before the reply reaches the client. If a reply reaches the client directly, it carries the Real Server's own address as its source, and the client drops it because it never opened a connection to that address. Typically the return path is arranged by setting the servers' default gateway to the LoadMaster.
Challenges arise when the client and server are on the same subnet. The server then has an on-link route to the client and responds to it directly, bypassing the LoadMaster, so transparency cannot work. If your clients and servers are on the same subnet and you must have transparency, KEMP recommends migrating to a two-armed configuration: create an additional subnet connected to the LoadMaster, move your servers there and use the LoadMaster as their gateway, so that all return traffic passes through it.
The most important thing to remember when operating transparently is that the servers' default gateway must be the LoadMaster. Once that is in place, enable transparency by selecting the Transparency check box for the relevant Virtual Service(s) under Virtual Services > View/Modify Services > Modify > Standard Options.
Understanding Transparency
Transparency is useful when a Real Server must see client addresses to function correctly, for example for logging or for address-based access decisions. When transparency is enabled, the server sees the client's address rather than the Virtual Service address.
Transparency has a few caveats and is only applicable in certain situations:
- The server must be local to one of the subnets the LoadMaster is deployed in. Transparency does not work with non-local servers.
- Clients must not be on the same subnet as your server. What happens when they are depends on the service type:
  - With a transparent Layer 7 service, the connection works, but transparency is not applied to it.
  - With a transparent Layer 4 service, the connection does not work unless you are using Direct Server Return (DSR).
- With Layer 4 or Layer 7 transparency, you must change your servers' default gateway to the LoadMaster. The exception is Layer 4 transparency with DSR.
- For DSR to work properly, the Virtual Service must be one-armed, that is, the Virtual Service address and the Real Server IP addresses must reside in the same subnet. Each Real Server also needs a loopback adapter configured with the Virtual Service address, so that the server accepts packets addressed to the Virtual Service and its replies to the client appear to come from the LoadMaster.
- If your server is on a non-local subnet, a transparent connection cannot be provided. Likewise, if you cannot modify your server's networking configuration, look for the client address in an HTTP header such as X-Forwarded-For or X-Clientside instead. Bear in mind that a client can send its own X-Forwarded-For header: only trust the value on requests that arrived from the LoadMaster, and read the address the LoadMaster appended rather than the first one in the list. Often an Internet Server Application Programming Interface (ISAPI) filter can insert these headers directly into your server logs. For instructions on how to do this, refer to the following Microsoft blog: ISAPI Filter which Logs original Client IP for Load Balanced IIS Servers.
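The following model is added here as an illustration and is not KEMP code. It walks through, for each case in the caveats above, which source address the Real Server sees on the forwarded request and where its reply goes: non-transparent NAT, transparent with the LoadMaster as gateway and with some other router as gateway, a client on the server's subnet at Layer 7 and at Layer 4, and Layer 4 DSR with and without the loopback alias. The client, Virtual Service and Real Server addresses are those of the capture example below; the LoadMaster's interface address on the server subnet (192.168.5.1), a second router (192.168.5.254) and a local client (192.168.5.20) are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Addresses from the article's capture example. The LoadMaster interface
# address (192.168.5.1), the alternative router (192.168.5.254) and the
# on-subnet client (192.168.5.20) are assumptions made for this model.
LM_INTERFACE = IPv4Address("192.168.5.1")
VIRTUAL_SERVICE = IPv4Address("192.168.5.142")
SERVER_NET = IPv4Network("192.168.5.0/24")
REMOTE_CLIENT = IPv4Address("10.0.9.13")
LOCAL_CLIENT = IPv4Address("192.168.5.20")


@dataclass
class RealServer:
    ip: IPv4Address
    subnet: IPv4Network
    default_gw: IPv4Address
    loopback_aliases: set = field(default_factory=set)  # VS IPs bound on lo for DSR


def make_server(ip, gateway, dsr=False):
    """Constructed Real Server on the 192.168.5.0/24 subnet."""
    return RealServer(IPv4Address(ip), SERVER_NET, IPv4Address(gateway),
                      {VIRTUAL_SERVICE} if dsr else set())


def request_source(client_ip, layer, transparent, server):
    """Source IP the Real Server sees on the forwarded request.

    Non-transparent: the request is source-NATed to the LoadMaster address.
    Layer 7 transparent with the client on the server's own subnet: the
    LoadMaster falls back to NAT for that connection (the connection works,
    transparency is simply not applied).
    """
    if not transparent:
        return LM_INTERFACE
    if layer == 7 and client_ip in server.subnet:
        return LM_INTERFACE
    return client_ip


def reply_next_hop(server, dst):
    """First hop of the server's reply: on-link delivery or its default gateway."""
    if dst in server.subnet:
        return dst
    return server.default_gw


def client_view(client_ip, layer, transparent, server, dsr=False):
    """Return (connection_works, source_ip_seen_by_client).

    The client sent its SYN to VIRTUAL_SERVICE, so it only accepts replies
    whose source address is VIRTUAL_SERVICE.
    """
    if dsr:
        # Layer 4 DSR: the LoadMaster rewrites only the destination MAC, so the
        # server receives a packet addressed to the VS IP and must own that IP
        # on a loopback adapter to accept it. Its reply already carries the VS
        # address as source, so it may bypass the LoadMaster.
        if VIRTUAL_SERVICE not in server.loopback_aliases:
            return False, None
        return True, VIRTUAL_SERVICE
    src_seen = request_source(client_ip, layer, transparent, server)
    hop = reply_next_hop(server, src_seen)
    if hop == LM_INTERFACE:
        # Reply passes back through the LoadMaster, which rewrites the source
        # back to the Virtual Service address before the client sees it.
        return True, VIRTUAL_SERVICE
    # Reply bypassed the LoadMaster: the client receives a packet from the Real
    # Server's own address for a connection it opened to the VS, and drops it.
    return False, server.ip


if __name__ == "__main__":
    via_lm = make_server("192.168.5.103", "192.168.5.1")
    via_other = make_server("192.168.5.103", "192.168.5.254")
    with_loopback = make_server("192.168.5.103", "192.168.5.254", dsr=True)
    cases = [
        ("L7 non-transparent, any gateway", REMOTE_CLIENT, 7, False, via_other, False),
        ("L7 transparent, gateway = LoadMaster", REMOTE_CLIENT, 7, True, via_lm, False),
        ("L7 transparent, gateway = other router", REMOTE_CLIENT, 7, True, via_other, False),
        ("L7 transparent, client on server subnet", LOCAL_CLIENT, 7, True, via_lm, False),
        ("L4 transparent, client on server subnet", LOCAL_CLIENT, 4, True, via_lm, False),
        ("L4 DSR without loopback alias", LOCAL_CLIENT, 4, True, via_other, True),
        ("L4 DSR with loopback alias", LOCAL_CLIENT, 4, True, with_loopback, True),
    ]
    for label, client, layer, transparent, server, dsr in cases:
        works, src = client_view(client, layer, transparent, server, dsr)
        print(f"{label:45} works={works!s:5} client sees source {src}")
```

The two failing rows are the ones to remember: a Real Server whose gateway is not the LoadMaster, and a Layer 4 client on the server's subnet without DSR, both send replies that never come back through the LoadMaster, so the client sees the wrong source address and the connection stalls.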
The following screenshots illustrate what the traffic looks like when transparency is enabled. The example uses:
- Client - 10.0.9.13
- Virtual Service - 192.168.5.142:80
- Real Server - 192.168.5.103:80
L7 Front End TCPdump: From Client to LoadMaster Virtual Service
L7 Back End TCPdump: From LoadMaster to Real Server (Non-Transparent)
L7 Back End TCPdump: From LoadMaster to Real Server (Transparent)
Comparing the two back-end captures, you can see the client IP address (10.0.9.13) passed along to the server as the source when transparency is enabled. With transparency disabled, the source address is the LoadMaster's own address instead.
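In the non-transparent capture the Real Server only ever sees the LoadMaster's address, so an application that needs the client address must take it from the forwarding header mentioned above. The following is an added example, not code from the page or from KEMP, of doing that without being fooled by a client-supplied header. It assumes the LoadMaster reaches the server from 192.168.5.1 in non-transparent mode and that nothing else sits between the LoadMaster and the server; the header names are the X-Forwarded-For and X-ClientSide headers referred to above, and the log format is constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumption: in non-transparent mode the LoadMaster connects to the Real
# Server from this address, and no other proxy sits between them.
TRUSTED_PROXIES = [ip_network("192.168.5.1/32")]
# Header names mentioned in the article, checked in this order.
CLIENT_HEADERS = ("X-Forwarded-For", "X-ClientSide")


def is_trusted_proxy(addr):
    """True if addr belongs to one of our own load balancers or proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_addr, headers):
    """Determine the originating client of a request.

    peer_addr: source IP of the TCP connection as the server sees it.
    headers:   request headers as a dict (any letter case).

    If the connection did not come from a trusted proxy (the service is
    transparent, or a client reached the server directly), peer_addr already
    is the client and any forwarding header it carries is attacker-controlled
    and must be ignored. Otherwise the header is walked right to left: the
    rightmost entry is the one the LoadMaster appended, entries further left
    were supplied by whatever sat in front of it (possibly the client itself),
    so the first address that is not one of our own proxies is the client.
    """
    peer = ip_address(peer_addr)
    if not is_trusted_proxy(peer):
        return peer
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in CLIENT_HEADERS:
        raw = lowered.get(name.lower(), "")
        hops = [h.strip() for h in raw.split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                candidate = ip_address(hop)
            except ValueError:
                # Malformed entry: nothing to the left of it can be trusted either.
                break
            if not is_trusted_proxy(candidate):
                return candidate
    # No usable header: the proxy address is the best we can log.
    return peer


def access_log_line(peer_addr, headers, request_line):
    """Constructed log format with the client address resolved as above."""
    return f'{real_client_ip(peer_addr, headers)} "{request_line}"'


if __name__ == "__main__":
    # Constructed requests: one through the LoadMaster, one where the client
    # tried to forge the header, one that arrived without any proxy at all.
    print(access_log_line("192.168.5.1", {"X-Forwarded-For": "10.0.9.13"}, "GET / HTTP/1.1"))
    print(access_log_line("192.168.5.1", {"X-Forwarded-For": "203.0.113.9, 10.0.9.13"}, "GET / HTTP/1.1"))
    print(access_log_line("10.0.9.13", {"X-Forwarded-For": "203.0.113.9"}, "GET / HTTP/1.1"))
```

Run with a transparent Virtual Service, the peer address is the client itself and the header is never consulted; run behind a non-transparent one, the function returns the address the LoadMaster appended even when the client put a fake address in front of it.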