IBM Verify


Can 'iv-remote-address' header used in ISAM be overwritten with custom header value

  • 1.  Can 'iv-remote-address' header used in ISAM be overwritten with custom header value

    Posted Wed September 29, 2021 02:47 AM

    The 'iv-remote-address' header normally represents the IP address of the client or of the proxy server. In our case the requests are routed to ISAM as shown below:

    CLIENT --> Akamai --> F5 --> ISAM ReverseProxy

    The incoming request at ISAM has 'akamai-edge-proxy' address.

    AKAMAI sets the real client IP in a header called "True-Client-IP".

    Is there any mechanism which will allow ISAM to set the value of "True-Client-IP" as "iv-remote-address"?



    #Support
    #SupportMigration
    #Verify


  • 2.  RE: Can 'iv-remote-address' header used in ISAM be overwritten with custom header value

    Posted Wed September 29, 2021 08:30 AM

    I don't believe it is possible to override the "iv" headers generated by the Reverse Proxy. They are considered protected.

    In latest versions of Verify Access (10.0.1.0 and later) there is a configuration option which allows a header to be specified that will be used to obtain the client IP address. This overrides the connection IP address for authorization and auditing. I expect it would also override the value used in iv-remote-address header.

    Here's the config section completed with your specified header:

    #
    # The following configuration entry is used to define the name of the HTTP
    # header which contains the IP address of the client. This IP address will be
    # used as the client address in authorization decisions and auditing records.
    # If no HTTP header is configured, or the configured HTTP header is missing
    # from the HTTP request, or the contents of the HTTP header are incorrect,
    # the client IP address of the connection itself will be used.
    #
    # For example:
    # client-ip-http-header = X-Forwarded-For
    #
    client-ip-http-header = True-Client-IP



    #Support
    #SupportMigration
    #Verify
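
    As an added illustration of the fallback rules that comment describes (not IBM's code and not part of the original post), below is a small Python model of how a proxy would select the client address from a configured header, including the case in which the proxy itself originates a request and no client header is present. The sample addresses, the header names other than those in the thread, and the first-entry handling for list-valued headers are assumptions.

```python
import ipaddress
from typing import Dict, Mapping, Optional

# Constructed sample: the connection address the proxy sees from the last hop
# (an edge proxy in the thread's CLIENT -> Akamai -> F5 -> ISAM chain).
EDGE_CONN_IP = "203.0.113.10"
CONFIGURED_HEADER = "True-Client-IP"


def resolve_client_ip(conn_ip: str, headers: Mapping[str, str],
                      configured_header: Optional[str]) -> str:
    """Apply the documented client-ip-http-header rules.

    The configured header is used when it is present and holds a valid IP
    address; if no header is configured, the header is missing, or its
    contents are not an IP address, the connection's own address is used.
    Header-name matching is case-insensitive, as HTTP header names are.
    Assumption (not stated on the page): for list-valued headers such as
    X-Forwarded-For only the first entry is considered.
    """
    if not configured_header:
        return conn_ip
    value = next((v for n, v in headers.items()
                  if n.lower() == configured_header.lower()), None)
    if value is None:
        return conn_ip                      # header missing from the request
    candidate = value.split(",")[0].strip()
    try:
        ipaddress.ip_address(candidate)     # rejects garbage or empty values
    except ValueError:
        return conn_ip                      # header contents are incorrect
    return candidate


def resolve_samples() -> Dict[str, str]:
    """Run constructed requests through the rule; the 'single-signoff' entry
    models a proxy-originated request, which carries no client header."""
    samples = {
        "client via edge": {"True-Client-IP": "198.51.100.7"},
        "lowercase header": {"true-client-ip": "198.51.100.8"},
        "bad header value": {"True-Client-IP": "not-an-ip"},
        "single-signoff": {},
    }
    return {name: resolve_client_ip(EDGE_CONN_IP, hdrs, CONFIGURED_HEADER)
            for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, ip in resolve_samples().items():
        print(f"{name:18} -> {ip}")
```

    The proxy-originated case resolves to the connection address, which is the behaviour the later posts in this thread are asking about for the single-signoff-uri call.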


  • 3.  RE: Can 'iv-remote-address' header used in ISAM be overwritten with custom header value

    Posted Wed September 29, 2021 09:05 AM

    Thanks Jon. Good to hear from you after so many years. 

    I am currently using 9.0.5 version and there are plans to upgrade to the latest version in coming months. 

    In the interim, I tried the below, but this does not work in the logout scenario.

    [header-names]
    #client-ip-v4 = X-Forwarded-For
    httphdr{True-Client-IP} = True-Client-IP


    When a user logs out from ISAM, we have single-signoff-uri configured, where ISAM informs the backend application to terminate the application session.

    During this single-signoff call, the ReverseProxy passes "NOT_FOUND" to the backend application, which is not correct from an auditing perspective.


    With the new feature (client-ip-http-header) in 10.0.1, will this information be propagated during the single-signoff-uri scenario?

    As per the documentation of this feature it mentions "This IP address will be used as the client address in authorization decisions and auditing records." 

    Will you confirm whether this will work in the logout and single-signoff-uri case?



    #Support
    #SupportMigration
    #Verify


  • 4.  RE: Can 'iv-remote-address' header used in ISAM be overwritten with custom header value

    Posted Wed September 29, 2021 09:56 AM

    Hi AJay, long time.

    To be honest, I don't know how this will behave when using the single-signoff-uri scenario. In this case there is no "client" in play because the Reverse Proxy is making the requests itself. For sure that is the reason why the forwarding of the True-Client-IP HTTP header doesn't work - there's no client request to take the header from. It may fail in the same way for client-ip-http-header.

    When a credential is built for an authenticated session, a client IP address is stored in the credential. This is the value that (by default) is used to populate the iv-remote-address header... although there's the option to use the client IP for each request instead.

    I suspect the IP address in the credential will be populated from the HTTP header if you use the 10.0.1.0 client-ip-http-header config. From there you could populate it into an HTTP header to the backend which, I think, would still be populated when calling single-signoff-uri.

    While running on the older version, I'm not sure whether you can achieve what you need. If you are using a custom authentication mechanism, you could have this populate a custom credential attribute with the content of the True-Client-IP header and then use HTTP-Tag-Value support to include it in a custom HTTP header to the backend?

    Sorry I can't give concrete answers - I don't have a system set up to test this on right now.



    #Support
    #SupportMigration
    #Verify