When I configure a reverse proxy or load balancer in front of my SapphireIMS application server, I get the reverse proxy or load balancer IP as the client IP address and not the actual client IP address

The usual setup is a front-end reverse proxy or load balancer sitting on a public network that forwards requests to back-end SapphireIMS server instances located in a private network. This scenario needs some extra configuration so that the actual client IP address is forwarded to and processed by the SapphireIMS server instances. Specifically, when using Non-Transparent mode at Layer 7:

  1. Configure your reverse proxy or load balancer to properly set X-Forwarded-For and X-Forwarded-Proto HTTP headers.
  2. Configure your reverse proxy or load balancer to preserve the original 'Host' HTTP header.
  3. Configure the SapphireIMS server to read the client's IP address from the X-Forwarded-For header.

Steps #1 and #2 are beyond the scope of the SapphireIMS team and have to be handled by whoever maintains the proxy or load balancer setup. For #3, set proxy-address-forwarding="true" in the 'http-listener' section of the file 'standalone.xml', which is present in the 'SapphireIMS\WebManagement\standalone\configuration' folder.
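One way to check step #3 after editing the file, as an added example that is not SapphireIMS code: the script lists every http-listener in standalone.xml and reports whether proxy-address-forwarding is enabled on it. The sample XML, listener names and namespace versions are constructed, and an absent attribute is assumed to mean the setting is off.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed standalone.xml fragment, not the shipped file.
SAMPLE_STANDALONE = """<server xmlns="urn:jboss:domain:4.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:3.0">
      <server name="default-server">
        <http-listener name="default" socket-binding="http"
                       proxy-address-forwarding="true"/>
        <http-listener name="internal" socket-binding="http-internal"/>
        <http-listener name="legacy" socket-binding="http-legacy"
                       proxy-address-forwarding="false"/>
      </server>
    </subsystem>
  </profile>
</server>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]


def audit_listeners(xml_data):
    """Return {listener name: True/False} for each http-listener element."""
    root = ET.fromstring(xml_data)  # accepts str or bytes
    status = {}
    for element in root.iter():
        if local_name(element.tag) != "http-listener":
            continue
        # Assumption: a missing attribute means forwarding is not enabled.
        value = element.get("proxy-address-forwarding", "false")
        status[element.get("name", "?")] = value.strip().lower() == "true"
    return status


def listeners_missing_forwarding(xml_data):
    """Names of listeners that would still log the proxy's address."""
    return sorted(n for n, ok in audit_listeners(xml_data).items() if not ok)


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STANDALONE
    for name, enabled in audit_listeners(data).items():
        print(f"{name}: proxy-address-forwarding {'on' if enabled else 'OFF'}")
    sys.exit(1 if listeners_missing_forwarding(data) else 0)
```

Pass the path to the real standalone.xml as the first argument to audit it. With the setting on, the server takes the client address from the header on every request that reaches that listener, so the listener should accept connections only from the reverse proxy or load balancer.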

You can also achieve this using Transparent mode, which has the following characteristics:

  • Preserves the source IP address
  • Works with Layer 4 (L4) and L7
  • Cannot browse from the same subnet as the Real Servers (application servers). Of course, this can be solved by connecting another subnet to the load balancer and moving the back-end servers to the new subnet, which is a two-armed configuration.
  • The default gateway must be the load balancer
  • Cannot have non-local Real Servers
  • Cannot use with SSL re-encryption

Whereas in Non-Transparent mode, the following holds:

  • Can browse from the same subnet as the Real Server
  • No need to change the default gateway
  • The source IP address is not preserved (but X-Forwarded-For header can be used)
  • Only available for L7