Symptom:

In GoAnywhere Services Logs (HTTPS, SFTP) - The 'Remote IP Address' is not the end-user IP address, for example:

That Address is the IP Address of the customer's NLB component (F5, Netscaler etc...) or Firewall NAT address



Cause:

This issue is caused by the way network devices operate and see each-other. Since most Firewalls and/or NLBs will do an Address Translation (NAT), the MFT server will see the NAT address and not the actual IP of the user



Solution:

To handle the above cases in web flows, a X-Forwarded-For header was introduced. The network equipment that is doing the NAT must support XFFotherwise this will not work.

The support for the X-Forward-For header needs to be manually configured on the MFT.

Notice: this capability is supported in versions 6.4.1 and above!


1. Navigate to the installation directory of GoAnywhere MFT and edit the [installDir]/config/system.properties file

2. Add the following to the bottom of the file:

#X-Forward-For support

com.linoma.webClient.xff.proxyPattern=<1st Segment of the IP Address>\\.<2nd Segment of the IP Address>\\.<3rd Segment of the IP Address>\\.<4th Segment of the IP Address>


For example:

  • Specific IP:
    com.linoma.webClient.xff.proxyPattern=192\\.168\\.25\\.1
  • All IPs in the 192.168.0.0 network:
    com.linoma.webClient.xff.proxyPattern=192\\.168\\.\\d{1,3}\\.\\d{1,3} 


4. Restart the GoAnywhere service

5. Verify that in new end-user connections logs - The 'Remote IP Address' is  the end-user IP address, for example: