Hello everybody, some of our customers make heavy use of the Clientless VPN feature of the GlobalProtect Portal, and one of the most used applications at this time is the Apache Guacamole remote desktop gateway (https://guacamole.apache.org/). The GP Portal is configured to show the icon of this app and, on clicking the app, the remote users of course access the web server (NGINX in reverse proxy mode) through which the application is served. As you know, when using the clientless feature, all the requests made by the remote clients are proxied by the firewall, so from the application server's point of view all the connections originate from the same IP address (the IP of the firewall interface facing the application).

This is working very well for us but, with the ever-growing number of remote users, a single Guacamole server is no longer enough to manage all the necessary concurrent connections. So we need to add more Guacamole servers and put those servers behind a load balancer (i.e. HAProxy or NGINX itself). In this fashion, the clientless app on the GP Portal is configured to point to the load balancer address instead of the address of the Guacamole server.

The problem is: how can we load balance and ensure stickiness of the connections if all the user requests are coming from the firewall IP address? I already asked customer support whether the firewall can inject an XFF header in the HTTP requests, but it's not possible. Any idea?
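As an added illustration of the stickiness problem described in the post (this is example configuration, not something from the original poster or from Palo Alto Networks or the Guacamole project), the HAProxy snippet below keeps each remote user on the same Guacamole backend with a server-inserted persistence cookie instead of the client source address, which in the clientless VPN setup is always the firewall's IP. All addresses, server names, the cookie name and the certificate path are assumptions; Guacamole's own login token is not touched by the load balancer.

```haproxy
# Added example, not from the original post: cookie-based persistence so that
# routing does not depend on the (shared) source IP of the GlobalProtect firewall.
# Every IP, hostname, path and cookie name below is an assumed placeholder.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  1h     # remote desktop sessions are long-lived
    timeout server  1h
    timeout tunnel  1h     # applies to the WebSocket tunnel Guacamole opens

frontend guac_fe
    bind *:443 ssl crt /etc/haproxy/certs/guac.pem   # assumed certificate path
    default_backend guac_be

backend guac_be
    balance roundrobin
    # On the first response HAProxy inserts the GUACSRV cookie naming the chosen
    # server; later requests carrying it are sent to that server regardless of
    # source address. "indirect" hides the cookie from the backend, "nocache"
    # keeps intermediaries from caching a response that sets it, and
    # httponly/secure limit the cookie to TLS and keep scripts from reading it.
    cookie GUACSRV insert indirect nocache httponly secure
    option httpchk GET /guacamole/
    server guac1 10.10.1.11:8080 check cookie g1   # assumed Guacamole node 1
    server guac2 10.10.1.12:8080 check cookie g2   # assumed Guacamole node 2
```

Because the persistence key travels in the HTTP response and request rather than in the network layer, it survives the firewall proxying every client behind one address; the trade-off is that a user whose backend node goes down is re-balanced and must log in to Guacamole again, which the health check (`option httpchk`) makes happen promptly rather than after a hung session.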