
Make IN and INSSL gateways preserve packet source IP


jody3t
03-24-2008, 05:26 PM
It would be so very nice if the IN and INSSL gateways (and PS8) would preserve the source IP of the packets (rather than having to add headers and then parse the headers). It would make configuration of server software, log analyzers, firewalls and practically everything MUCH easier, allowing me to use (and trust) the default configurations in most cases.

For example, I recently set up a Zimbra server on our grid and of course Zimbra by default will relay messages from the LAN, thinking LAN machines can be trusted, but the IN appliance makes outside IP traffic look like local traffic, so Zimbra happily relayed spam coming from outside spammers. So basically the default Zimbra install will function as an open relay! Luckily I noticed this within a few days of setup and was able to fix it before we appeared on the DNSBLs (knock on wood, so far we have not appeared on any).

This would seem to be a natural extension of the virtualization of gateways and routable IPs.

I don't really know much about how to actually do this, so I am offering this as a suggestion for future versions of the gateway and port switch appliances. At the very least a check box to enable this behavior, if it wasn't the default, would be cool. :)
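The open-relay failure described in this post, and the "add headers and then parse the headers" workaround, as an added example that is not part of the thread or of any appliance's code. It assumes a constructed gateway address and LAN range, and an assumed forwarded-client header (comma-separated, original client first) that the gateway would insert; the header is only trusted when the connection really comes from the gateway.

```python
import ipaddress

# Constructed values for this example (not from the thread): the gateway's
# inside address and the LAN range the mail server considers "trusted".
GATEWAY_IP = ipaddress.ip_address("10.0.0.1")
LAN_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]


def naive_may_relay(peer_ip):
    """The default-style check the post describes: relay for anything that
    looks local. Behind a source-rewriting gateway every outside sender
    arrives from GATEWAY_IP, which is inside the LAN range, so this passes."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in net for net in LAN_NETWORKS)


def effective_source(peer_ip, forwarded_header=None):
    """Return the address the relay policy should actually judge.

    The assumed forwarded header is consulted only when the peer is the
    gateway; from any other peer it could be client-supplied and is ignored.
    A gateway connection with no usable header is treated as external
    (None) rather than as the gateway's own LAN address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer != GATEWAY_IP:
        return peer
    if not forwarded_header:
        return None
    first = forwarded_header.split(",")[0].strip()
    try:
        return ipaddress.ip_address(first)
    except ValueError:  # malformed header: fail closed
        return None


def may_relay(peer_ip, forwarded_header=None, authenticated=False):
    """Relay only for authenticated clients or for genuine LAN sources."""
    if authenticated:
        return True
    src = effective_source(peer_ip, forwarded_header)
    if src is None:
        return False
    return any(src in net for net in LAN_NETWORKS)
```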

jody3t
03-24-2008, 05:44 PM
I appreciate the enhanced security provided by isolating the server VM (by the VLAN) from the Internet and so this is something that would not be default behavior, but rather an option to enable.

PeterNic
04-04-2008, 08:37 PM
Jody -- we'll look at an option to do this. Note that this will disable the possibility of connecting multiple outputs to the same input, because the input wouldn't know which way to return the traffic (or we need to designate one of the connections as "default" and know that all traffic with external IPs has to be forwarded back through it).

Regards,
-- Peter

enovikoff
06-06-2008, 12:32 PM
This is important to us as well. Many of our customers' applications are hardwired to look at the source IP address, and they cannot successfully implement with the default gateways.

PeterNic
06-07-2008, 12:04 AM
Got it, loud and clear!

-- Peter