Users are unable to launch applications from the Workspace ONE app or portal in a load-balanced VMware Identity Manager deployment.

Problem

Users are unable to launch applications from the Workspace ONE portal or app if their client IP address is determined incorrectly. This problem can occur in load-balanced VMware Identity Manager deployments if the X-Forwarded-For (XFF) header contains incorrect IP addresses.

Check the Audit Events launch report in the Dashboard to verify that the client IP address is being resolved correctly. If it is not being resolved correctly, follow this procedure to fix the problem.

Solution

To resolve the issue, first use the clientipresolutioninfo REST API to get the list of IP addresses in the XFF header, then check the response. If the response returns the IP address of the load balancer or of a VMware Identity Manager service node, set the service.ipsToIgnoreInXffHeader property in the runtime-config.properties file to filter out the unwanted IP addresses.

To get the list of IP addresses in the XFF header, use a REST client such as Postman to run the following REST API while logged in to the VMware Identity Manager service as the tenant administrator:

Method: GET

Path: /clientipresolutioninfo

Authorization: HZN cookie_value
Note: You can get the HZN cookie value by logging in to the VMware Identity Manager service as the tenant administrator, then accessing your browser's cookie cache.

Response Media Type: application/vnd.vmware.horizon.manager.clientipresolutionconfig+json

Sample JSON response:

{
  "xffHeaderIpList":["10.112.68.252"], // the IP addresses in the XFF header
  "numberOfLoadBalancers":0, // number of load balancers configured in runtime-config.properties
  "configuredIpToIgnoreList":"10.112.68.255", // the list of IPs or subnets to ignore, as configured in runtime-config.properties
  "clientIpDetermined":"10.112.68.252", // the client IP address finally used for login and access policy
  "_links":{}
}

From the output, determine which IP addresses are not needed, then edit the runtime-config.properties file to filter them out.

  1. Log in to the VMware Identity Manager virtual appliance.
  2. Edit the /usr/local/horizon/conf/runtime-config.properties file and add the following property:

    service.ipsToIgnoreInXffHeader IPsToIgnore

    where IPsToIgnore is a comma-separated list of IP addresses to ignore in the XFF header.

  3. Restart the service.

    service horizon-workspace restart
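
The check described above, as an added example that is not part of the original article or VMware's own tooling: it reads a saved clientipresolutioninfo response, compares the XFF list with addresses you know belong to the load balancer and service nodes, and builds the property in the form shown in step 2. The sample response values and the INFRASTRUCTURE list are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample: field names follow the response above, values are invented.
SAMPLE_RESPONSE = """{
  "xffHeaderIpList": ["203.0.113.40", "10.112.68.10", "10.112.68.21"],
  "numberOfLoadBalancers": 0,
  "configuredIpToIgnoreList": "10.112.68.21",
  "clientIpDetermined": "10.112.68.10",
  "_links": {}
}"""

# Assumption: addresses or subnets of your load balancer and service nodes.
INFRASTRUCTURE = ["10.112.68.10", "10.112.68.20/30"]


def _networks(entries):
    """Turn single IPs or CIDR subnets into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _covered(ip, networks):
    """True if ip falls inside any of the given networks."""
    return any(ipaddress.ip_address(ip) in net for net in networks)


def review(response_text, infrastructure):
    """Compare the XFF list in the response with known infrastructure."""
    data = json.loads(response_text)
    infra = _networks(infrastructure)
    configured = data.get("configuredIpToIgnoreList") or ""
    existing = [e.strip() for e in configured.split(",") if e.strip()]
    ignored = _networks(existing)
    # Infrastructure hops in the header that the current config does not filter.
    missing = [ip for ip in data.get("xffHeaderIpList", [])
               if _covered(ip, infra) and not _covered(ip, ignored)]
    return {
        # True means access policy is being evaluated against an
        # infrastructure address instead of the real client.
        "client_ip_is_infrastructure": _covered(data["clientIpDetermined"], infra),
        "add_to_ignore_list": missing,
        "property_line": "service.ipsToIgnoreInXffHeader "
                         + ",".join(existing + missing),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_RESPONSE, INFRASTRUCTURE), indent=2))
```

After the restart, call the API again and confirm that clientIpDetermined is no longer an infrastructure address.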