How is actual Client IP determined for Network location detection, when traffic from both internal and external Clients is routed through a Proxy?
This is important when Clients access the Cloud Workspace through a Proxy, irrespective of Client's location - inside or outside corporate network. Workspace service should be able to detect the Client's correct location and allow direct connection to VDAs when Client is inside the corporate network, and route through Gateway service and Cloud Connectors when Client is outside the corporate network.
Network location should be created with Internal tag for the corporate Egress IP range as suggested here - Direct Workload Connection | Citrix Workspace.
If all traffic is routed via an external Proxy, the source IP range will always be the same irrespective of the actual Client's location. In such a case Proxy should be configured to add the XFF (X-Forwarded-For) header, which adds the Client's Public IP in the header. This IP will either be the ISPs IP when Client is outside the corporate network, or the Egress IP when Client is inside the corporate network. Workspace platform is designed to use the XFF header to determine the Client IP, and use the Source IP as the Client IP only if the XFF header is not present. By adding the XFF header, Workspace service can choose the desired Client IP and check it against the Network Location service database to check for the location tag, if it is Internal.