You must set the Real Server to route return traffic to the MOVEit WAF interface because transparency is set for the Virtual Services. Routing tables are required to achieve this.

A user-defined route must be configured with the Next hop type set to Virtual appliance. The Next hop address should then be set to the IP address of MOVEit WAF. The CIDR range 0.0.0.0/0 should be used to force all traffic to return through MOVEit WAF.

For further help, refer to Microsoft Azure's full documentation on user-defined routes.

You may see the following scenario:

  • With transparency disabled, MOVEit WAF sends traffic to a healthy Real Server as normal and the Real Server responds.
  • With transparency enabled, MOVEit WAF sends traffic to a healthy Real Server as normal. However, no traffic is seen on the Real Server.

This is because of the IP forwarding setting in Azure.

For further information on IP forwarding in Azure, refer to the following Microsoft content: Enable or disable IP forwarding.

You can find this in the Azure portal by going to: Home > <MOVEit WAF> > Networking > <VLM NIC/Interface> > IP configurations.

Set IP forwarding to Enabled.

This change must be made on the interface that is on the same subnet as the Real Server.
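The two requirements above (the 0.0.0.0/0 user-defined route through MOVEit WAF and IP forwarding on the WAF interface facing the Real Server) can be checked offline against exported Azure configuration. This is an added example, not part of the original documentation: the function name, resource names and addresses are constructed, and the JSON field names are assumed to match the output of `az network route-table show` and `az network nic show`.

```python
import ipaddress

def check_transparency_setup(route_table, waf_nics, real_server_subnet):
    """Return a list of findings; an empty list means both settings are in place."""
    subnet = ipaddress.ip_network(real_server_subnet)
    findings, waf_ips, facing = [], set(), []
    for nic in waf_nics:
        ips = [c["privateIPAddress"] for c in nic.get("ipConfigurations", [])]
        waf_ips.update(ips)
        # The WAF interface that matters is the one on the Real Server's subnet.
        if any(ipaddress.ip_address(ip) in subnet for ip in ips):
            facing.append(nic)
    if not facing:
        findings.append("no WAF interface found on the Real Server subnet")
    for nic in facing:
        if not nic.get("enableIPForwarding", False):
            findings.append(f"IP forwarding is disabled on {nic['name']}")
    defaults = [r for r in route_table.get("routes", [])
                if r.get("addressPrefix") == "0.0.0.0/0"]
    if not defaults:
        findings.append("no user-defined route for 0.0.0.0/0")
    for r in defaults:
        if r.get("nextHopType") != "VirtualAppliance":
            findings.append(f"route {r['name']}: next hop type is not Virtual appliance")
        elif r.get("nextHopIpAddress") not in waf_ips:
            findings.append(f"route {r['name']}: next hop is not a MOVEit WAF address")
    return findings

# Constructed sample data (not from a real deployment).
WAF_NIC = {"name": "waf-nic-backend", "enableIPForwarding": False,
           "ipConfigurations": [{"privateIPAddress": "10.0.2.4"}]}
ROUTES = {"name": "rs-return-routes", "routes": [
    {"name": "default-via-waf", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.2.4"}]}

if __name__ == "__main__":
    for finding in check_transparency_setup(ROUTES, [WAF_NIC], "10.0.2.0/24"):
        print("FINDING:", finding)
```

With the sample data, the route is correct but the check reports the disabled IP forwarding setting, which matches the scenario where transparency is enabled and no traffic is seen on the Real Server.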