We have a pair of Cisco's AXG web application firewalls that protect our internet-facing servers in a reverse-proxy fashion.
One problem we have is the servers can only see the WAF's IP's instead of the end users'.
Cisco TAC & SE's have confirmed there's no way around that until the next code release, which is targeted at Q1 2010.
There's an option to include the end users' IP's in the X_FORWARDED_FOR header within WAF.
However, we need to find a way to copy that IP from the XFF header into the REMOTE_ADDR header.
If anyone knows how that can be done, please let me know.