Forum Discussion
hooleylist
May 12, 2008 | Cirrostratus
Hi David,
Sorry, I had a couple of typos and a logic error in the example I posted. I changed the 'if' to 'while' and removed a couple of extraneous braces. The edited version above should work (Click here) for removing any existing XFF headers and inserting a new one.
The caveat to this approach is that I don't think the DLL posted on DevCentral to log the XFF value will allow IIS to parse the XFF header value for authentication. I think the DLL only affects logging. I was suggesting that you might need to implement the authentication in the application. Or perhaps there is an existing DLL (or one you could create) which parses the XFF header value for authentication. However, I don't think IIS parses the HTTP headers before it checks the source IP address for authentication.
If you want to use IIS IP-based authentication, I think you'll need to disable SNAT and set the default gateway on the IIS servers to the BIG-IP. If that's not an option, you could either implement the authentication within the application or on the BIG-IP using an iRule and datagroups. The last approach could be relatively simple. You'd need to create an address datagroup containing your allowed hosts/networks. You could also create a datagroup which lists allowed paths. Then in the HTTP_REQUEST event, you could check whether the client IP matches the hosts/networks datagroup and that the requested path is allowed.
Aaron
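
The datagroup check described in the post above, sketched as an iRule. This is an added example, not code from the original post or from F5. The data group names `allowed_clients_dg` and `allowed_paths_dg` are hypothetical, and the `class match` command assumes BIG-IP v10 or later.

```tcl
# Added example. Hypothetical data groups:
#   allowed_clients_dg - address-type data group of permitted hosts/networks
#   allowed_paths_dg   - string-type data group of permitted path prefixes (lowercase)
when HTTP_REQUEST {
    # Decide on the TCP peer address the BIG-IP sees, never on a
    # client-supplied header such as X-Forwarded-For, which can be forged.
    set client [IP::client_addr]
    # Lowercase the path so the comparison matches the lowercase entries.
    set path [string tolower [HTTP::path]]

    if { not [class match $client equals allowed_clients_dg] } {
        log local0. "Denied $client: address not in allowed_clients_dg"
        HTTP::respond 403 content "Forbidden"
        return
    }
    if { not [class match $path starts_with allowed_paths_dg] } {
        log local0. "Denied $client: path not in allowed_paths_dg"
        HTTP::respond 403 content "Forbidden"
        return
    }

    # Request is allowed: strip every client-supplied XFF header, then
    # insert one carrying the address the BIG-IP observed.
    while { [HTTP::header exists X-Forwarded-For] } {
        HTTP::header remove X-Forwarded-For
    }
    HTTP::header insert X-Forwarded-For $client
}
```

Because the allow decision is made on the BIG-IP, the IIS servers can keep SNAT enabled; the inserted header is then only informational for logging on the back end.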