Forum Discussion
Abhishek_Mittal
Nimbostratus
NimbostratusAD DC's behind F5 + SNAT
We have AD DC's behind F5 and we are using SNAT for this setup.
Issue: Domain controller always see SNAT IP as client IP address. DC team are unable to see actual client IP address, if they want...
From the way you ask the question, it is not clear. Do you mean without disabling SNAT? Becuase it seems like disabling SNAT is the best way to see the users ip...
Abhishek_MittalIf we will disable the SNAT, Will it not do Asymmetric routing. As far as I know, SNAT we use in F5 to prevent asymmetric routing. (if F5 and Servers are not in same subnet)
Right, we don't know your network environment. There probably is a way around it. SNAT makes things easy, but quite likely you don't need it if you have control and can plan your environment carefully.
If you don't want to change all your routing tables to actually see the client's ip, then you probably should just use timestamps. Ensure your clock is the same and you can probably figure out the user from the logs. You could also try to embed something in the packets sent to the DC, but you'd also have to configure the DC to strip and log that information. You could do the F5 part easily with irules, but the rest would be up to your server configuration team.
I'm not sure of what kind of "troubleshooting" they "can't do", but it seems like you might have to work in concert with them to identify the clients as the ip alone is not enough.
- Abhishek_Mittal
Issue is one of the account is getting locked out, but they are unable to find the source IP for that locked out. as on DC they see only SNAT IP each and every time.