For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Abhishek_Mittal's avatar
Abhishek_Mittal
Icon for Nimbostratus rankNimbostratus
Sep 13, 2016

AD DC's behind F5 + SNAT

We have AD DC's behind F5 and we are using SNAT for this setup.   Issue: Domain controller always see SNAT IP as client IP address. DC team are unable to see actual client IP address, if they want...
application delivery
iRules
LTM
Josiah_39459's avatar
Josiah_39459
Historic F5 Account
Sep 13, 2016

From the way you ask the question, it is not clear. Do you mean without disabling SNAT? Becuase it seems like disabling SNAT is the best way to see the users ip...

 

Josiah_39459's avatar
Josiah_39459
Historic F5 Account
Sep 13, 2016

Right, we don't know your network environment. There probably is a way around it. SNAT makes things easy, but quite likely you don't need it if you have control and can plan your environment carefully.

 

If you don't want to change all your routing tables to actually see the client's ip, then you probably should just use timestamps. Ensure your clock is the same and you can probably figure out the user from the logs. You could also try to embed something in the packets sent to the DC, but you'd also have to configure the DC to strip and log that information. You could do the F5 part easily with irules, but the rest would be up to your server configuration team.

 

I'm not sure of what kind of "troubleshooting" they "can't do", but it seems like you might have to work in concert with them to identify the clients as the ip alone is not enough.