Forum Discussion
F5 and ADFS server as passthrough setup with client IP in logs
We have F5 and an ADFS server as passthrough. I have SNAT enabled and no X-Forwarded-For. I want to see the source client IP in the ADFS server logs. If I enable X-Forwarded-For and disable SNAT, the ADFS service breaks. What is the way to get the client IP in the ADFS server logs?
I don't want to use ADFS proxy as of now.
- AceDawg1
Nimbostratus
Good afternoon,
Are you terminating SSL at the F5 for this VIP? If not, then inserting any HTTP parameters into the traffic stream will break the connection.
- AceDawg1
Nimbostratus
If you are not terminating SSL at the F5, then any HTTP parameter will break the connection.
Refer to the following DevCentral article for details:
https://devcentral.f5.com/questions/http-profile-breaking-https-49615
- JG
Cumulonimbus
Terminating SSL on the F5 will not work, as some Microsoft/ADFS services use client-side certificates in their callbacks, and F5 cannot pass these certificates via the conventional server-side SSL functionality.
There is the Client Certificate Constrained Delegation (C3D) in 13.1 (see Kevin's answer in https://devcentral.f5.com/questions/f5-httpd-and-mod-jk-and-tomcat-full-https-61690 ) that one can use, but one has to know all about the ADFS services before starting anything.
Additionally, all these client-side certificates are changed/replaced regularly, a bit of a headache for operations.
Without SSL termination, the F5 HTTP functionality is just not available for use.