For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

raj_bjs77's avatar
raj_bjs77
Icon for Nimbostratus rankNimbostratus
Dec 13, 2018

F5 and ADFS server as passthough setup with client IP in logs

we have F5 and ADFS server as passthrough. I have SNAT enabled and no x-forwarder-for I want to see the source client ip in the ADFS server logs. If i enable x-forwared-for and disable snat, the adfs service breaks. What is the way to get the client IP in the ADFS server logs

 

I dont want to use ADFS proxy as of now.

 

application delivery
iRules
LTM

3 Replies

  • AceDawg1's avatar
    AceDawg1
    Icon for Nimbostratus rankNimbostratus
    Dec 13, 2018

    Good afternoon,

     

    Are you terminating SSL at the F5 for this VIP? If not, then inserting any HTTP parameters into the traffic stream will break the connection.

     

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    Dec 13, 2018

    Terminating SSL on the F5 will not work, as some Microsoft/ADFS services use client-side certificates in their call backs, and F5 cannot pass these certificates via the conventional server-side SSL functionality.

     

    There is the Client Certificate Constrained Delegation (C3D) in 13.1 (see Kevin's answer in https://devcentral.f5.com/questions/f5-httpd-and-mod-jk-and-tomcat-full-https-61690 ) that one can use, but one has to know all about the ADFS services before starting anything.

     

    Additionally, all these client-side certificates are changed/replaced regularly, a bit of headache for operation.

     

    Without SSL termination, the F5 HTTP functionality is just not available for use.