Forum Discussion
F5 and ADFS server as passthrough setup with client IP in logs
Terminating SSL on the F5 will not work, as some Microsoft/ADFS services use client-side certificates in their callbacks, and F5 cannot pass these certificates via the conventional server-side SSL functionality.
There is the Client Certificate Constrained Delegation (C3D) in 13.1 (see Kevin's answer in https://devcentral.f5.com/questions/f5-httpd-and-mod-jk-and-tomcat-full-https-61690) that one can use, but one has to know all about the ADFS services before starting anything.
Additionally, all these client-side certificates are changed/replaced regularly, a bit of a headache for operations.
Without SSL termination, the F5 HTTP functionality is just not available for use.