Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

raj_bjs77's avatar
raj_bjs77
Icon for Nimbostratus rankNimbostratus
Dec 13, 2018

F5 and ADFS server as passthough setup with client IP in logs

we have F5 and ADFS server as passthrough. I have SNAT enabled and no x-forwarder-for I want to see the source client ip in the ADFS server logs. If i enable x-forwared-for and disable snat, the adfs...
application delivery
irules
LTM
JG's avatar
JG
Icon for Cumulonimbus rankCumulonimbus
Dec 13, 2018

Terminating SSL on the F5 will not work, as some Microsoft/ADFS services use client-side certificates in their call backs, and F5 cannot pass these certificates via the conventional server-side SSL functionality.

 

There is the Client Certificate Constrained Delegation (C3D) in 13.1 (see Kevin's answer in https://devcentral.f5.com/questions/f5-httpd-and-mod-jk-and-tomcat-full-https-61690 ) that one can use, but one has to know all about the ADFS services before starting anything.

 

Additionally, all these client-side certificates are changed/replaced regularly, a bit of headache for operation.

 

Without SSL termination, the F5 HTTP functionality is just not available for use.