
Forum Discussion

Feb 22, 2017

How to pass the client's IP to backend servers for LDAP traffic ?

Hey guys, we have set up several VS for Active Directory (ports 3268, 3269, 389, 636). Behind these VS are our domain controllers. All our workstations and servers are using this "AD VIP" setup for AD authentication. This was set up a couple of years ago and everything is working fine.


Now I've been asked to put some logging in place in order to troubleshoot account lockout issues. Some users are reporting that their user account gets locked out automatically on a regular basis. This is usually because they have hard-coded their old password in a scheduled task or something like that. What I need to log is the IP of the machine the failed authentication request is coming from, in order to know which machine we need to check.


Considering the amount of requests, I'm not super keen on logging this in the LTM log. All requests are already logged on the DCs anyway. But on the DCs we see them with the IP of the load balancer and not the IP of the client. How could I, for LDAP traffic, pass the client's IP to the DCs? I guess the X-Forwarded option of the HTTP profile doesn't apply in this case?


6 Replies

  • Is this a one-armed setup that requires SNAT in some form?


  • In that case, you should already see the original client IP being passed on to the LDAP servers!?


  • I think the first comment is the important one: are you using Source Address Translation?


  • I believe your VIP configured with automap or SNAT is causing the issue? Make sure to move the servers behind the F5 segment to avoid this, as we can't use HTTP profiles on an AD VIP.


    Thx


    Srini
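The replies above point at source address translation (SNAT / automap) as the reason the domain controllers log the BIG-IP's self IP instead of the workstation. Because LDAP is plain TCP there is no header equivalent to X-Forwarded-For, so the only way to make the DC see the real client address is to stop translating it and make sure return traffic still routes through the BIG-IP. The following tmsh session is an added example written for this thread, not configuration posted by the original poster or by F5; the virtual server and pool names (vs_ad_389, vs_ad_636, vs_ad_3268, vs_ad_3269, pool_ad_dcs), the VIP 10.1.1.100, the DC subnet 10.1.2.0/24, the DC address 10.1.2.10 and the floating self IP 10.1.2.1 are all assumptions for illustration.

```tmsh
# Starting point as the original poster describes it (object names and
# addresses are assumptions for this example): the LDAP VIP fronts a pool
# of domain controllers and uses SNAT automap, so every connection the DC
# receives has a BIG-IP self IP as its source address.
tmsh list ltm virtual vs_ad_389
#   ltm virtual vs_ad_389 {
#       destination 10.1.1.100:389
#       ip-protocol tcp
#       pool pool_ad_dcs
#       profiles { tcp { } }
#       source-address-translation { type automap }   <- hides the client IP
#   }

# Corrected setting: no source address translation. The TCP connection the
# BIG-IP opens to the DC now carries the workstation's real source IP, which
# is what the DC's security log will record for the failed bind.
tmsh modify ltm virtual vs_ad_389 source-address-translation { type none }

# The same change is needed on the other AD virtual servers the poster
# mentions (assumed names for 636, 3268 and 3269).
for vs in vs_ad_636 vs_ad_3268 vs_ad_3269; do
    tmsh modify ltm virtual $vs source-address-translation { type none }
done

# Prerequisite (this is what "move the servers behind the F5 segment" means):
# with SNAT off the DC replies directly to the client's real IP, so that
# reply must be routed back through the BIG-IP or the TCP session breaks.
# Either the DCs' default gateway is the BIG-IP floating self IP on the
# server VLAN (assumed 10.1.2.1 here, set in the DC's IPv4 settings), or
# each DC gets static routes for the client networks pointing at that self
# IP. A one-armed design, where clients and DCs share a subnet, cannot work
# without SNAT: the DC would answer the client directly, bypassing the
# BIG-IP, and the connection would be reset.

tmsh save sys config

# Check: server-side connection table entries towards a DC should now show
# the workstation's address as the server-side client address rather than a
# self IP. Assumed DC address 10.1.2.10.
tmsh show sys connection ss-server-addr 10.1.2.10
```

Because SNAT automap is typically what makes a VIP "just work" regardless of where the pool members sit, test the change one port at a time and have a rollback ready (`tmsh modify ltm virtual vs_ad_389 source-address-translation { type automap }`); if the DCs are on a segment with another gateway, connections will stall until their routing is fixed.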