For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Bryan_T_'s avatar
Bryan_T_
Icon for Cirrus rankCirrus
Sep 01, 2020

Load-balancing Active Directory - How to preserve Source IP

I'm load-balancing active directory port 389 and it's working great. The only issue is sometimes clients connect to the VIP and lockout the AD service-accounts. When they look at the domain-controlle...
application delivery
BIG-IP
iRules
  • Bryan_T_'s avatar
    Bryan_T_
    Icon for Cirrus rankCirrus
    Sep 02, 2020

    Thanks. That is interesting but doesn't really help in a practical sense as you won't be able to correlate the source ip with the BIND request that actually locked out the account.

    • Dario_Garrido's avatar
      Dario_Garrido
      Icon for Noctilucent rankNoctilucent
      Sep 02, 2020

      Hello Bryan.

       

      It's not possible to inject source IP into an AD request, the same way as with HTTP XFF.

      The only way is to disable automap.

       

      In the link shows an example of how to log AD queries by user/real-IP to an external syslog server. Maybe it's a higher level of complexity than you were looking for, but if you find a way to let AD to check those logs before taking the decission to lockout some user, that would be a way to workaround your issue.

       

      I know it's hard, but sometimes customer requirements are too unrealistic :-).

       

      Regards,

      Dario.