For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Julio_Medina's avatar
Julio_Medina
Icon for Nimbostratus rankNimbostratus
Aug 23, 2017

Send Client-IP to LDAP Server, not same subnet.

Hi,   I have a Virtual Server balancing to a couple of LDAP Servers, my question is, how can I send the client-IP to the LDAP Server considering that LDAP Server and Big-IP are in separate subnets...
application delivery
BIG-IP
LTM
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Aug 24, 2017

Hi Julio Medina,

 

you would need to implement Policy-Based-Routings (PBRs) to overwrite your routing infrastructure on the path between your LDAP servers and your F5. The mission of the PBR setup would be to forward every response from SRC_IP=YOUR_LDAP_SERVERS:389/636 to DST_IP=ANY:ANY always to your F5. After PBR is implemented you could remove SNAT on your Virtual Servers so that the LDAP Servers will see the original client IP again.

 

Note: PBRs are Routing-Tables overwrites, which can by used to capture traffic by providing a network based ACL and then forward any matching traffic to a given next-hop interface, MAC or IP. The difference to a regular Routing-Tables is that you can also use SRC_IPs, protocol and/or port information to choose the next-hop / gateway...

 

Cheers, Kai