Forum Discussion
Send original client IP to DCs
Hi. Can someone please tell me how to send the source IP in AD requests to the back-end domain controllers? We have DCs load balanced on a BIG-IP. When an AD request leaves the LTM it takes the LTM self IP and hits the domain controller; that's the default behaviour, and on the domain controller the LTM self IP is logged for the incoming request, as the authentication request originates from the LTM. Now we have a requirement to log the actual client IP on the back-end domain controllers, so that the actual client IP is recorded on the DCs. Can someone tell me how we can do that with an iRule or something else?
- Hamish
You'd be better off asking (or supplying) what information in an LDAP request AD can log. I'm not an AD expert...
- If the AD logs are limited to only having the source IP of the TCP connection in them, then your only option is to NOT SNAT them.
- If AD can be convinced to log the address extracted from TCP option 28 headers, then you can stuff the original IP into option 28 and do that. Here's an article from Jason Rahm on how to do the BIG-IP side of it (from back in 2011): "Accessing TCP Options".
- If AD can be convinced to log some other random piece of info in the LDAP query, you could try adding that to the query on the fly... That's probably not an option for the faint-hearted. But it'd be an interesting challenge.
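To make the TCP option 28 route concrete, here is an added example (not code from the thread, the linked article, or F5): a small Python parser that pulls the original client address out of the TCP options of a segment, together with a builder that constructs a SYN carrying that option so the parser can be exercised offline. It assumes the encoding commonly used with option 28, kind 28, length 6 and a 4-byte IPv4 address; the option kind, the constant names, and the sample ports and addresses are assumptions of this example, not something the post specifies. This is the kind of receiver-side logic a DC would need in front of its logging if it were ever "convinced" to log the option; Windows does not do this natively.

```python
import ipaddress
import struct

# Assumption for this example: the LTM inserts the original client IPv4
# address as TCP option kind 28, length 6 (kind, length, 4 address bytes).
CLIENT_IP_OPTION_KIND = 28


def build_tcp_header(src_port, dst_port, client_ip, mss=1460):
    """Build a minimal TCP SYN header that carries client_ip in option 28.

    Constructed purely so the parser below has realistic input; the
    sequence numbers and checksum are left at zero.
    """
    packed_ip = ipaddress.IPv4Address(client_ip).packed
    options = struct.pack("!BBH", 2, 4, mss)                       # MSS option
    options += struct.pack("!BB4s", CLIENT_IP_OPTION_KIND, 6, packed_ip)
    while len(options) % 4:                                        # pad to 32-bit words
        options += b"\x01"                                         # NOP
    data_offset = (20 + len(options)) // 4
    header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0, 0,                   # seq, ack
        data_offset << 4,       # data offset in upper 4 bits, reserved bits zero
        0x02,                   # flags: SYN
        65535, 0, 0,            # window, checksum, urgent pointer
    )
    return header + options


def parse_tcp_options(segment):
    """Return a list of (kind, payload) tuples from a TCP segment.

    Handles EOL (kind 0) and NOP (kind 1), and rejects truncated or
    malformed option lengths instead of reading past the option area.
    """
    if len(segment) < 20:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = segment[20:data_offset]
    result = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # No-operation padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return result


def original_client_ip(segment):
    """Return the IPv4 address carried in option 28, or None if absent."""
    for kind, payload in parse_tcp_options(segment):
        if kind == CLIENT_IP_OPTION_KIND and len(payload) == 4:
            return str(ipaddress.IPv4Address(payload))
    return None


if __name__ == "__main__":
    # Sample values are constructed for this example.
    syn = build_tcp_header(51234, 389, "203.0.113.45")
    print("options:", parse_tcp_options(syn))
    print("original client:", original_client_ip(syn))
```

Two caveats worth keeping in mind before building on this: option 28 is not an IANA-assigned kind for this purpose, so any middlebox between the LTM and the DC may strip or refuse it, and the option only appears on the segments where the LTM chooses to insert it (typically the SYN), so whatever consumes it has to capture that packet rather than the later LDAP or Kerberos payload.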