For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ashu_2116's avatar
Ashu_2116
Icon for Nimbostratus rankNimbostratus
Jan 24, 2019

Send original client IP to DCs

Hi Can someone please tell me how to send source IP in AD requests to back end Domain controllers? We have DCs load balanced on bigip. When a AD request leave the LTM it takes the LTM self IP & hits ...
application delivery
iRules
LTM
Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
Jan 24, 2019

You'd be better off asking (Or supplying), what information in an LDAP request can AD log? I'm not an AD expert...

 

  • If the AD logs are limited to only having the IP connections srcip in them, then your only option is to NOT SNAT them
  • If the AD can be convinced to log the address extracted from TCP Option 28 headers, then you can stuff the original IP in option28 and do that. Here's an article from Jason Rham on how to do the BigIP side of it (From back in 2011) Accessing TCP Options
  • If AD can be convinced to log some other random piece of info in the LDAP query, you could try adding that to the query, on the fly... That's probably not an option for the faint hearted. But it'd be an interesting challenge.