Load-balancing Active Directory - How to preserve Source IP

Question

I'm load-balancing active directory port 389 and it's working great. The only issue is sometimes clients connect to the VIP and lockout the AD service-accounts. When they look at the domain-controller logs the admins can't find the source-ip of the client because every request comes from the F5 self-ip (automap). How can the source-ip of the request either be logged or inserted into the AD traffic? If this were HTTP I would use the X-Forwarder-For header, but it's not HTTP.

Thank you

dario_garrido · Answer

Hello Bryan.&nbsp;Check this:https://devcentral.f5.com/s/question/0D51T00007BG1Pc/insert-client-ip-address-on-ldap-vs&nbsp;Regards,Dario.

bryan_t_ · Answer

Thanks. That is interesting but doesn't really help in a practical sense as you won't be able to correlate the source ip with the BIND request that actually locked out the account.

dario_garrido · Answer

Hello Bryan.&nbsp;It's not possible to inject source IP into an AD request, the same way as with HTTP XFF.The only way is to disable automap.&nbsp;In the link shows an example of how to log AD queries by user/real-IP to an external syslog server. Maybe it's a higher level of complexity than you were looking for, but if you find a way to let AD to check those logs before taking the decission to lockout some user, that would be a way to workaround your issue.&nbsp;I know it's hard, but sometimes customer requirements are too unrealistic :-).&nbsp;Regards,Dario.

Forum Discussion

Load-balancing Active Directory - How to preserve Source IP

3 Replies

Recent Discussions

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Need advise to setup a policy on F5

Web acceleration

What are the different phases in DevOps?

Related Content

Active/Active load balancing examples with F5 BIG-IP and Azure load balancer

NGINXaaS for Azure: Load Balancing

What is Load Balancing?

Load Balancing WebSockets

Transparent Load Balancing in Azure