Forum Discussion

Ashu_2116
Jan 24, 2019

Send original client IP to DCs

Hi, can someone please tell me how to send the source IP in AD requests to the back-end domain controllers? We have DCs load balanced on BIG-IP. When an AD request leaves the LTM it takes the LTM self IP and hits the domain controller; that's the default behaviour, and on the domain controller the LTM self IP is logged for the incoming request, as the authentication request originates from the LTM. Now we have the requirement to log the actual client IP on the back-end domain controllers, so the actual client IP could be logged on the DCs. Can someone tell me how we can do that with an iRule or something else?


1 Reply

  • Hamish

    You'd be better off asking (or supplying) what information in an LDAP request AD can log. I'm not an AD expert...


    • If the AD logs are limited to only having the IP connection's source IP in them, then your only option is to NOT SNAT them.
    • If AD can be convinced to log the address extracted from TCP option 28 headers, then you can stuff the original IP in option 28 and do that. Here's an article from Jason Rahm on how to do the BIG-IP side of it (from back in 2011): Accessing TCP Options
    • If AD can be convinced to log some other random piece of info in the LDAP query, you could try adding that to the query on the fly... That's probably not an option for the faint-hearted. But it'd be an interesting challenge.
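The second option above only helps if something on the domain-controller side can actually read the option back out of the SYN and put it in a log line. As an added example (not code from this thread, from F5, or from the linked article), here is the receiving side in Python: a TCP-options parser that walks the options area of a header, tolerates NOP/EOL padding, rejects malformed lengths, and pulls the original client IP out of option kind 28. It assumes the option payload is a 4-byte IPv4 address in network byte order (option length 6); that layout, the sample addresses, and the `log_line` format are constructed for the example, not taken from the page.

```python
import socket
import struct

# Option kind 28 is the number the thread mentions for carrying the client IP.
# Assumption for this example: its payload is a 4-byte IPv4 address.
ORIGINAL_IP_OPTION_KIND = 28
OPT_EOL, OPT_NOP = 0, 1


def build_tcp_header(options: bytes, src_port=51234, dst_port=389) -> bytes:
    """Assemble a minimal TCP SYN header carrying the given options.
    This is constructed test input, not a captured packet."""
    padded = options + b"\x00" * (-len(options) % 4)      # options area is 32-bit aligned
    data_offset_words = 5 + len(padded) // 4
    offset_flags = (data_offset_words << 12) | 0x002      # data offset + SYN flag
    base = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, offset_flags, 65535, 0, 0)
    return base + padded


def parse_tcp_options(header: bytes) -> list:
    """Return a list of (kind, payload) tuples from the TCP options area.
    Stops at End-of-Options, skips NOPs, and refuses bad lengths so a
    malformed SYN cannot make the parser read past the header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad data offset")
    opts = header[20:data_offset]
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def original_client_ip(header: bytes):
    """Return the IPv4 address carried in option 28, or None when absent."""
    for kind, payload in parse_tcp_options(header):
        if kind == ORIGINAL_IP_OPTION_KIND:
            if len(payload) != 4:
                raise ValueError("option 28 payload is %d bytes, expected 4" % len(payload))
            return socket.inet_ntoa(payload)
    return None


def log_line(header: bytes, peer_ip: str) -> str:
    """Build the log line a DC-side collector would want: the real client when
    option 28 is present, otherwise only the address the connection came from
    (which, behind a SNAT, is the LTM self IP)."""
    client = original_client_ip(header)
    if client is None:
        return "ldap bind from %s (no option 28; SNAT address only)" % peer_ip
    return "ldap bind from %s via %s" % (client, peer_ip)


# Constructed samples: one SYN with the option present, one without.
SAMPLE_OPTIONS = (bytes([OPT_NOP, ORIGINAL_IP_OPTION_KIND, 6])
                  + socket.inet_aton("203.0.113.45") + bytes([OPT_EOL]))
SAMPLE_HEADER = build_tcp_header(SAMPLE_OPTIONS)
SAMPLE_HEADER_NO_OPTION = build_tcp_header(b"")

if __name__ == "__main__":
    print(log_line(SAMPLE_HEADER, "10.0.0.5"))
    print(log_line(SAMPLE_HEADER_NO_OPTION, "10.0.0.5"))
```

The parser deliberately raises on a bad option length rather than silently skipping it, so a logging pipeline fed from a packet tap would surface malformed SYNs instead of attributing a bind to the wrong address; the fallback line makes it obvious when the option was never inserted and only the SNAT address is known.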