Preserve client IP and client certificate with SharePoint

Question

Using x-forwarded-for preserves the client IP but interferes with Common Access Card (CAC) authentication when using AUTOmap with a Standard vs.  We have switched to nPath routing for generic application servers to preserve both client IP and client certificate.  How or can we preserve both the source IP and client certificate for a Sharepoint application server (2010 and 2016)? Unfortunately an inline configuration is out of the question. Look forward to suggestions or recommended reading. &nbsp;
Sharepoint:&nbsp;
Client  (ip, CAC) &lt;--&gt;  LTM/VIP/pool  &lt;--&gt; Real Servers (CAC authentication)&nbsp;
nPath:&nbsp;
Client (ip, CAC) --&gt;   LTM/VIP/pool   --&gt; Real Servers (ip, CAC authentication)
    data returns to client via router &nbsp;

youssef1 · Answer

Hi,&nbsp;
the only way to provide the actual IP of the client is to switch to npath or put the F5 as GW for sharepoint servers.&nbsp;
If you set F5 as GW of your sharepoint server it can work but it's like inline...&nbsp;
For preserving CAC you have multiple choice:&nbsp;
you can swith your ssl termination on SharepointSSL proxy.Authenticate user on F5 side then uses Client Certificate Constrained Delegation (C3D) to support complete end-to-end encryption when interception of SSL traffic in a reverse proxy environment is required and when client certificates are used for mutual authentication.
Hope it will help you.&nbsp;

Forum Discussion

Preserve client IP and client certificate with SharePoint

1 Reply

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Automating ACMEv2 Certificate Management on BIG-IP

Re: Management Certificate

Automate Let's Encrypt Certificates on BIG-IP

APM Sharepoint authentication

My Security+ Certification Journey