Forum Discussion

aaperson_255899's avatar
aaperson_255899
Icon for Nimbostratus rankNimbostratus
Mar 20, 2019

Preserve client IP and client certificate with SharePoint

Using x-forwarded-for preserves the client IP but interferes with Common Access Card (CAC) authentication when using AUTOmap with a Standard vs. We have switched to nPath routing for generic application servers to preserve both client IP and client certificate. How or can we preserve both the source IP and client certificate for a Sharepoint application server (2010 and 2016)? Unfortunately an inline configuration is out of the question. Look forward to suggestions or recommended reading.

 

Sharepoint:

 

Client (ip, CAC) <--> LTM/VIP/pool <--> Real Servers (CAC authentication)

 

nPath:

 

Client (ip, CAC) --> LTM/VIP/pool --> Real Servers (ip, CAC authentication) data returns to client via router

 

  • Hi,

     

    the only way to provide the actual IP of the client is to switch to npath or put the F5 as GW for sharepoint servers.

     

    If you set F5 as GW of your sharepoint server it can work but it's like inline...

     

    For preserving CAC you have multiple choice:

     

    • you can swith your ssl termination on Sharepoint
    • SSL proxy.
    • Authenticate user on F5 side then uses Client Certificate Constrained Delegation (C3D) to support complete end-to-end encryption when interception of SSL traffic in a reverse proxy environment is required and when client certificates are used for mutual authentication.

    Hope it will help you.