Forum Discussion
Always connected VPN based on user type
I'm not aware of a way to do so with built-in F5 functions... but thinking creatively, you could use a combination of logon/logoff scripts in Active Directory (think GPO) and DNS resolution.
Create a logon script for the domain user(s) that adds an entry to the local hosts file ( and resolve it to whatever - 127.0.0.99). When the user logs off, have the logoff script remove that local hosts file entry.
Then on the F5, create a Connectivity Profile that builds the tunnel when resolves to the IP you specified above. In theory, when a domain user logs in, the VPN will be established. When a local user logs in, it will not. This is due to the availability of the name resolution.
Access -> Connectivity / VPN -> Connectivity -> Profiles -> [vpn profile name] -> Edit Profile -> Win/Mac Edge Client -> Location DNS List
There are other concerns here (such as if the user doesn't log off properly - but if it's not a security concern, it's just user training in all likelihood).
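The logon/logoff scripts described in the reply above, sketched as one PowerShell script; this is an added example, not part of the original post. The hostname `vpn-trigger.example.invalid` is a placeholder (the post's own name is not shown), and the script is assumed to run in a context that can write the hosts file, which a standard user cannot do by default.

```powershell
# Added example, not from the original post.
# Assumptions: $TriggerName is a placeholder hostname; the script runs in a
# context that is allowed to write the hosts file.
param(
    [Parameter(Mandatory)][ValidateSet('Add', 'Remove')][string]$Action,
    [string]$TriggerName = 'vpn-trigger.example.invalid',   # placeholder
    [string]$TriggerIp   = '127.0.0.99',                     # value from the post
    [string]$HostsPath   = "$env:SystemRoot\System32\drivers\etc\hosts"
)

$marker = '# managed: always-on VPN trigger'
$entry  = "$TriggerIp`t$TriggerName`t$marker"

# Read the current content; treat a missing file as empty.
$lines = @()
if (Test-Path -LiteralPath $HostsPath) {
    $lines = @(Get-Content -LiteralPath $HostsPath)
}

# Drop every active line that maps the trigger name. This makes Add idempotent
# and lets either action clean up an entry left by an unclean logoff.
$pattern = '^\s*\S+\s+' + [regex]::Escape($TriggerName) + '(\s|$)'
$kept = @($lines | Where-Object { $_ -notmatch $pattern })

if ($Action -eq 'Add') { $kept += $entry }

# Rewrite the file only when the content actually changed.
if (($kept -join "`n") -ne ($lines -join "`n")) {
    Set-Content -LiteralPath $HostsPath -Value $kept -Encoding ASCII
}

# Verify the end state so a failed write surfaces in the script's exit code.
$present = @(Get-Content -LiteralPath $HostsPath |
    Where-Object { $_ -match $pattern }).Count -gt 0
if (($Action -eq 'Add') -ne $present) {
    Write-Error "hosts entry for $TriggerName is in the wrong state after '$Action'"
    exit 1
}
```

Running it with `-Action Remove` at computer startup as well clears an entry left behind when a user did not log off properly.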