Forum Discussion
Edge Client (or Windows, really) was not designed for per-user L3-ish network isolation in this way. It's designed for individual Windows client PCs, not servers or RDS type sessions. It appears that AVD operates similarly to RDS, where users are all attached to the same network stack.
Microsoft seems to have a similar recommendation:
https://learn.microsoft.com/en-us/answers/questions/769421/vpn-clients-on-avd
Can you explain in more detail what you're trying to do with the VPN client? We can maybe offer alternative solutions such as configuring the BIG-IP to be an explicit proxy server and using windows per-user L5-ish HTTP proxy settings.
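The per-user HTTP proxy alternative mentioned above can be tried without touching the host's network stack. The following PowerShell is an added example, not code from the thread, from F5 or from Microsoft: it sets the WinINET proxy values for the signed-in user only (they live under HKCU, so each AVD session user gets their own), reads them back, and clears them again. The proxy hostname and port are placeholder assumptions; substitute whatever the BIG-IP explicit-proxy virtual server actually listens on.

```powershell
# Added example: per-user (WinINET, HKCU) HTTP proxy settings on a Windows session.
# The proxy host and port below are assumptions, not values from the thread.
$ProxyHost = 'bigip-proxy.example.internal'   # assumed explicit-proxy hostname
$ProxyPort = 3128                              # assumed explicit-proxy port
$KeyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-UserHttpProxy {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int]    $Port,
        [string] $Bypass = '<local>'   # '<local>' = do not proxy single-label local hostnames
    )
    # HKCU values apply only to the current user's session, which is the property
    # that matters on a multi-session host where the network stack itself is shared.
    Set-ItemProperty -Path $KeyPath -Name ProxyEnable   -Value 1 -Type DWord
    Set-ItemProperty -Path $KeyPath -Name ProxyServer   -Value "${Server}:${Port}" -Type String
    Set-ItemProperty -Path $KeyPath -Name ProxyOverride -Value $Bypass -Type String
}

function Get-UserHttpProxy {
    # Returns the three values so they can be inspected or logged for the session user.
    Get-ItemProperty -Path $KeyPath |
        Select-Object ProxyEnable, ProxyServer, ProxyOverride
}

function Clear-UserHttpProxy {
    # Disable and remove the per-user proxy again (e.g. at session end).
    Set-ItemProperty -Path $KeyPath -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $KeyPath -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $KeyPath -Name ProxyOverride -ErrorAction SilentlyContinue
}

# Usage: apply for this user, show the result, then remove when no longer needed.
Set-UserHttpProxy -Server $ProxyHost -Port $ProxyPort
Get-UserHttpProxy
# Clear-UserHttpProxy
```

Two caveats worth checking in the lab: these WinINET values are honoured by browsers and most user-mode HTTP clients, but not by services using the machine-wide WinHTTP proxy (`netsh winhttp show proxy`), which is shared by every session on the host; and a proxy only carries HTTP(S), so tools that need raw TCP or UDP into the client network (RDP, SSH, database ports) would still need a different path.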
Hi Lucas,
Thank you so much for your prompt and detailed response. I really appreciate the insights you’ve provided.
To give you more context, our company specializes in software development. As part of a broader project to modernize our IT infrastructure, we are planning a gradual migration to a fully cloud-based architecture built on Azure. This includes migrating our developers' workstations to an Azure Virtual Desktop (AVD) configuration.
Our developers frequently need to connect to our clients' private networks to deploy new software versions or provide support. Among our clients, some use BIG-IP to manage their network security. As a result, we need to use the BIG-IP Edge Client to connect to their networks. These are environments over which we have no control, so our only option is to use this solution to access their networks.
We are currently in a phase of the project where we are verifying all compatibility aspects, and my question in this forum was aimed at performing a preliminary feasibility check for this specific scenario.
Your advice to conduct thorough testing in a lab environment is invaluable, and we plan to follow that recommendation. If there’s any additional guidance or considerations we should keep in mind, especially given this context, we would be grateful.
Thank you again for your assistance!
Best regards,
Luca
---
This reply provides the requested information and maintains a professional and courteous tone.
- Lucas_Thompson, Aug 21, 2024, Employee
Super. This makes sense.
I think we have a pretty good argument in that Microsoft post that they don't recommend VPN clients in that environment. There seem to be the same kind of recommendations about Cisco Anyconnect, which uses similar architecture.
Another speculative consideration is that with both Edge Client and Cisco Anyconnect, we/they offer integration with a client-side security library called OPSWAT. This requires admin-level privileges on the workstation, and probably won't run correctly with user-permissions on a multi-session host like AVD or RDS.
Overall this sounds like a tough situation to work out. On the one hand the security provided by AVD is highly useful, but on the other it doesn't offer quite as much capability as a full Windows VM with an independent network stack.
- lalberti, Aug 23, 2024, Altostratus
Hi Lucas,
Thank you so much for your thorough explanation and for helping me see the full picture. It’s becoming clear that achieving this with our current setup might be more of a "mission impossible" than I originally anticipated—so thanks for making that crystal clear!
What you mentioned about using a full Windows VM with an independent network stack really got me thinking. It could be a practical workaround for us. I’m considering setting up a dedicated Windows machine specifically for those occasional tasks that require the VPN. Since these activities aren't constant, I think this solution might work well without needing continuous concurrent access.
I’ll definitely look into this further. Your advice has been incredibly helpful, and I appreciate you taking the time to share it!
Thanks again,
Luca