Forum Discussion
shashe
Cirrus
CirrusDevice posture check without F5 Access guard
Can I implement device posture check on APM for remote VPN users without having to deploy an additional software like F5 access guard? I am wondering if the edgeclient software can collect the endpoint info and pass it over to the APM for the initial auth req? I am not looking to check posture in realtime or per-req.
Thank you.
Hi shashe - some solid questions. I got rid of the spammer who replied to your post. I think James_Jinwon_Lee could answer your questions if nobody else chimes in.
- James_Jinwon_Lee
Employee
shashe APM also can collect limited device information from HTTP headers without additional S/W installation. However, if you need to collect detailed device information from the client, SW installation is required.
shasheJames_Jinwon_Lee Thanks for your response. can you please detail the information it collects? What device posture checks can I enforce without the need for additional s/w clients. We have a combination of MAC,windows, android and iphones.
Thanks.
- Nikoolayy1
MVP
Access Guard is for Per Reguest checks as the F5 Edge Client VPN agent is for session checks. As the F5 Edge client is like a browser it uses helper apps to check your device so I think that the client side checks will work even with clientless VPN/SSL VPN without Edge Client agent installed but I can't confirm like 100% but I think this is how it works:
https://community.f5.com/t5/technical-articles/creating-a-ssl-vpn-using-f5-full-webtop/ta-p/286314
https://support.f5.com/csp/article/K08285295
MaricelaOrtizNimbostratus
I'm not knowledgeable about it. However, I will let you know if I learn anything.
- Nikoolayy1
If you managed to get the needed answers, please flag the question as answered.
- shashe
I tested this with Fatclient but without Access Guard app. It works well with just fat client. In short: the fat client is enough to make these endpoint checks.
- Nikoolayy1
Yup, so I remembered correctly 🙂 . For session checks there is no need for Access Guard app. In the future if you decide to go zero-trust then Access Guard will be needed for per-request checks like shown in https://community.f5.com/t5/technical-articles/zero-trust-access-with-f5-identity-aware-proxy-and-crowdstrike/ta-p/292615 .
If you decidem you can mark the question as answered.
