
David_G__33241
Feb 19, 2015

Edge Client connection at Windows Logoff

We are migrating our employees to the Edge Client as our VPN solution for our corporate Windows laptops. When the employee needs to connect he manually launches the Edge Client and hits connect. They are used to this from the previous VPN client so no challenges here.

 

The issue we have is when the user has a problem and contacts the help desk. Often the agent will remote control the laptop with Dameware, and for some problems the agent will log off the user and log back into the Windows domain with an account that has admin privileges. This is necessary for some things such as deleting a corrupted Windows user profile. With our previous IPSec based VPN solution, the tunnel would stay up during the logoff/logon process. With the Edge Client, this is not the case. Once you log off, the tunnel drops. We have investigated solutions such as local accounts, etc. but this is not feasible. I need a way to keep the tunnel alive even if the user logs off Windows.

 

It sounds like I need the functionality that you get with Dialup Entry / Windows Logon Integration: “This dialup networking entry allows users to connect to the secure access connection from the Windows logon prompt, even before they log on to the local computer. One feature this option allows is that a user can authenticate to the corporate network before the user logs on to his computer.” Would this solve my problem? If so, it does sound like it would change the logon process, which I really do not want to do. Is there a way to dynamically change the logon process? For example, the help desk agent could do a run as administrator to modify the startup sequence of the laptop. Could putting something like “C:\Program Files\F5 VPN\f5fpclientW.exe /autolaunch” in the autoexec.bat (or whatever Windows uses) solve this problem? It would be acceptable to have the employee reboot with this new config, connect and then have the agent remote control the computer so that he could do what needs to be done.

 

I absolutely need this functionality and keeping the old VPN solution around just for support is not very appealing.

 

Thoughts?

 

APM 11.5.1 HF 7