Forum Discussion
F5 Access Guard Deprecated: ZTA APM
Since F5 Access Guard is deprecated and not supported on Win 11, newer browsers, and some versions of macOS, what is the replacement for posture checking when implementing a Zero Trust architecture using APM as an identity-aware proxy?
One major point of ZT is to do continuous posture checking of a client and the requests they are making--each and every one utilizing a per-request policy. Without this component, it seems like APM is not a great candidate for use.
What are others doing when using APM within their ZT network? Are they using 3rd-party solutions with an HTTP connector to evaluate the client/request for each and every request?
3 Replies
- momahdy
Employee
Hi Laser,
I'm working as PME for Access security and would like to answer the raised queries. I believe the answer can be summarized in the points below:
- F5 continues to develop in ZTNA as highlighted here: https://www.f5.com/solutions/use-cases/control-app-access-with-zero-trust. Currently, HTTP Connector can be used to fetch status and apply this to the user traffic on a per-request basis.
- For customers using Microsoft Entra ID and Intune, F5 integrates and extends compliance and endpoint checks to network and apps. The enforcement is applied per-identity based on feeds from Microsoft Intune / Entra ID.
- Stay tuned for Next Access and features support releases.
I hope I answered your raised points.
- heenakhanam0708
Altocumulus
Hello momahdy - So, if we can't use F5 Access Guard, then the implementation of device posture check using subroutines mentioned in this article is also void, right? https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-per-request-policies/implementing-device-posture-checks.html
Then, to implement this, should we follow these steps?
Zero Trust Access with F5 Identity Aware Proxy and Crowdstrike Falcon | DevCentral
or let me know if there is any other procedure to implement this?
- momahdy
Employee
Hello heenakhanam0708
Yes, Access Guard is no longer working. Some server-side posture monitoring is still supported; what is not supported is relying on Access Guard for the continuous monitoring. So, you can implement an initial posture check at the per-session level if needed at the start of the session, and some server-side monitoring at the per-request level.
The article you referenced should work if you have CrowdStrike or another 3rd party that performs continuous device posture assessment; then you can rely on HTTP Connector to fetch the status and extend the actions to the passing traffic.
I would recommend testing that with your Account / PS team, as the article looks to be from 2019, just in case there are any changes to the Windows registry keys used or the CrowdStrike APIs.
I hope this answers your query.