Forum Discussion

utahman3431_307
Feb 02, 2018

Forcing MFA to Get to Other Internal Resources With no VPN Tunnel

I have been given a task to provide a front end for system admins that want to RDP or SSH to servers in a secure server room. Up until now they have just connected directly to the server and logged in with their admin credentials.

The powers that be have requested that these users now use multi-factor authentication to connect to any server in the secure room. They have asked that we use our existing F5 setup and use APM to present users with a login page.

Would the best way to do this be using APM to give users a login page (AD and RSA logins) and then use a split tunnel setup with SNAT to have all traffic go through the F5 to the servers with ACLs limiting the ports that can be used in the connection?

What other options would I have with F5? Could an App tunnel help me here? I know the admins all use different apps for SSH access, but they should all be using MS RDP software for their RDP sessions.

Thanks for any suggestions that can be given!
