Forum Discussion

Cirrocumulus

Apr 22, 2021

irule for identifying corporate network..

I am setting up an always on machine tunnel solution using edge client.. but as the dns location isn´t working with the tunnel service I want to create an irule to use in the vpe that would check if ...

application delivery

BIG-IP Access Policy Manager (APM)

iRules

Nikoolayy1

MVP

Apr 22, 2021

EDIT:

Ah for this you don't even need the "ACCESS_POLICY_AGENT_EVENT" event as the EVENT "ACCESS_SESSION_STARTED" will do the job and in that event you can set a session variable like for example "session.vpn.private" and then in the Access policy use as I mentioned an “empty” object with a branch rule or you could just block users in the event "ACCESS_SESSION_STARTED" that are in the corporate network to start the VPN client similarly to what is shown below:

https://clouddocs.f5.com/api/irules/ACCESS_SESSION_STARTED.html

kimhenriksen
Cirrocumulus
Apr 28, 2021
Wouldn´t the subnet match accomplish the same thing ?
- Nikoolayy1
  MVP
  Apr 28, 2021
  Yes I forgot that there is such an agent, so you can test with it. Just be carefull to not hit a bug that I saw it was mentioned:
  
  https://support.f5.com/csp/article/K48423405
- kimhenriksen
  Cirrocumulus
  Apr 28, 2021
  it does work, but it´s kind of .. dumb(not finding other words at the moment hehe) for use in this case as i doesnt take anything else into consideration. the best would be to have a network location server (or something like it), if client can reach it no tunnel.. if it´s not there go ahead and connect.
- Nikoolayy1
  MVP
  Apr 28, 2021
  Have you added the DNS relay proxy service to see if you can use then the DNS autoconnect location awareness toggether with a split tunnel?
  
  https://support.f5.com/csp/article/K72735781