Forum Discussion

Patrice9078
Mar 24, 2020

VPN BIG-IP Edge client : firewall rules applied by BIG-IP Edge Client

We have established a VPN connection between a Windows client and a BIG-IP v15.

We are using the BIG-IP Edge Client, with network access.

 

According to table 3.5 in this document : https://support.f5.com/csp/article/K49720803#link_05_04

when "always connected" mode is enabled, the BIG-IP Edge Client applies firewall rules.

Is there any other feature that allows the BIG-IP Edge Client to apply firewall rules?

What kinds of rules are applied?

  • Yes, the BIG-IP APM system applies firewall rules (ACLs) for other types of VPN connections that do not use "always connected mode" (as part of the customized BIG-IP Edge Client download). You can configure this by applying ACL resources in the access policy for the VPN connection. However, this does not apply ACLs to the client device when the NA/VPN is not established. Please note that this functionality is unique to the "always connected" feature of the customizable Edge Client download package.

  • Thank you for your answer.

    With "always connected mode", we can choose the following option : "block all traffic when VPN is disconnected".

    According to your answer, the traffic is blocked thanks to ACLs. Can we specify exceptions by adding ACLs?

    Can we enable "allow local subnet" together with "always connected mode & block all traffic" when the VPN is disconnected?

  • This is done when creating the "Customize Windows Package".

    When logged on to the BIG-IP APM GUI go to:

    Access > Connectivity / VPN > Connectivity > Profiles.

    Select the profile for your "always connected mode".

    Click Customize Package.

    Select BIG-IP Edge Client.

    Under Exclusions List click Add.

     

    Per the help section:

    Exclusions list: The Exclusions list specifies addresses that are accessible when Block mode is configured. You can specify up to ten addresses. Addresses can be IPv4 addresses, IPv4 address:port pairs, or fully qualified domain names.

     

    If you are looking for a broader access for clients when they are disconnected from the VPN, you may want to consider using Allow-Only-In-Enterprise-LAN.

     

    Per the help section: Allow-Only-In-Enterprise-LAN - In this mode, traffic in the local network is allowed when the VPN is not connected. The local network is determined by configuring the Location DNS List in the Connectivity Profile.

     

    Once this is configured, the package will need to be downloaded and installed on the client device.

     

    Hope that helps.
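    The Exclusions list above accepts at most ten entries, each an IPv4 address, an IPv4 address:port pair, or a fully qualified domain name, and the dialog gives little feedback if you paste something else (a CIDR range, an IPv6 address, a duplicate). The script below is an added example, not F5 code and not part of this thread: it checks a candidate list against exactly those constraints from the quoted help text before you type it into the Customize Package dialog. The sample entries and hostnames are constructed for illustration; the script only checks syntax and does not talk to the BIG-IP or the client.

```python
"""Pre-check an Edge Client Exclusions list before entering it in the
Customize Package dialog.  Constraints come from the help text quoted in
the thread: at most ten entries, each an IPv4 address, an IPv4
address:port pair, or a fully qualified domain name.  Added example,
not F5 code; it checks syntax only.
"""
import ipaddress
import re

MAX_ENTRIES = 10  # "You can specify up to ten addresses"

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _is_fqdn(text):
    # Accept a trailing dot (absolute name) but require at least two labels
    # and a non-numeric top-level label so "1.2.3" is not taken for a name.
    name = text[:-1] if text.endswith(".") else text
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return False
    if not all(_LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def classify_entry(entry):
    """Return 'ipv4', 'ipv4:port' or 'fqdn'; raise ValueError otherwise."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    if ":" in entry:
        host, _, port = entry.partition(":")
        # IPv6 literals carry several colons; the help text allows IPv4 only.
        if ":" in port or not _is_ipv4(host):
            raise ValueError(f"{entry!r}: only IPv4 address:port pairs are allowed")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"{entry!r}: port must be 1-65535")
        return "ipv4:port"
    if _is_ipv4(entry):
        return "ipv4"
    if _is_fqdn(entry):
        return "fqdn"
    raise ValueError(f"{entry!r}: not an IPv4 address, IPv4:port pair or FQDN")


def validate_exclusions(entries):
    """Check a whole list.  Returns (accepted, problems): accepted is a list
    of (entry, kind) tuples, problems a list of human-readable strings."""
    accepted, problems, seen = [], [], set()
    for raw in entries:
        try:
            kind = classify_entry(raw)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        key = raw.strip().lower()
        if key in seen:
            problems.append(f"{raw.strip()!r}: duplicate entry")
            continue
        seen.add(key)
        accepted.append((raw.strip(), kind))
    if len(accepted) > MAX_ENTRIES:
        problems.append(f"{len(accepted)} entries exceed the limit of "
                        f"{MAX_ENTRIES}; drop {len(accepted) - MAX_ENTRIES}")
    return accepted, problems


if __name__ == "__main__":
    # Constructed sample list with hypothetical hosts, not taken from the thread.
    sample = [
        "10.1.2.3",         # IPv4
        "10.1.2.4:443",     # IPv4:port
        "vpn.example.com",  # FQDN
        "10.1.2.0/24",      # CIDR range: not allowed in this list
        "2001:db8::1",      # IPv6: not allowed
        "10.1.2.3",         # duplicate
        "10.1.2.5:70000",   # port out of range
    ]
    ok, bad = validate_exclusions(sample)
    for entry, kind in ok:
        print(f"OK   {entry:<20} {kind}")
    for problem in bad:
        print(f"FAIL {problem}")
```

    Run it against the list you intend to paste into the dialog; anything reported under FAIL would either be rejected by the package builder or silently fail to give the client an exception while Block mode is active, so fix those entries first. Note that a subnet cannot be expressed here at all, which is why the Allow-Only-In-Enterprise-LAN mode described next exists.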

     

  • Thank you. It helps and raises the following question: what is the difference between "allow-only-in-enterprise-LAN" and "allow local subnet"?