Forum Discussion
VPN BIG-IP Edge Client: firewall rules applied by BIG-IP Edge Client
We have established a VPN connection between a Windows client and a BIG-IP v15.
We are using the BIG-IP Edge Client with network access.
According to table 3.5 in this document: https://support.f5.com/csp/article/K49720803#link_05_04
when "always connected" mode is enabled, the BIG-IP Edge Client applies firewall rules.
Is there any other feature that allows the BIG-IP Edge Client to apply firewall rules?
What kind of rules are applied ?
- Kurt_Erickson (Employee)
Yes, the BIG-IP APM system applies firewall rules (ACLs) for other types of VPN connections that do not use "always connected mode" (as part of the customized BIG-IP Edge Client download). You can configure this by applying ACL resources in the access policy for the VPN connection. However, this does not apply ACLs to the client device when the NA/VPN is not established. Please note that this functionality is unique to the "always connected" feature of the customizable Edge Client download package.
- Patrice9078 (Nimbostratus)
Thank you for your answer.
With "always connected mode", we can choose the following option : "block all traffic when VPN is disconnected".
According to your answer, the traffic is blocked thanks to ACLs. Can we specify exceptions by adding ACLs?
Can we enable "allow local subnet" together with "always connected mode" and "block all traffic when VPN is disconnected"?
- Kurt_Erickson (Employee)
This is done when creating the "Customize Windows Package".
When logged on to the BIG-IP APM GUI go to:
Access > Connectivity / VPN > Connectivity > Profiles.
Select the profile for your "always connected mode".
Click Customize Package.
Select BIG-IP Edge Client.
Under Exclusions List click Add.
Per the help section:
Exclusions list: The Exclusions list specifies addresses that are accessible when Block mode is configured. You can specify up to ten addresses. Addresses can be IPv4 addresses, IPv4 address:port pairs, or fully qualified domain names.
If you are looking for a broader access for clients when they are disconnected from the VPN, you may want to consider using Allow-Only-In-Enterprise-LAN.
Per the help section: Allow-Only-In-Enterprise-LAN - In this mode, traffic in the local network is allowed when the VPN is not connected. The local network is determined by configuring the Location DNS List in the Connectivity Profile.
Once this is configured, the package will need to be downloaded and installed on the client device.
Hope that helps.
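The help text quoted above fixes three constraints on the Exclusions list: at most ten entries, and each entry an IPv4 address, an IPv4 address:port pair, or a fully qualified domain name. The following is an added example, not code from the thread or from F5: a small Python pre-check that validates a candidate list against those constraints before it is pasted into the Customize Package dialog, so that an unsupported form (IPv6, a CIDR prefix, a wildcard name) is caught before the package is built and pushed to clients. The treatment of entries the help text does not mention (IPv6, CIDR, wildcards, single-label names, duplicates) is an assumption made here, and the sample list is constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# From the quoted help text: "You can specify up to ten addresses."
MAX_EXCLUSIONS = 10

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample list for the example; the last entry repeats the third one.
SAMPLE_EXCLUSIONS = [
    "10.1.2.3",              # IPv4 address
    "10.1.2.3:443",          # IPv4 address:port pair
    "updates.example.com",   # FQDN
    "fe80::1",               # IPv6: not listed as supported (assumption: reject)
    "10.1.2.0/24",           # CIDR prefix: not listed as supported (assumption: reject)
    "updates.example.com",   # duplicate (assumption: reject rather than waste a slot)
]


def _is_ipv4(s: str) -> bool:
    """Dotted-quad IPv4 with four 0-255 octets and no leading zeros."""
    parts = s.split(".")
    if len(parts) != 4:
        return False
    for p in parts:
        if not p.isdigit() or len(p) > 3:
            return False
        if int(p) > 255 or (len(p) > 1 and p[0] == "0"):
            return False
    return True


def _is_port(s: str) -> bool:
    return s.isdigit() and 1 <= int(s) <= 65535


def _is_fqdn(s: str) -> bool:
    """At least two valid labels, total length <= 253, and a non-numeric TLD
    (so that a malformed dotted quad such as 256.1.1.1 is not accepted as a name)."""
    if len(s) > 253:
        return False
    labels = s.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(_LABEL.match(label) for label in labels)


def classify(entry: str) -> Optional[str]:
    """Return 'ipv4', 'ipv4:port' or 'fqdn', or None when the entry matches
    none of the three forms the help text lists."""
    e = entry.strip()
    if _is_ipv4(e):
        return "ipv4"
    if e.count(":") == 1:
        host, port = e.split(":")
        return "ipv4:port" if _is_ipv4(host) and _is_port(port) else None
    if _is_fqdn(e):
        return "fqdn"
    return None


def validate_exclusions(entries: List[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (accepted, problems). Unsupported forms and duplicates go to
    problems; the ten-entry limit is reported as a problem as well."""
    accepted: List[Tuple[str, str]] = []
    problems: List[str] = []
    seen = set()
    for raw in entries:
        e = raw.strip()
        kind = classify(e)
        if kind is None:
            problems.append(f"{raw!r}: not an IPv4 address, IPv4 address:port pair, or FQDN")
            continue
        if e.lower() in seen:
            problems.append(f"{raw!r}: duplicate entry")
            continue
        seen.add(e.lower())
        accepted.append((e, kind))
    if len(accepted) > MAX_EXCLUSIONS:
        problems.append(f"{len(accepted)} entries exceed the limit of {MAX_EXCLUSIONS}")
    return accepted, problems


if __name__ == "__main__":
    ok, bad = validate_exclusions(SAMPLE_EXCLUSIONS)
    for entry, kind in ok:
        print(f"accept  {entry:<24} ({kind})")
    for msg in bad:
        print(f"reject  {msg}")
```

Running it on the constructed list accepts the first three entries and rejects the IPv6 address, the CIDR prefix and the duplicate. Whether the GUI itself tolerates any of the rejected forms is not stated in the help text quoted above; the check only enforces what that text guarantees.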
- Patrice9078 (Nimbostratus)
Thank you. It helps, and it raises the following question: what is the difference between "Allow-Only-In-Enterprise-LAN" and "allow local subnet"?