Forum Discussion
Edouard
Cirrus
CirrusVPN restrictions to domain computers
Greetings,
Please do you know if there is a way Edge client can restrict VPN access to only domain computers.
Thanks,
Edouard.
- Nikoolayy1
MVP
If you want to check if the computer is a member you can check this post for the use of ad machine sert or Registry Check object https://devcentral.f5.com/s/question/0D51T00006i7Xzw/is-it-possible-to-have-big-ip-apm-portal-access-to-check-computer-membership . The windows team can auto load a reg key or a new machine cert on currently joining computers.
For more info about the inspection:
https://support.f5.com/csp/article/K15302653
If you want to block even domain computers if they try to connect but are not currently logged to the domain before starting the VPN without the use of SAML or NTLM Auth (I think maybe this is not case as it is too rare and you want only to check if they are doman computers).. You can just block the source IP that are not in the subnet that is provided by your DHCP/AD server. Maybe also you can block the users by inspecting if a local application like DLP or so on is not working and this aplication only works, when the computer is in the the domain but better ask the windows/worstation support team for such options. Maybe the windows team can add a script to the machines that checks the location Awareness log and make a change on a Registry key that F5 after that checks ?
- Edouard
Hi Nikoolayy, do you believe I can restrict VPN access to domain joined computers using F5 Edge inspection components so we can check if the computer is domain joined before permitting access ?
BIG-IP Edge Client operations guide | Chapter 6: Endpoint inspection (f5.com)
Thanks,
- Nikoolayy1
From what I think you should test NTLM or Kerberos authentication options https://support.f5.com/csp/article/K03010204 or https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/9.html / https://support.f5.com/csp/article/K43063049 . As in this case only the domain computers will have access.
If you want you can also set edge client client to use the windows credentials but this will still allow company computers that are curently not in the domain to enter but I am just mentioning this https://support.f5.com/csp/article/K14964 as you can make also the computers to always start their VPN when booting so that the user will never be able to use the computers without VPN started as written in https://support.f5.com/csp/article/K24416258
Just a note, also after the customers log into the Edge Client and the VIP with network access they will still internally be redirected to a VIP if they try to access it and that VIP can have an access profile with Kerberos / NTLM .
