Forum Discussion

jsilvestre1
Nov 13, 2024

SSL VPN and Machine Cert Inspection

Hi everyone,

I'm working on implementing an SSL VPN with machine certificate inspection for secure access to VPN resources. However, I'm hoping to achieve this without using an agent, which is why I’m reaching out to the community for insights.

I understand that agentless setups might be limited, but I wanted to confirm if there’s a way to achieve this without endpoint agents. If anyone has experience or guidance on possible approaches, it would be greatly appreciated.

Thanks in advance for your help!

7 Replies

  • You would need at least the plugin to be able to use machine certificates.
    An equivalent way, if you use Intune, would be to consume Intune compliance inside your policy.

  • Hello!

    Implementing an F5 SSL VPN with machine certificate inspection without using an agent can be challenging but is possible with the right configuration. One approach is to utilize the F5 BIG-IP Access Policy Manager (APM) which supports clientless VPN access and can perform machine certificate inspection. This can be achieved through the use of the BIG-IP APM web portal, where the certificate inspection is managed by the VPN gateway rather than an endpoint agent.

    To implement this, you would need to configure the BIG-IP APM to require certificate-based authentication for access to the VPN. During the SSL handshake process, the APM can check for valid machine certificates. This setup will involve careful configuration of your certificate authority (CA) and certificate distribution to ensure that only devices with valid machine certificates can establish a connection.

    Additionally, integrating a robust Public Key Infrastructure (PKI) is essential. This will help manage and distribute machine certificates effectively, even in an agentless environment. Ensure that your network policies are enforced to verify machine certificates before granting access, which can be done through the BIG-IP APM’s access policies.

    While these approaches can help achieve your goal without endpoint agents, you should be aware of potential limitations in terms of granularity of control and visibility compared to agent-based solutions. Make sure to thoroughly evaluate the security and user experience implications of your chosen method.

  • Mrad

    Hello all,
    Does anyone have the configuration of SSL VPN with machine certificate authentication with the BIG-IP Edge Client?

    • What config do you need?

      You just need to enable the Machine Certificate Checker Service in the connectivity profile and add Machine Cert Auth in the visual policy.
      Keep in mind that if the user does not have admin privileges, they will not be able to use the private key, and the Found branch will be followed in Machine Cert Auth.

      • Mrad

        Thank you for your reply. I have little experience with the F5 APM. What I did is create a VS, access profile, network access with lease pool, and connectivity profile.
        My VPE is logon page -> AD -> resource assign (webtop, network resource) -> allow.
        I am able to connect to the VPN from the BIG-IP Edge Client (and from the portal). Now I need to add the machine certificate authentication on the Edge Client. What else should I configure in the VPE policy in order to add the machine cert authentication? And where should I upload the certificate on the F5 in order to check the validity of the machine certificate?