In a previous article we discussed how to configure the BIG-IP as an SSL VPN solution; it can be found here: https://devcentral.f5.com/s/articles/creating-a-ssl-vpn-using-f5-full-webtop-30146. I wanted to take this a bit further by adding security to that solution: requiring certain endpoint settings, services or even updates to be in place before allowing access to internal resources. So, let's get started.
Now that you have saved your organization a ton of money by using the existing F5 BIG-IP in your data center as a VPN solution rather than investing in yet another security appliance, and leadership thinks you're a hero, your local IA (information assurance) shop steps in and says, "we still need a security device to apply network access controls prior to allowing access. Go out and find a NAC solution, and by the way, there's no money!"
At this point let's be honest, you only know what you know so you decide to go to your handy dandy search engine to identify a NAC solution. Others who have deployed F5 as a VPN solution have to have used a third-party solution, right? So we start with my personal favorite search method "NAC site:f5.com."
OK, cool, there's an article on F5.com discussing my exact use case. No way, F5 provides endpoint security? Let's check it out. In the VPE (Visual Policy Editor) you built for the remote access solution, follow your workflow and select Add Item after the point where the user has successfully authenticated against directory services. Then select the Endpoint Security (Client-Side) tab and, boom, this is exactly what you need!
In further discussions with the IA team, they require at a minimum that Windows Firewall be enabled and that the organization's approved antivirus program be installed and up to date. We can see from the Endpoint Security tab that you can configure antivirus and firewall checks, but can it really be so granular that it will let me identify Windows Firewall and McAfee AV specifically? Only one way to find out, so let's get to it.
Client-Side Antivirus Checks
We will start with AV, validating that the workstation or mobile device is running McAfee VirusScan Professional version 9, that it is enabled, and that it has the latest DAT file, identified here as 8624.
Once you have selected Add Item, chosen Antivirus from the Endpoint Security (Client-Side) tab and clicked Add Item, you will be presented with a second pop-up that lets you define the antivirus requirements a workstation must meet to connect.
In the Platform field, select Win for this use case.
Next, for Vendor ID, select McAfee, Inc. from the drop-down.
As you can see, the vendor list contains many more antivirus vendors than just the typical major products, so no need to worry if you are using something like Avast or AVG; we have you covered!
Select the Product ID from the drop-down as I have done in the screenshot below.
For State, select Enabled from the drop-down.
The last field, DB Version, is optional and requires manual entry; for this use case enter 8624. Keep in mind that AV vendors publish new signature databases very frequently (McAfee DATs daily), so any value you pin here is a moving target: plan to update it regularly, or leave the field empty and rely on the Enabled state check, otherwise otherwise-compliant clients will start failing the check as soon as the next DAT ships.
Note: as the screenshot above shows, administrators also have the option of continuously checking for compliance with this requirement, so that compliance is re-evaluated during the session rather than only at logon.
Select Save and the antivirus item will be added to your VPE.
Client-Side Firewall Checks
Next, we will add our firewall check, which validates that Windows Firewall is enabled. In the event the client-side check fails, we will redirect the user to the Microsoft support page on how to enable this service rather than issuing an immediate deny.
We'll begin the same as with the AV portion by selecting Add Item between Antivirus and Advanced Resource Assign.
Once the pop-up displays, select Endpoint Security (Client-Side) and Add Item which will display a second pop-up allowing you to define firewall requirements.
From the Platform drop down select Win.
From the Vendor ID drop-down, select Microsoft Corp.
For Product ID, select Microsoft Windows Firewall 10.x, 7, 8, 8.1, Vista, XP SP2+.
For State, select Enabled and click Save at the bottom of the page.
Modifying Our Access Policy to Utilize Client-Side Checks
Now that we have defined client requirements for AV and firewall, we will change the fallback ending of the firewall check to a redirect, as described earlier in this article. Note that Redirect is still a non-Allow ending: the policy never reaches Advanced Resource Assign on that branch, so the user gets no resources, just a more helpful landing page than a bare deny.
Navigating back to your VPE, select Edit Endings at the top left of the screen.
Click Add Ending.
For visual assistance and troubleshooting we will rename the ending to Firewall Redirect to Microsoft.
Select the Redirect radio button.
Insert the URL you want to redirect the user to. In this case we will use https://support.microsoft.com/en-us/help/4028544/windows-turn-windows-firewall-on-or-off, the Windows support page.
Select the color (pen) option and choose a color different from the existing Allow and Deny endings.
Next we will change the existing Deny ending on the firewall branch to the redirect ending created in the previous step.
Navigating back to the VPE, select the Deny ending that follows the fallback branch of the Firewall check and change it to Firewall Redirect to Microsoft.
Once you have completed all of the previous steps your VPE should look like the one below.
Apply the access policy by selecting Apply Access Policy from the top left and it's time for testing!
Validating New Client Side Checks
From the workstation you will be using to test this functionality, begin by launching the Webtop URL from an internet browser and logging in.
During the logon process, you will now see the checks put in place during the previous steps.
Because I currently have my Windows FW disabled I will be directed to the Microsoft support page on how to enable my Windows firewall service.
Once enabled, I attempt to log into my remote access Webtop and, voilà, I'm in!
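When a check fails during testing, it helps to see from the workstation's side what the firewall and antivirus state actually look like before blaming the policy. The script below is an added example, not part of the original article and not F5 or McAfee code. It reads the same three facts the two checks above care about: whether every Windows Firewall profile is on, whether the expected AV vendor is registered with Windows Security Center as enabled and current, and the McAfee DAT version to compare against the DB Version field. Assumptions: it needs PowerShell 3 or later on Windows 8/Server 2012 or later (for `Get-NetFirewallProfile`); the decoding of the `productState` DWORD is the common community interpretation rather than anything Microsoft documents; and the `AVDatVersion` registry value is where VirusScan Enterprise 8.x publishes the DAT number, other McAfee products may store it elsewhere, so a missing key is reported as unknown rather than as a failure.

```powershell
# Pre-flight check for the APM client-side requirements in this article.
# Added example (not F5 or McAfee code). Run in an elevated PowerShell session
# (PowerShell 3+ on Windows 8/Server 2012 or later) on the test workstation.

param(
    # DAT version the AV check expects; 8624 is the value used in the article.
    [int]$ExpectedDatVersion = 8624,
    # Vendor name fragment for the AV check (McAfee, Inc. in the article).
    [string]$ExpectedVendor = 'McAfee'
)

$results = [ordered]@{}

# 1. Firewall: the Windows Firewall check passes only when the firewall is on.
#    Get-NetFirewallProfile returns one object per profile (Domain/Private/Public);
#    treat the endpoint as compliant only if every profile is enabled.
$profiles = @(Get-NetFirewallProfile)
foreach ($fw in $profiles) {
    Write-Host ("Firewall {0,-8} : {1}" -f $fw.Name, $(if ($fw.Enabled) { 'ON' } else { 'OFF' }))
}
$results['Windows Firewall enabled'] = (@($profiles | Where-Object { -not $_.Enabled }).Count -eq 0)

# 2. Antivirus: Windows Security Center registers each AV product in
#    root\SecurityCenter2. productState is a packed DWORD; the decoding below is
#    the common community interpretation (assumption, not documented by Microsoft):
#      hex digits 3-4: 10 or 11 = real-time protection on, 00 or 01 = off
#      hex digits 5-6: 00 = signatures current, 10 = out of date
$avProducts = @(Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
$vendorFound = $false; $vendorEnabled = $false; $vendorCurrent = $false
foreach ($av in $avProducts) {
    $hex     = '{0:X6}' -f [int]$av.productState
    $enabled = $hex.Substring(2, 2) -in @('10', '11')
    $current = $hex.Substring(4, 2) -eq '00'
    Write-Host ("AV {0,-40} enabled={1,-5} signaturesCurrent={2,-5} (productState=0x{3})" -f $av.displayName, $enabled, $current, $hex)
    if ($av.displayName -like "*$ExpectedVendor*") {
        $vendorFound = $true
        if ($enabled) { $vendorEnabled = $true }
        if ($current) { $vendorCurrent = $true }
    }
}

# 3. McAfee DAT version for the DB Version field. The registry value below is
#    where VirusScan Enterprise 8.x publishes it (assumption for other McAfee
#    products); a missing key is reported as unknown rather than failing.
$dat = $null
foreach ($key in 'HKLM:\SOFTWARE\McAfee\AVEngine', 'HKLM:\SOFTWARE\Wow6432Node\McAfee\AVEngine') {
    $val = Get-ItemProperty -Path $key -Name AVDatVersion -ErrorAction SilentlyContinue
    if ($val) { $dat = [int]$val.AVDatVersion; break }
}
Write-Host ("McAfee DAT version : {0}" -f $(if ($dat) { $dat } else { 'unknown' }))

$results['AV vendor registered']          = $vendorFound
$results['AV enabled']                    = $vendorEnabled
$results['AV signatures current']         = $vendorCurrent
$results["DAT >= $ExpectedDatVersion"]    = ($null -ne $dat) -and ($dat -ge $ExpectedDatVersion)

# Summary: one PASS/FAIL line per requirement, non-zero exit if anything failed,
# so the script can be dropped into a helpdesk or build-validation workflow.
Write-Host "`nSummary (what the APM checks should see):"
$allPass = $true
foreach ($name in $results.Keys) {
    if (-not $results[$name]) { $allPass = $false }
    Write-Host ("  {0,-32} {1}" -f $name, $(if ($results[$name]) { 'PASS' } else { 'FAIL' }))
}
exit $(if ($allPass) { 0 } else { 1 })
```

Run it as `.\Check-ApmEndpoint.ps1` (or with `-ExpectedDatVersion` and `-ExpectedVendor` overridden) on the workstation that keeps landing on the redirect page. Two caveats: the APM client inspector uses its own product database to identify vendors and versions, so what Windows Security Center reports is an approximation of what the BIG-IP sees, not the same engine; and the DAT comparison here is "at least the expected version", so if you pinned an exact value in the DB Version field, check that field's behaviour in your APM version before treating a PASS here as proof the policy will pass.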
Just like that you are a hero again!
I hope this was helpful to those looking at remote access solutions who may already have F5 in their data center or DMZ. This article is limited to firewall and antivirus checks, but there is so much more. See a complete list of client-side and server-side checks below. Until next time!