Forum Discussion

NS_CGK's avatar
NS_CGK
Icon for Nimbostratus rankNimbostratus
Apr 21, 2020

Always Connected VPN with Windows Hello for Business

The current workplace configuration in our company uses the logon credentials provided by the end user at the logon screen to establish a limited user tunnel for management purposes.

 

New workplaces are being provisioned and use bio-metrics to log on instead, using Microsoft Hello for Business technology.

Because no user account is provided at the logon screen in this scenario, no credentials exist that can be reused by the Edge Client.

 

The obvious solution to this is to remove the requirement for credentials altogether, and establish the tunnel using the certificate only.

This feels as taking a step back from the security perspective.

 

The question I have is: is there another factor that can be used by the F5 Big-IP Edge Client, in addition to the valid user certificate, to establish the tunnel to the corporate network without requiring manual user intervention? (the last bit being very important)

 

3 Replies

  • We want to implement this as well. In more detail we want to be able to read the information from the TPM chip that Windows Hello For Business puts there to retrieve the credentials from the user. Is F5 APM or the BIG-IP Edge client already able to do that?

  • ​Hello, from what I can tell features to support use cases like this are currently in development, but I can not speak to Hello for Business specifically. That said though we do have and RFE to support this specific use case, ID 866041 "[RFE] [Edge] Support logon integration with Windows Hello."

  • We are also interested in using WHB with our Big-IP Client. Have you made progress around this? Looks like as of 8/21 there still was no solution at least according to this.

    https://support.f5.com/csp/article/K45075369