CirrusCan I implement device posture check on APM for remote VPN users without having to deploy an additional software like F5 access guard? I am wondering if the edgeclient software can collect the endpoint info and pass it over to the APM for the initial auth req? I am not looking to check posture in realtime or per-req.
Thank you.
Hi shashe - some solid questions. I got rid of the spammer who replied to your post. I think James_Jinwon_Lee could answer your questions if nobody else chimes in.
Employeeshashe APM also can collect limited device information from HTTP headers without additional S/W installation. However, if you need to collect detailed device information from the client, SW installation is required.
CirrusJames_Jinwon_Lee Thanks for your response. can you please detail the information it collects? What device posture checks can I enforce without the need for additional s/w clients. We have a combination of MAC,windows, android and iphones.
Thanks.
MVPAccess Guard is for Per Reguest checks as the F5 Edge Client VPN agent is for session checks. As the F5 Edge client is like a browser it uses helper apps to check your device so I think that the client side checks will work even with clientless VPN/SSL VPN without Edge Client agent installed but I can't confirm like 100% but I think this is how it works:
https://community.f5.com/t5/technical-articles/creating-a-ssl-vpn-using-f5-full-webtop/ta-p/286314
https://support.f5.com/csp/article/K08285295
NimbostratusI'm not knowledgeable about it. However, I will let you know if I learn anything.
MVPIf you managed to get the needed answers, please flag the question as answered.
CirrusI tested this with Fatclient but without Access Guard app. It works well with just fat client. In short: the fat client is enough to make these endpoint checks.
MVPYup, so I remembered correctly 🙂 . For session checks there is no need for Access Guard app. In the future if you decide to go zero-trust then Access Guard will be needed for per-request checks like shown in https://community.f5.com/t5/technical-articles/zero-trust-access-with-f5-identity-aware-proxy-and-crowdstrike/ta-p/292615 .
If you decidem you can mark the question as answered.
