Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 

Device posture check without F5 Access guard


Can I implement device posture check on APM for remote VPN users without having to deploy an additional software like F5 access guard? I am wondering if the edgeclient software can collect the endpoint info and pass it over to the APM for the initial auth req? I am not looking to check posture in realtime or per-req. 


Thank you.


Community Manager
Community Manager

Hi @shashe - some solid questions. I got rid of the spammer who replied to your post. I think @James_Jinwon_Lee could answer your questions if nobody else chimes in. 

@shashe APM also can collect limited device information from HTTP headers without additional S/W installation.  However, if you need to collect detailed device information from the client, SW installation is required. 

@James_Jinwon_Lee Thanks for your response. can you please detail the information it collects? What device posture checks can I enforce without the need for additional s/w clients. We have a combination of MAC,windows, android and iphones. 



@shashe F5 APM supports two types of endpoint posture checks as a policy in the VPE(Visual Policy Editor), 'Client-Side' and 'Server-Side'. For the 'Client-Side' check, we need to install 'Endpoint Inspection' S/W to check the specific information from the client machine. So, in this method, APM can do detail checking such as file existence, AV status, Windows registry and etc. However, for the 'Server-Side' check, we use the header and other network telemetry data we can collect from the request. Thus, the information we can check in this method is quite limited, such as IP geolocation, IP reputation, client OS, browser type and etc. 

@James_Jinwon_Lee  Do I need to pay any license for that inspection software? Also, where can I download it?



Access Guard is for Per Reguest checks as the F5 Edge Client VPN agent is for session checks. As the F5 Edge client is like a browser it uses helper apps to check your device so I think that the client side checks will work even with clientless VPN/SSL VPN without Edge Client agent installed but I can't confirm like 100% but I think this is how it works:



I'm not knowledgeable about it. However, I will let you know if I learn anything.

If you managed to get the needed answers, please flag the question as answered.

I tested this with Fatclient but without Access Guard app. It works well with just fat client. In short: the fat client is enough to make these endpoint checks.

Yup, so I remembered correctly 🙂 . For session checks there is no need for Access Guard app. In the future if you decide to go zero-trust then Access Guard will be needed for per-request checks like shown in .


If you decidem you can mark the question as answered.