Can I implement a device posture check on APM for remote VPN users without having to deploy additional software like F5 Access Guard? I am wondering if the Edge Client software can collect the endpoint info and pass it over to the APM for the initial auth req? I am not looking to check posture in real time or per-req.
@shashe F5 APM supports two types of endpoint posture checks as a policy in the VPE (Visual Policy Editor): 'Client-Side' and 'Server-Side'. For the 'Client-Side' check, we need to install 'Endpoint Inspection' S/W to check the specific information from the client machine. So, in this method, APM can do detailed checking such as file existence, AV status, Windows registry, etc. However, for the 'Server-Side' check, we use the header and other network telemetry data we can collect from the request. Thus, the information we can check in this method is quite limited, such as IP geolocation, IP reputation, client OS, browser type, etc.
Access Guard is for per-request checks, as the F5 Edge Client VPN agent is for session checks. As the F5 Edge Client is like a browser, it uses helper apps to check your device, so I think that the client-side checks will work even with clientless VPN/SSL VPN without the Edge Client agent installed, but I can't confirm like 100%, but I think this is how it works:
Yup, so I remembered correctly 🙂. For session checks there is no need for the Access Guard app. In the future, if you decide to go zero-trust, then Access Guard will be needed for per-request checks, as shown in https://community.f5.com/t5/technical-articles/zero-trust-access-with-f5-identity-aware-proxy-and-cr... .
If you decide, you can mark the question as answered.