Forum Discussion

shashe's avatar
shashe
Icon for Cirrus rankCirrus
Dec 25, 2022

How do I allow VPN connections from Edgeclients only?

On my Big-IP 16.1.2 APM-VE, I enabled fatclient check policy that is checking for the follwoing client types:

Expression: Client type is Portal Client
OR  Client type is Standalone Client
OR  Client type is Standalone Client AND  Client App ID is F5 Access Client

The fallback option goes to deny page. I want to block all scanning attempts and only legitimate attempts that are originating from Edge clients. However, after implementing this policy, I am showing multiple legit users getting blocked erroneously. when looked at the session ID, I don't see any cleint type in the received info. But, I see MacEdgeClient/xxxx in the user-agent string. The same user when he reattempts to connect, big-IP is picking up the client type as standalone and allowing it. 
What should I do in this case to correctly match the user machines?

TIA.
 

5 Replies

    • shashe's avatar
      shashe
      Icon for Cirrus rankCirrus

      no both windows and mac. I added a condition to match "Edgeclient" or "MacEdgeClient" in the user-agent string to the policy. it seems working now.

      • buulam's avatar
        buulam
        Icon for Admin rankAdmin

        Is it consistent behavior? I believe the client does make an initial GET via mini browser first to obtain login details so your additional condition would be correct