We currently use F5 to establish secure connections to our remote desktop sessions for remote users. These users are using their personal machines so we dont provide any additional NextGen AV protection
Token stealing / Token Theft / Cookie session stealing to bypass MFA is a concern. An attacker can reply a token and byass MFA. How does F5's protect users from Token theft?
Which functions / modules are you using?
APM and AWAF could possibly be used to look for more than cookies.
So cookies and say orginating IP. So if the IP changes it might have been hijacked.
But if someone is on a mobile connection which could have its IP changed mid-session this may course other issues.
If you're using APM - you could look at client cert verification, or the agent to try to be more comfortable that your connection isn't hijackable.
Does the F5 Big IP have the ability to enable Session Quotas?
Limit the number of active sessions a user can have simultaneously. If token theft occurred the previous session would time out, causing the user to alert