22-Apr-2021 05:21
I am setting up an always-on machine tunnel solution using Edge Client, but as the DNS location isn't working with the tunnel service, I want to create an iRule to use in the VPE that would check if the client is connected to the corporate LAN. Does anyone have an idea, or has someone done something similar?
22-Apr-2021 07:39
You can use the "ACCESS_POLICY_AGENT_EVENT" so that, one time during the policy check before the network resource is assigned, you can check the client IP address and set a custom variable. After that, use a General Purpose "empty" object and make a branch rule to check, for example, "expr { [mcget {session.vpn.private}] == "1" }", and make it so that if the client is in the private IP range, the "Network_access" object is not assigned.
https://clouddocs.f5.com/api/irules/ACCESS_POLICY_AGENT_EVENT.html
22-Apr-2021 08:05
EDIT:
Ah, for this you don't even need the "ACCESS_POLICY_AGENT_EVENT" event, as the "ACCESS_SESSION_STARTED" event will do the job. In that event you can set a session variable like, for example, "session.vpn.private" and then, in the access policy, use an "empty" object with a branch rule as I mentioned. Or you could just block users who are in the corporate network from starting the VPN client in the "ACCESS_SESSION_STARTED" event, similarly to what is shown below:
https://clouddocs.f5.com/api/irules/ACCESS_SESSION_STARTED.html
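As an added example (not part of the original thread and not F5's documentation), here is an iRule of the kind the reply above describes. It runs in ACCESS_SESSION_STARTED, compares the client source address against a list of corporate ranges, and records the result in "session.vpn.private" so a VPE branch rule can act on it; it can optionally drop the session outright. The corporate subnets, the variable name and the "deny_on_lan" switch are assumptions for illustration; a production iRule would normally keep the ranges in a data group.

```tcl
# Added example, not from the thread or from F5 documentation.
# ACCESS_SESSION_STARTED fires once when an APM session is created,
# before the access policy (VPE) runs, so the variable set here is
# available to every branch rule in the policy.
when ACCESS_SESSION_STARTED {
    # Assumed corporate ranges. In practice keep these in a data group and
    # test with: [class match $client_ip equals corp_networks]
    set corp_nets [list "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"]

    # Assumed policy choice: 0 = only set the variable and let the VPE
    # branch around the Network Access assignment; 1 = refuse the session.
    set deny_on_lan 0

    set client_ip [IP::client_addr]
    set on_corp_lan 0

    foreach net $corp_nets {
        # IP::addr accepts CIDR notation and compares only the network part.
        if { [IP::addr $client_ip equals $net] } {
            set on_corp_lan 1
            break
        }
    }

    # Expose the result to the policy. A General Purpose "empty" object
    # with the branch rule  expr { [mcget {session.vpn.private}] == "1" }
    # can then skip the Network Access resource for on-LAN clients.
    ACCESS::session data set "session.vpn.private" $on_corp_lan

    if { $on_corp_lan && $deny_on_lan } {
        log local0. "APM: client $client_ip is on the corporate LAN, not starting VPN session"
        ACCESS::session remove
    }
}
```

Two caveats a practitioner should check before relying on this: IP::client_addr is the source address as the BIG-IP sees it, so if corporate clients reach the virtual server through NAT or a proxy, the ranges must describe that translated address rather than the LAN itself; and the check considers nothing but the source address, which is exactly the limitation the later posts raise about the built-in subnet match. It is a first filter, not a substitute for a reachability-based location test.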
28-Apr-2021 00:54
Wouldn't the subnet match accomplish the same thing?
28-Apr-2021 01:05
Yes, I forgot that there is such an agent, so you can test with it. Just be careful not to hit a bug that I saw mentioned:
https://support.f5.com/csp/article/K48423405
28-Apr-2021 01:08
It does work, but it's kind of... dumb (not finding other words at the moment, hehe) for use in this case, as it doesn't take anything else into consideration. The best would be to have a network location server (or something like it): if the client can reach it, no tunnel; if it's not there, go ahead and connect.
28-Apr-2021 01:24
Have you added the DNS Relay Proxy service to see if you can then use the DNS auto-connect location awareness together with a split tunnel?
28-Apr-2021 01:26
The DNS suffix check in Edge Client works in the full Edge Client, just not in the machine tunnel part.
28-Apr-2021 01:34
I was having similar issues with another vendor; maybe test establishing a network access session (VPN) before logging in to Windows as an alternative to the machine tunnel. Outside of that, push F5 TAC to resolve this issue.