cancel
Showing results for 
Search instead for 
Did you mean: 

Network Access - Block Virtual machine for VPN connection.

Kash
Altostratus
Altostratus

Hi Experts, Would like need your advice how to prevent f5 vpn accessing from virtual machine.Becz we enforced full tunnel,but its still able access internet websites using physical machine...still consider as split tunnel overall .

 

 

Is there any way to prevent to use VM machine for VPN.

 

 

Thank you!

Kash

7 REPLIES 7

boneyard
MVP
MVP

what exactly are you trying to solve here?

 

while the virtual machine has no split tunnel then there won't be any communication with it locally. all traffic from the virtual machine will go in the tunnel.

Kash
Altostratus
Altostratus

Thanks Boneyard!

Here we need to deny VM based machines.So that non vm based machines will go in the tunnel and won't be any communication to internet .

why this focus on a difference between virtual and none virtual machines?

 

you say something about with a virtual machine it is split tunnel, but why would that be the case?

 

the big-ip edge client doesn't behave differently on a virtual or non virtual machine.

For clear understanding ,

Objective is to allow vpn users to access intranet sites only .Full tunnel enabled at APM policy.

 

scenario : I installed Virtualbox with win 10 OS in my laptop. Connect VPN @ vm machine .(Full tunnel enabled) .Able to access intranet sites only using VM browser .( expected result)

But using my physical laptop browser (vm is running and connected to VPN) i can able to access internet websites.Becz its not connected to VPN( expected result).

 

On above scenario its like a split tunnelling ( vm no access to internet websites , Laptop have access to internet websites ).

so need to block all vm based machines on posture check or is there any other possible ways ?

 

Note : VPN access via browser not f5 edge client and No cert .

 

Thank you!

 

 

Ok, but the usual reason against split tunnel is because it is unsafe. locally traffic might get onto the internet and then also access the network behind the VPN. that is not the case with your situation. you wont be able to access the network behind the VPN from your laptop, you have to switch to your VM to do that. so that security issue is way less here.

 

Or is in your case you dont want people to access the internet for other reasons then security?

 

Will it be possible to install software on the client forcing a registry check or such?

yes .I dont want people to access the internet .

Is there anyway to detect VM based machines on posture check and block it.

Majority all are personal laptops,what type of software to install and check ?

 

Many tHanks!!

Jorge_Manya
Altocumulus
Altocumulus

Hello Kash,

 

You can use the Machine Info agent to gather information of the laptop that is trying to access the VPN. By using Machine Info agent you can get information that is present only in the physic machine like the HDD and then allow access to the VPN. If you are able to have a list of the physical NIC MAC addresses of the personal laptops, you can filter the access by allowing only those that are in the list.