VPN restrictions to domain computers
Please, do you know if there is a way the Edge Client can restrict VPN access to only domain computers?
From what I think, you should test the NTLM or Kerberos authentication options or / . In this case only the domain computers will have access.



If you want, you can also set the Edge Client to use the Windows credentials, but this will still allow company computers that are currently not in the domain to enter. I am just mentioning this as you can also make the computers always start their VPN when booting, so that the user will never be able to use the computers without the VPN started, as written in




Just a note: also after the customers log into the Edge Client and the VIP with network access, they will still internally be redirected to a VIP if they try to access it, and that VIP can have an access profile with Kerberos / NTLM.


Overview of BIG-IP APM layered virtual servers (


Hi Nikoolayy, do you believe I can restrict VPN access to domain-joined computers using the F5 Edge inspection components, so we can check if the computer is domain joined before permitting access?


BIG-IP Edge Client operations guide | Chapter 6: Endpoint inspection (



If you want to check if the computer is a member, you can check this post for the use of an AD machine cert or the Registry Check object. The Windows team can auto-load a reg key or a new machine cert on computers currently joining the domain.



For more info about the inspection:



If you want to block even domain computers if they try to connect but are not currently logged into the domain before starting the VPN, without the use of SAML or NTLM Auth (I think maybe this is not the case, as it is too rare, and you want only to check if they are domain computers)... You can just block the source IPs that are not in the subnet that is provided by your DHCP/AD server. Maybe also you can block the users by inspecting if a local application like DLP or so on is not working, and this application only works when the computer is in the domain, but better ask the Windows/workstation support team for such options. Maybe the Windows team can add a script to the machines that checks the location awareness log and makes a change on a registry key that F5 after that checks?
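One way the client-side half of the registry approach mentioned above could look, as an added example that is not from this thread or from F5: a startup script that records domain-join status under HKLM, which an APM Registry Check item can then compare against. The key path, value names and the domain name are assumptions chosen for the example.

```powershell
# Added example (not F5 code). Intended to run as SYSTEM, e.g. as a GPO startup
# script, so the values land in HKLM where a standard user cannot rewrite them.
# An APM Registry Check item is then configured to require DomainJoined = 1
# (and optionally SecureChannelOK = 1) before the Network Access resource is assigned.

$KeyPath        = 'HKLM:\SOFTWARE\ExampleCorp\EdgeClientPosture'  # assumed key path
$ExpectedDomain = 'corp.example.com'                              # placeholder AD domain

# PartOfDomain is $true only for a domain-joined machine; Domain holds the DNS name.
# Comparing against the expected domain avoids accepting a machine joined elsewhere.
$cs     = Get-CimInstance -ClassName Win32_ComputerSystem
$joined = [bool]$cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)

# Second, stronger signal: the machine account's secure channel to a DC is healthy.
# This also fails for a domain-joined laptop whose machine password has broken,
# which is the "joined but not really talking to the domain" case discussed above.
$secureChannel = $false
try {
    $secureChannel = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    $secureChannel = $false
}

if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# DWORD values are what the APM Registry Check compares most reliably.
Set-ItemProperty -Path $KeyPath -Name 'DomainJoined'    -Value ([int]$joined)        -Type DWord
Set-ItemProperty -Path $KeyPath -Name 'SecureChannelOK' -Value ([int]$secureChannel) -Type DWord
# Timestamp lets the helpdesk see when the posture value was last refreshed.
Set-ItemProperty -Path $KeyPath -Name 'CheckedAt'       -Value (Get-Date -Format 'o') -Type String
```

Because the script only reports state, pair it with the AD machine certificate check where possible; a registry value alone is a weaker signal than a certificate issued by your domain CA.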