Forum Discussion
EDIT:
Ah, for this you don't even need the "ACCESS_POLICY_AGENT_EVENT" event, as the event "ACCESS_SESSION_STARTED" will do the job. In that event you can set a session variable, for example "session.vpn.private", and then in the Access policy use, as I mentioned, an "empty" object with a branch rule; or you could just block users that are in the corporate network from starting the VPN client in the "ACCESS_SESSION_STARTED" event, similarly to what is shown below:
https://clouddocs.f5.com/api/irules/ACCESS_SESSION_STARTED.html
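A concrete iRule for the approach described above, added here as an illustration and not code from the post or from F5's documentation. It assumes 10.0.0.0/8 stands in for the real corporate range (placeholder) and that the access policy later branches on the session variable "session.vpn.private":

```tcl
# Added example (not from the original post): tag, or optionally refuse,
# Network Access sessions that start from inside the corporate network.
# 10.0.0.0/8 is a placeholder for the real corporate address range.
when ACCESS_SESSION_STARTED {
    set corp_net 10.0.0.0/8

    if { [IP::addr [IP::client_addr] equals $corp_net] } {
        # Option A: record the fact and let the access policy decide.
        # An "empty" policy item with a branch rule such as
        #   expr { [mcget {session.vpn.private}] == 1 }
        # can then send the client down a deny branch.
        ACCESS::session data set session.vpn.private 1
        log local0. "APM: session from internal client [IP::client_addr], flagged private"

        # Option B: end the session here so the VPN client never connects
        # while on the LAN. Uncomment to block directly in the iRule.
        # ACCESS::session remove
    } else {
        # Client is outside the corporate network: normal VPN flow.
        ACCESS::session data set session.vpn.private 0
    }
}
```

Whichever option is used, the log line gives the APM logs a record of which sessions were classified as internal, which helps when troubleshooting the machine-tunnel behaviour discussed in this thread.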
Wouldn't the subnet match accomplish the same thing?
- Nikoolayy1, Apr 28, 2021, MVP
Yes, I forgot that there is such an agent, so you can test with it. Just be careful not to hit a bug that I saw mentioned:
https://support.f5.com/csp/article/K48423405
- kimhenriksen, Apr 28, 2021, Cirrostratus
It does work, but it's kind of... dumb (not finding other words at the moment, hehe) for use in this case, as it doesn't take anything else into consideration. The best would be to have a network location server (or something like it): if the client can reach it, no tunnel; if it's not there, go ahead and connect.
- Nikoolayy1, Apr 28, 2021, MVP
Have you added the DNS relay proxy service to see if you can then use the DNS autoconnect location awareness together with a split tunnel?
- kimhenriksen, Apr 28, 2021, Cirrostratus
The DNS suffix check in Edge Client works in the full Edge Client, just not in the machine tunnel part.
- Nikoolayy1, Apr 28, 2021, MVP
I was having similar issues with another vendor; maybe test establishing a network access session (VPN) before logging in to Windows as an alternative to the machine tunnel. Outside of that, push F5 TAC to resolve this issue.