I wanted to set up a scenario where a user has to always sign in and authenticate to a webtop (on which we have 2-factor set up), click on the VPN resource on the webtop, and launch the F5 BIG-IP client for the connection.
I don't want the user to be able to just fire up the VPN client and get access without logging in to the web portal/webtop setup (no bypassing the 2FA piece).
Is this possible to always enforce?
You could create a login page for the Edge Client and enable 2FA on that login page. You can use the Client Type agent in the VPE to make a branch for the Edge Client (or combine both browser and Edge Client login into the same branch and login page).