Forum Discussion

lalberti
Aug 20, 2024

Compatibility of BIG-IP Edge Client with Azure Virtual Desktop (AVD) Multi-Session Environments

Hello F5 Community,

I am currently working on a project that involves deploying Azure Virtual Desktop (AVD) for our engineering department. A critical requirement is for users to securely connect to external networks via VPN using the BIG-IP Edge Client for Windows.

Our setup involves Windows multi-session virtual machines within the AVD environment, and I am particularly concerned about the following:

- Multi-Session Support: Does the BIG-IP Edge Client support multiple independent VPN sessions running concurrently on a single AVD multi-session VM? Are there any known limitations or issues?
- Configuration Best Practices: What are the recommended configurations to ensure that each user’s VPN session remains isolated and functions without interference in a multi-session environment? Any specific settings or policies that should be implemented?
- Networking Considerations: Are there any special networking or routing configurations needed to ensure reliable VPN connectivity for users accessing different external networks via the BIG-IP Edge Client on AVD?
- General Experiences and Recommendations: I would greatly appreciate any insights or experiences from those who have deployed a similar setup. Are there any challenges I should be aware of, and how were they mitigated?

Your guidance or references to any relevant documentation would be invaluable.

Thank you in advance for your support!

Best regards,
Luca

  • Edge Client (or Windows, really) was not designed for per-user L3-ish network isolation in this way. It's designed for individual Windows client PCs, not servers or RDS type sessions. It appears that AVD operates similarly to RDS, where users are all attached to the same network stack.

    Microsoft seems to have a similar recommendation:

    https://learn.microsoft.com/en-us/answers/questions/769421/vpn-clients-on-avd

     

    Can you explain in more detail what you're trying to do with the VPN client? We can maybe offer alternative solutions such as configuring the BIG-IP to be an explicit proxy server and using Windows per-user L5-ish HTTP proxy settings.

    • lalberti

      Hi Lucas,

      Thank you so much for your prompt and detailed response. I really appreciate the insights you’ve provided.

      To give you more context, our company specializes in software development. As part of a broader project to modernize our IT infrastructure, we are planning a gradual migration to a fully cloud-based architecture built on Azure. This includes migrating our developers' workstations to an Azure Virtual Desktop (AVD) configuration.

      Our developers frequently need to connect to our clients' private networks to deploy new software versions or provide support. Among our clients, some use BIG-IP to manage their network security. As a result, we need to use the BIG-IP Edge Client to connect to their networks. These are environments over which we have no control, so our only option is to use this solution to access their networks.

      We are currently in a phase of the project where we are verifying all compatibility aspects, and my question in this forum was aimed at performing a preliminary feasibility check for this specific scenario.

      Your advice to conduct thorough testing in a lab environment is invaluable, and we plan to follow that recommendation. If there’s any additional guidance or considerations we should keep in mind, especially given this context, we would be grateful.

      Thank you again for your assistance!

      Best regards,  
      Luca

      ---

      This response provides the requested information and maintains a professional and courteous tone.

      • Lucas_Thompson (Employee)

        Super. This makes sense.

        I think we have a pretty good argument in that Microsoft post that they don't recommend VPN clients in that environment. There seem to be the same kind of recommendations about Cisco AnyConnect, which uses similar architecture.

        Another speculative consideration is that with both Edge Client and Cisco AnyConnect, we/they offer integration with a client-side security library called OPSWAT. This requires admin-level privileges on the workstation, and probably won't run correctly with user permissions on a multi-session host like AVD or RDS.

        Overall this sounds like a tough situation to work out. On the one hand the security provided by AVD is highly useful, but on the other it doesn't offer quite as much capability as a full Windows VM with an independent network stack.

  • The BIG-IP Edge Client does not natively support multiple independent VPN sessions on a single AVD multi-session VM, which can lead to conflicts and connectivity issues. To ensure proper functionality, you should configure each user's VPN session to be isolated, possibly using unique profiles or settings for each session. For networking, ensure proper routing and network policies are in place to manage traffic for different external networks. It’s also advisable to test thoroughly in a controlled environment to identify and address any potential issues before full deployment.