STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-266174

CAT II (Medium)

The VPN Gateway must use Always On VPN connections for remote computing.

Rule ID

SV-266174r1024406_rule

STIG

F5 BIG-IP TMOS ALG Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366, CCI-001184

Discussion

Allowing remote users to manually toggle a VPN connection can create critical security risks. With Always On VPN, if a secured connection to the gateway is lost, hybrid-working users will simply be disconnected from the internet until the issue is solved. "Always On" is a term that describes a VPN connection that is secure and always on after the initial connection is established. An Always On VPN deployment establishes a VPN connection with the client without the need for user interaction (e.g., user credentials). The remote client must not be able to access the internet without first establishing a VPN session with a DOD site. Note that device compliance checks are still required prior to connecting to DOD resources. Although out of scope for this requirement, the connection process must ensure that remote devices meet security standards before accessing DOD resources. Devices that fail to meet compliance requirements can be denied access, reducing the risk of compromised endpoints.

Check Content

Verify at least one of these methods is configured.

Always Connected Mode:
From the BIG-IP GUI:
1. Access.
2. Connectivity/VPN.
3. Connectivity.
4. Profiles.
5. Click the name of the profile.
6. At the bottom, click Customize Package >> Windows.
7. Click "BIG-IP Edge Client" on the left.
8. Verify "Enable Always connected mode" is enabled.

Machine Tunnels:
From the BIG-IP GUI:
1. Access.
2. Connectivity/VPN.
3. Connectivity.
4. Profiles.
5. Click the name of the profile.
6. At the bottom, click Customize Package >> Windows.
7. Verify "Machine Tunnel Service" is checked.

If the BIG-IP VPN Gateway is not configured to use an Always On VPN connection for remote computing, this is a finding.

Fix Text

Configure at least one of these methods.

Always Connected Mode:

From the BIG-IP GUI:
1. Access.
2. Connectivity/VPN.
3. Connectivity.
4. Profiles.
5. Click the name of the profile.
6. At the bottom, click Customize Package >> Windows.
7. Click "BIG-IP Edge Client" on the left.
8. Check the box next to "Enable Always connected mode".
Note: Always connected mode requires at least one host be listed in the Server list of the Connectivity Profile. Edit the Connectivity Profile to add an entry, if necessary.
9. Click "Download" to save the settings and download the installer.

Machine Tunnels:
From the BIG-IP GUI:
1. Access.
2. Connectivity/VPN.
3. Connectivity.
4. Profiles.
5. Click the name of the profile.
6. At the bottom, click Customize Package >> Windows.
7. Check "Machine Tunnel Service".
8. Optionally, click "Machine Tunnel Service" on the left and check "Enable NLA for Machine Tunnel".
Note: To configure DNS Suffixes for NLA, edit the Connectivity Profile >> Win/Mac Edge Client > Location DNS List.
9. Click "Download" to save the settings and download the installer.