Technical Tip: Checking AD domain of host connecting to a SSL VPN tunnel
Description
Scope
Solution
The SSL VPN host check can verify items on the connecting client such as:
- OS version.
- Antivirus installation.
- The version of FortiClient installed.
The security profile of the client is checked against the SSL VPN policy along with the AD permissions:
The following configuration can be used to check whether a computer connecting over an SSL VPN tunnel is a member of a given domain in a Windows AD infrastructure. The host-check entry is referenced by name from the portal, so it is given the name 'test-register' here; replace <localdomain> with the DNS name of the domain. The check reads the 'Domain' value of the Tcpip\Parameters registry key on the client and requires it to equal that name:

config vpn ssl web host-check-software
    edit "test-register"
        set type fw
        set version ''
        set guid '00000000-0000-0000-0000-000000000000'
        config check-item-list
            edit 1
                set action require
                set type registry
                set target 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters:Domain==<localdomain>'
                set version ''
            next
            <----- Other items can be added to the checklist here.
        end
    next
end
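To see on the client side why the registry check above passes or fails, the same value can be read locally before the tunnel is attempted. The following PowerShell function is an added example, not part of the Fortinet article or of FortiClient; the function name Test-HostCheckDomain and the parameter ExpectedDomain are assumptions, and 'example.local' is a placeholder for the value used as <localdomain> in the FortiGate configuration.

```powershell
# Added example (not from the Fortinet article): reads the registry value that the
# 'set target' line of the host check inspects and compares it with the expected
# domain name, so an administrator can see locally why the check passes or fails.
function Test-HostCheckDomain {
    [CmdletBinding()]
    param(
        # Assumed placeholder parameter: the DNS domain name expected by the FortiGate.
        [Parameter(Mandatory = $true)]
        [string]$ExpectedDomain
    )

    # Same key and value name as in the host-check target on the FortiGate.
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $props   = Get-ItemProperty -Path $keyPath -ErrorAction Stop

    # 'Domain' is the machine's primary DNS suffix. A host that is not joined to a
    # domain typically has an empty string here, so an '==' comparison fails for it.
    $actual = [string]$props.Domain

    # 'NV Domain' is the non-volatile copy of the same setting; it is reported only
    # to help troubleshooting and is not what the host check above compares.
    $nvDomain = [string]$props.'NV Domain'

    [pscustomobject]@{
        Key            = $keyPath
        ValueName      = 'Domain'
        ActualDomain   = $actual
        NVDomain       = $nvDomain
        ExpectedDomain = $ExpectedDomain
        # DNS names are case-insensitive, so compare with -ieq here. Whether the
        # FortiClient comparison is case-sensitive is not stated in the article, so
        # use the exact spelling shown in the registry in the FortiGate target.
        Passes         = ($actual -ieq $ExpectedDomain)
    }
}

# Usage: replace the placeholder with the real domain name used as <localdomain>.
$result = Test-HostCheckDomain -ExpectedDomain 'example.local'
$result | Format-List
if (-not $result.Passes) { exit 1 }
```

Run it in an elevated or normal PowerShell session on the client; reading this key does not require administrator rights. A non-zero exit code indicates the value does not match, which is the same condition under which the FortiGate host check would refuse the tunnel.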
A tunnel-mode portal that requires this custom host check:

config vpn ssl web portal
    edit "domain-portal"
        set tunnel-mode enable
        set host-check custom
        set limit-user-logins enable
        set auto-connect enable
        set ip-pools 'sslvpn-pool'
        set split-tunneling disable
        set host-check-policy 'test-register'
    next
end
The SSL VPN settings map the AD user group to that portal through an authentication rule:

config vpn ssl settings
    set reqclientcert enable
    set servercert 'server_cert'
    set idle-timeout 1800
    set tunnel-ip-pools 'SSLVPN_TUNNEL_ADDR1'
    set tunnel-ipv6-pools 'SSLVPN_TUNNEL_IPv6_ADDR1'
    set dns-server1 10.0.0.20
    set dns-server2 10.0.0.22
    set source-interface 'wan1'
    set source-address 'all'
    set source-address6 'all'
    set default-portal 'web-access'
    config authentication-rule
        edit 2
            set groups 'Usergroup1'
            set portal 'test'
            set realm 'test'
        next
        edit 3
            set groups 'domain-Users'
            set portal 'domain-portal'
            set realm 'domain'
        next
    end
end
Note: After FortiClient 6.2, this feature is only available with FortiClient EMS. It is available again as a new feature in FortiClient Free VPN 7.0.3:
