Skip to main content
kamarale
kamarale
New Member
January 14, 2022
Question

FortiGate SSL VPN for corporate devices only

  • January 14, 2022
  • 2 replies
  • 5344 views

Hello!

We have a FortiGate in 6.4.X and we re already using SSL VPN with 2FA with Fortitoken, and we must keep this 2FA auth.
We use Foticlient 6.4 with free license.
Now we want to enforce that only notebooks from the company can connect to the VPN.

We tried to do it with the MAC address host chech,but only works for Forticlient before 6.2 (on free versions).
https://community.fortinet.com/t5/FortiClient/Technical-Tip-Limitation-on-SSLVPN-MAC-address-host-check/ta-p/190260?externalID=FD49387

How you guys think we could implement this?
If you have any link that guides me great.


Thank you in advance!
Kind regards.

2 replies

ctanev1
Staff & Editor
ctanev1
Staff & Editor
January 14, 2022

Hi,

With a free client, it is not possible.

It is possible with EMS and Zero Trust Tags with Fortiagte.

https://docs.fortinet.com/document/forticlient/7.0.2/ems-administration-guide/924998/zero-trust-tags

With the latest version, you can use Tags in VPN before a VPN connection.

https://docs.fortinet.com/document/forticlient/7.0.2/ems-administration-guide/29925/ssl-vpn

Let us know do you have more questions?

Thanks

 

 

 

 

 

kamarale
kamaraleAuthor
New Member
January 14, 2022

Hello,

thanks for the reply.

The FGT should be in version 7.0 too?

 

Another question, I was thinking about using certificates on end PCs.

Would this work in conjuntion with the 2FA already implemented (usr/pass + token) ?

 

Thanks!

 

Debbie_FTNT
Staff & Editor
Debbie_FTNT
Staff & Editor
January 20, 2022

Hey kamarale,

yes, you can require certificates in addition to already implemented 2FA. A guide on combining certificate authentication with user/password: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Combining-remote-user-authentication-and-client/ta-p/192577

-> second factor would simply be requested as part of RADIUS authentication or local user authentication

 

Regarding the domain computer requirement - I don't know if this would still work with newer (free) FortiClient versions, but it might be worth a try: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Checking-AD-domain-of-host-connecting-to-a-SSL-VPN/ta-p/195606

Regarding FortiGate - it will need to be in a version compatible with FortiClient and EMS 7.0.2, and to my knowledge on FortiOS 7.0 supports the full ZTNA implementation available in (licensed) FortiClient 7.0.

Hope that helps!

kamarale
kamaraleAuthor
New Member
January 19, 2022

Hello,

does anyone know this questions?

 

Thanks in advance.

Regards.

Terms & ConditionsAccessibility statement