rkulow
New Member
August 7, 2017
Question

SSL VPN with computer certificate

  • August 7, 2017
  • 2 replies
  • 12488 views

Hi there,

I want to level up the security of our SSL-VPN (tunnel mode). 

We have to make sure that VPN connections are only possible from devices of our managed infrastructure.

Is it possible to use computer certificates as an additional authentication requirement? I have already read about user certificates, but only for local users. We use LDAP group search for authentication and it seems not possible to bind certificates to this user group.

In this case it would be nice if I could enroll computer certificates over Active Directory and the FortiGate checked these certs during the authentication.

Is this possible? If not, are there any other possibilities to increase VPN security?

    2 replies

    ed_b
    New Member
    September 25, 2017

    I'm also trying to implement something like this so we can lock down the FortiClient to authorized domain computers. All docs seem to mention user certs.

    Anyone know if computer certificates can be used?


    emnoc
    New Member
    September 25, 2017

    I have never heard of an enforcement of a "computer certificate". I would look at host/client side checks. Here you could allow the Windows versions that your company uses.

    Examples:

    maybe you have only win10 and want to disallow all earlier WinOSes

    maybe you have a seed list of ether_address AA:AA:AA:AA:AA:AA

    that along with a user certificate should be more than enough


    ed_b
    New Member
    September 25, 2017

    Unfortunately client checking is only supported on Windows and we are heavily Mac on the client side, otherwise I'd use that. Host check with MAC address might be the only option. Any other ideas?

    yesh
    New Member
    September 25, 2017

    http://cookbook.fortinet.com/ssl-vpn-using-ldap-integrated-certificates/


    This will work for you. Unfortunately, I am looking for client certificate with RADIUS authentication for users, which is not supported.
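As an added illustration of what the question and the linked cookbook approach boil down to on the gateway side (this is my own example, not code from the thread, from Fortinet or from the cookbook): the gateway trusts the enterprise CA that issues computer certificates, requires a client certificate in the TLS handshake, verifies that it chains to that CA and is valid for client authentication, and then maps the machine name in the certificate to a directory group of managed computers. The CA, the machine names (LAPTOP-01.corp.example, BYOD-99.corp.example) and the `managed` map standing in for the LDAP group lookup are all constructed here; on a real FortiGate the same decision is made by its SSL VPN settings and peer/LDAP configuration rather than by this Go code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// devicePKI is a constructed, in-memory stand-in for the enterprise CA that
// issues computer certificates (hypothetical names; nothing here is from the thread).
type devicePKI struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	pool   *x509.CertPool // what the VPN gateway would be configured to trust
}

// newCA creates a self-signed CA certificate and the trust pool built from it.
func newCA(name string) (*devicePKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &devicePKI{caCert: cert, caKey: key, pool: pool}, nil
}

// issueDeviceCert plays the role of AD auto-enrollment: the CA signs a
// client-auth certificate whose CN is the machine account name.
func (p *devicePKI) issueDeviceCert(machine string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: machine},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.caCert, &key.PublicKey, p.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// gatewayCheck is the decision a VPN gateway makes once the handshake has
// presented a client certificate: chain to the trusted device CA, valid for
// client auth, and the named machine is in the managed-computers group
// (the map is a constructed stand-in for the LDAP group lookup).
func gatewayCheck(trusted *x509.CertPool, cert *x509.Certificate, managed map[string]bool) (string, error) {
	opts := x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by the device CA: %w", err)
	}
	machine := cert.Subject.CommonName
	if !managed[machine] {
		return "", fmt.Errorf("%q is not a managed machine account", machine)
	}
	return machine, nil
}

func main() {
	corp, _ := newCA("Example Corp Device CA")
	rogue, _ := newCA("Unmanaged Device CA") // a CA the gateway does not trust
	managed := map[string]bool{"LAPTOP-01.corp.example": true}

	good, _ := corp.issueDeviceCert("LAPTOP-01.corp.example")
	bad, _ := rogue.issueDeviceCert("LAPTOP-01.corp.example")
	stray, _ := corp.issueDeviceCert("BYOD-99.corp.example")

	for _, c := range []*x509.Certificate{good, bad, stray} {
		if name, err := gatewayCheck(corp.pool, c, managed); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("accept:", name)
		}
	}
}
```

The three cases in `main` are the ones the thread cares about: a certificate from the enterprise CA for a managed machine is accepted; the same machine name on a certificate from any other issuer is rejected before the directory is even consulted; and a certificate the enterprise CA did issue is still rejected if the machine is not in the managed group, which is where the LDAP group membership the question asks about comes in.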

    ed_b
    New Member
    September 26, 2017

    Thanks for that - may work for us. 


    If anyone from Fortinet is reading - please implement client check on FortiClient for Mac! Would make life so much easier.