Skip to main content
sbuerger
sbuerger
New Member
January 9, 2015
Solved

Using SSL tunnel VPN only from defined set of computers

  • January 9, 2015
  • 2 replies
  • 19721 views

We currently evaluating fortigate for using it as a client ssl vpn endpoint.

Most of our users have notebooks where they are local administrators because they have to install software most of the time.

All of this notebooks are domain joined.

When they use the ssl vpn they should be able to work like as they are connected in house into our intranet.

 

Only this notebooks should be able to use the ssl vpn endpoint.

 

Our first thought was to use computer certificates as a 2nd factor. It looks like this isn't possible because the client does not show the computer certificates.

We have user certifactes for client authentication and email signature. But they are exportable. Users could export them and use them on their private computers and successfully connect to the network.

 

For now the only solution we found is to register the forticlient installations which generates more costs because we need to license the forticlient without using (at least for now) any of the other features the license brings.

 

Are there any other solutions we could use?

 

If you use it, how are you using this ssl tunnel vpn solutions? Could your vpn users use any device to connect from? Do you limit the services they could use through the ssl vpn, or are they connected like they are in house in the internal network?

    Best answer by rdumitrescu

    Hi,

     

    I think that you could use the MAC check feature:

     

    conf vpn ssl web portal     edit portal        set mac-addr-check enable        set mac-addr-action allow        config mac-addr-check-rule            edit "rule1"                set mac-addr-list 01:01:01:01:01:01 08:00:27:d4:06:5d                set mac-addr-mask 48            end        end

    2 replies

    rdumitrescu
    rdumitrescuAnswer
    New Member
    January 9, 2015

    Hi,

     

    I think that you could use the MAC check feature:

     

    conf vpn ssl web portal     edit portal        set mac-addr-check enable        set mac-addr-action allow        config mac-addr-check-rule            edit "rule1"                set mac-addr-list 01:01:01:01:01:01 08:00:27:d4:06:5d                set mac-addr-mask 48            end        end

    sbuerger
    sbuergerAuthor
    New Member
    January 9, 2015

    rdumitrescu wrote:

    I think that you could use the MAC check feature:

     

    Thanks. We already thought about that feature, but as I understand it is CLI only and we have at least 200 devices we would need to add. We don't want to limit it to alle devices from one vendor, because then they could use own devices from that vendor too.

    And as we understand, it will be for the whole ssl web portal, so they couldn't use the web portal for some intranet websites from other devices (internet cafe, etc.).

    sbuerger
    sbuergerAuthor
    New Member
    January 22, 2015

    Hi,

     

    to give a feedback. We evaluated a bit more. We tried Forti Authenticator with certificates and a lot of other stuff too. Nothing was the solution we searched for

     

    We had an issue while trying to limit the connection to registered clients only. Somehow in the firewall rule, the option to use a device group was hidden when you had the SSL VPN selected as source. Looked like an UI bug. It does work when you use the correct steps. Until then users could use the SSL VPN from any client regardless of the registration, you had only the user group to limit the source in the rule.

     

    We decided to go with the registration, which gives us the following working solution:

     

    1. SSL Webportal for ldap users with token.

      They have to use their Active Directory Login and a Token.

    2. A second Webportal for ldap users without a token.

      This is for external contractors or customers with limited access to only some internal web servers.

    3. A SSL VPN for a set of ldap users with token and for a set of registered Forticlient. We can have groups of defined clients allowing access to targets in rules.

     

    It costs more because of the Client subscription licenses. We consider to use the other features in the client software (Antivirus, Vulnerability Scan, etc.) in the future.

    ebonick
    ebonick
    New Member
    September 10, 2015

    I too had this working, but now can't remember how I had it working when testing. Can you provide details as to how you did it? Fortinet says it's not supported and no matter what I do on 5.2.4 I can't get it working.

    sbuerger
    sbuergerAuthor
    New Member
    September 10, 2015

    ebonick wrote:

    I too had this working, but now can't remember how I had it working when testing. Can you provide details as to how you did it? Fortinet says it's not supported and no matter what I do on 5.2.4 I can't get it working.

    The Forticlient registers the device on the fortigate. Then the Client is added to a custom group.

    When you create a firewall rule you have to select a the ssl vpn as source and you select the user group and as "source device type" the device custom group.

     

    If the "source device type" is hidden as you select the ssl vpn as source you have to create one rule via CLI. After that new rules you create via web interface with the ssl vpn and a device group should be possible.

     

    BUT we still have a big problem with that. After about a week some IPs the users are assigned to are broken. The clients wouldn't be detected as registered and they are not allowed to send traffic through the rules that have a device group selected.

     

    We had this since we implemented it in 5.2.2, running 5.2.4 now. We have a open case with Fortinet about this issue.

    I hope they fix this issue soon. This is a big requirement for us to only allow systems we have registered.

    Terms & ConditionsAccessibility statement