Skip to main content
jp20
jp20
New Member
October 17, 2022
Question

Vendor access Best Practices

  • October 17, 2022
  • 1 reply
  • 1289 views

Hi, 


We've got an HVAC vendor with remote access to our HVAC controls.  I have a policy set to allow access to our HVAC from their home office IP to one our external IPs and a Fortigate VIP to an internal address.  The only services allowed on this policy are a list of TCP ports they need to access the HVAC. 

 

Here's the issue:  They changed their support to field technicians who want to access our site via hotspots while the are out in the field, not their home office.

 

What are some best practices for adjusting the sources on the policy to accommodate for these hotspots without opening up this public IP to all the world?  Since they are using their cell phones, I don't think I can whitelist a set of addresses, because they'll keep changing.   What's the best practices here?  Thank you.

1 reply

esec
esec
Visitor III
October 17, 2022

Ssince their public adresses changes I would say that the best practice would be for the vendor to use their own VPN so they can guarantee what IP they would be accessing it from.

 

But if that´s not possible I would say that a Fortigate SSLVPN is the best solution, so you add an additional layer of authentication and don´t expose the HVAC to the public internet. Might even be possible that you can use the clientless SSLVPN to control the system.

Terms & ConditionsAccessibility statement