DescriptionThis article describes how to check if a host connecting to a SSL VPN tunnel is part of a specific AD domain.
ScopeFortiGate SSL VPN host checking.
SolutionA
useful feature available on a SSL VPN connection is the ability to
check the AD permissions of a client.
Some of the well known parameters to check are:
- OS version
- Antivirus installation
- Version of FortiClient installed
The security profile of the client is checked against the SSLVPN policy along with the AD permissions:
The following
configuration can be used to check if a computer connecting
over a SSL VPN tunnel is part of a given domain on a Windows AD
infrastructure:#config vpn ssl web host-check-software
edit 'test-register'
set type fw
set version ''
set guid '00000000-0000-0000-0000-000000000000'
#config check-item-list
edit 1
set action require
set type registry
set target 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters:Domain==<localdomain>'
set version ''
next
<-----other items can be added
to the check list here.
end
#config vpn ssl web portal
edit "domain-portal"
set tunnel-mode enable
set host-check custom
set limit-user-logins enable
set auto-connect enable
set ip-pools 'sslvpn-pool'
set split-tunneling disable
set host-check-policy 'test-register'
next
#config vpn ssl settings
set reqclientcert enable
set servercert 'server_cert'
set idle-timeout 1800
set tunnel-ip-pools 'SSLVPN_TUNNEL_ADDR1'
set tunnel-ipv6-pools 'SSLVPN_TUNNEL_IPv6_ADDR1'
set dns-server1 10.0.0.20
set dns-server2 10.0.0.22
set source-interface 'wan1'
set source-address 'all'
set source-address6 'all'
set default-portal 'web-access'
config authentication-rule
edit 2
set groups 'Usergroup1'
set portal 'test'
set realm 'test'
next
edit 3
set groups 'domain-Users"
set portal 'domain-portal'
set realm 'domain'
next
end
