Created on 03-04-2017 05:38 PM Edited on 11-26-2024 04:02 AM By Jean-Philippe_P
Description
Scope
Solution
The client's host-check result is evaluated by the SSL VPN portal in addition to the user's AD group membership, so both the user and the endpoint must pass before the tunnel portal is granted:
The following configuration can be used to check whether a Windows computer connecting over an SSL VPN tunnel reports membership in a given Active Directory domain. The check reads a registry value on the endpoint, which a local administrator can set on a machine that is not actually domain-joined; treat it as an endpoint posture check that complements user and certificate authentication, not as proof of domain membership on its own.
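config vpn ssl web host-check-software
    # The entry name must match 'set host-check-policy' in the portal that uses it.
    edit "test-register"
        config check-item-list
            edit 1
                # 'require': the portal is denied unless this item passes on the client.
                set action require
                set type registry
                # Replace <localdomain> with the AD DNS domain name the clients should report.
                # NOTE(review): this registry value is the endpoint's primary DNS suffix and
                # is writable by a local administrator, so it can be set without the machine
                # being domain-joined. It is evaluated by FortiClient on the endpoint; keep
                # client-certificate and user authentication enabled alongside it.
                set target 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters:Domain==<localdomain>'
                set version ''
            next
            # Other items can be added to the checklist here.
        end
    next
end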
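config vpn ssl web portal
    edit "domain-portal"
        set tunnel-mode enable
        # 'custom' applies the host-check-software entry named by host-check-policy.
        set host-check custom
        # Limit each user to a single concurrent SSL VPN login on this portal.
        set limit-user-logins enable
        set auto-connect enable
        set ip-pools 'sslvpn-pool'
        # Full tunnel: all client traffic traverses the VPN while connected.
        set split-tunneling disable
        # Must match the 'edit' name under 'config vpn ssl web host-check-software'.
        set host-check-policy 'test-register'
    next
end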
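config vpn ssl settings
    # Require a client certificate in addition to user credentials. The registry
    # host check is reported by the client, so this is the stronger endpoint factor.
    set reqclientcert enable
    set servercert 'server_cert'
    # Idle sessions are torn down after 1800 seconds (30 minutes).
    set idle-timeout 1800
    set tunnel-ip-pools 'SSLVPN_TUNNEL_ADDR1'
    set tunnel-ipv6-pools 'SSLVPN_TUNNEL_IPv6_ADDR1'
    set dns-server1 10.0.0.20
    set dns-server2 10.0.0.22
    set source-interface 'wan1'
    # 'all' accepts connections from any source address; narrow these if the
    # client population is known.
    set source-address 'all'
    set source-address6 'all'
    # Portal used when no authentication-rule matches. NOTE(review): confirm this
    # portal does not grant tunnel access, since it bypasses the host check below.
    set default-portal 'web-access'
    config authentication-rule
        edit 2
            set groups 'Usergroup1'
            set portal 'test'
            set realm 'test'
        next
        edit 3
            # Domain users are mapped to the portal that enforces the host check.
            set groups 'domain-Users'
            set portal 'domain-portal'
            set realm 'domain'
        next
    end
end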
Note: Starting with FortiClient 6.2, this host-check feature is only available when FortiClient is managed by FortiClient EMS. It is available again in the free FortiClient VPN client starting with version 7.0.3. Because the check is performed by the client, a client that does not implement it cannot satisfy an 'action require' item: