Debbie_FTNT
Staff
Description
This article describes how to check whether a host connecting to an SSL VPN tunnel is a member of a specific AD domain.

Scope
FortiGate SSL VPN host checking.

Solution
A useful feature available on an SSL VPN connection is the ability to check the AD permissions of a client.

Some of the well-known parameters to check are:

- OS version
- Antivirus installation
- Version of FortiClient installed

The security profile of the client is checked against the SSL VPN policy along with the AD permissions.

The following configuration can be used to check whether a computer connecting over an SSL VPN tunnel is part of a given domain in a Windows AD infrastructure:
# config vpn ssl web host-check-software
    edit 'test-register'
        set type fw
        set version ''
        set guid '00000000-0000-0000-0000-000000000000'
        config check-item-list
            edit 1
                set action require
                set type registry
                set target 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters:Domain==<localdomain>'
                set version ''
            next
            <----- other items can be added to the check list here.
        end
    next
end

# config vpn ssl web portal
    edit "domain-portal"
        set tunnel-mode enable
        set host-check custom
        set limit-user-logins enable
        set auto-connect enable
        set ip-pools 'sslvpn-pool'
        set split-tunneling disable
        set host-check-policy 'test-register'
    next
end

# config vpn ssl settings
    set reqclientcert enable
    set servercert 'server_cert'
    set idle-timeout 1800
    set tunnel-ip-pools 'SSLVPN_TUNNEL_ADDR1'
    set tunnel-ipv6-pools 'SSLVPN_TUNNEL_IPv6_ADDR1'
    set dns-server1 10.0.0.20
    set dns-server2 10.0.0.22
    set source-interface 'wan1'
    set source-address 'all'
    set source-address6 'all'
    set default-portal 'web-access'
    config authentication-rule
        edit 2
            set groups 'Usergroup1'
            set portal 'test'
            set realm 'test'
        next
        edit 3
            set groups 'domain-Users'
            set portal 'domain-portal'
            set realm 'domain'
        next
    end
end
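As an added illustration (not part of the original article and not FortiOS or FortiClient code), the following Python takes the registry target string from the check-item-list above, undoes the CLI backslash escaping, splits it into hive, key path, value name and expected data, and evaluates the 'require' item against two constructed registry snapshots: a domain-joined host and a standalone host. The domain name corp.example.com, the snapshot layout and the case-insensitive data comparison are assumptions made for the illustration.

```python
import re
from typing import NamedTuple

# The target as it appears in the check-item-list above, with the <localdomain>
# placeholder filled in with a constructed domain name. The doubled backslashes
# are FortiOS CLI escaping inside the quoted string.
TARGET = r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters:Domain==corp.example.com"

class RegistryCheck(NamedTuple):
    hive: str
    key_path: str    # subkey path under the hive, with single backslashes
    value_name: str
    expected: str

# Layout assumed here: <hive>\<key path>:<value name>==<expected data>
_TARGET_RE = re.compile(r"^(?P<path>[^:]+):(?P<value>[^=]+)==(?P<expected>.*)$")

def unescape_cli(s: str) -> str:
    """The FortiOS CLI doubles backslashes inside quoted strings; undo that."""
    return s.replace("\\\\", "\\")

def parse_registry_target(target: str) -> RegistryCheck:
    """Split a registry check target into hive, key path, value name and expected data."""
    m = _TARGET_RE.match(unescape_cli(target))
    if not m:
        raise ValueError(f"unrecognised registry target: {target!r}")
    hive, _, key_path = m.group("path").partition("\\")
    return RegistryCheck(hive, key_path, m.group("value"), m.group("expected"))

def host_passes(check: RegistryCheck, registry: dict) -> bool:
    """Evaluate one 'action require' item against a snapshot {hive: {key path (lower-case): {value: data}}}.
    Registry key names are case-insensitive on Windows; comparing the value data
    case-insensitively is an assumption made here (the expected data is a DNS name)."""
    key = registry.get(check.hive, {}).get(check.key_path.lower(), {})
    actual = key.get(check.value_name)
    return actual is not None and actual.lower() == check.expected.lower()

# Constructed snapshots of the Tcpip\Parameters key on two clients.
TCPIP = r"system\currentcontrolset\services\tcpip\parameters"
DOMAIN_JOINED_HOST = {"HKEY_LOCAL_MACHINE": {TCPIP: {"Hostname": "ws01", "Domain": "corp.example.com"}}}
STANDALONE_HOST = {"HKEY_LOCAL_MACHINE": {TCPIP: {"Hostname": "laptop7", "Domain": ""}}}

if __name__ == "__main__":
    check = parse_registry_target(TARGET)
    print(check)
    print("domain-joined host passes:", host_passes(check, DOMAIN_JOINED_HOST))
    print("standalone host passes:", host_passes(check, STANDALONE_HOST))
```

A host whose Domain value is empty, or set to a different suffix, fails the 'require' item and is denied the portal; any further items in the check list are evaluated the same way.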
