FortiGate
vsahu (Staff)
Article Id 253775
Description

 

This article describes the case where machines from more than one domain are present in the network and the host-check feature is to be used to verify the machine's domain name before an SSL VPN connection is allowed.

Machine A - domain abc.

Machine B - domain bcd.

 

Scope

 

FortiGate, FortiClient.


Note:

Host-check features are not supported for FortiClient versions between 6.2.0 and 7.0.2. 
Starting from FortiClient 7.0.3, host check features are available.


https://docs.fortinet.com/document/forticlient/7.0.0/new-features/651315/fortigate-powered-host-chec...

 

Solution

 

When several registry checks are configured in a single host-check-software entry, they are combined with an AND operation. It is therefore not possible to accept two or more domains from a single host-check-software entry: the client must match every registry item, and if any one of them is not present on the machine the connection is denied.

 

Example:

# config vpn ssl web host-check-software
    edit "Domain-Registry"
        set type fw
            # config check-item-list
                edit 1
                    set type registry
                    set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters:Domain==abc"
                next
                edit 2
                    set type registry
                    set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters:Domain==bcd"  
                next
            end
    next
end

 

# config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
            # config bookmark-group
                edit "gui-bookmarks"
                next
            end
        set host-check custom   --------------------->
        set host-check-policy "Domain-Registry" --------->
    next


With the configuration above, a connecting client is required to match both registry items. Since a machine can only be joined to one domain at a time, the connection always fails. The way around this is to configure multiple realms and bind a different host-check policy to a different web portal in each realm; users then connect to the realm for their domain and the host check works as required.
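The following is an added example (not FortiGate or FortiClient code) that models the evaluation rule described above: every item in a check-item-list must match, so one entry holding both domains rejects both machines, while one entry per realm admits the right machine. The Windows registry is replaced by a constructed dict, the target strings use the same `HIVE\path:Value==expected` form as the article's config, and the exact string comparison is an assumption of this model rather than documented FortiClient behaviour.

```python
"""Model of how a FortiGate host-check-software entry is evaluated.

Added example, not FortiGate or FortiClient code. It mimics the documented
rule that all items in check-item-list are ANDed, using a constructed dict
in place of the Windows registry. Exact, case-sensitive comparison of the
registry value is an assumption of this model.
"""
from typing import Dict, List

# Constructed stand-ins for the two domain-joined machines from the article.
# Keys are "hive\\path:ValueName", values are what the registry would hold.
TCPIP_PARAMS = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters"
MACHINE_A = {f"{TCPIP_PARAMS}:Domain": "abc"}
MACHINE_B = {f"{TCPIP_PARAMS}:Domain": "bcd"}


def parse_target(target: str):
    """Split 'hive\\path:ValueName==expected' into (registry key, expected value)."""
    if "==" not in target:
        raise ValueError(f"unsupported target (only '==' is modelled): {target}")
    key, expected = target.split("==", 1)
    return key.strip(), expected.strip()


def check_item_passes(target: str, registry: Dict[str, str]) -> bool:
    """One registry check-item: the value must exist and equal the expected string."""
    key, expected = parse_target(target)
    actual = registry.get(key)
    # A missing value is a failed check, not an error, as the article describes.
    return actual is not None and actual == expected


def host_check_passes(check_item_list: List[str], registry: Dict[str, str]) -> bool:
    """All items in one host-check-software entry are ANDed together."""
    return all(check_item_passes(t, registry) for t in check_item_list)


# The article's first attempt: both domains in a single entry.
COMBINED = [f"{TCPIP_PARAMS}:Domain==abc", f"{TCPIP_PARAMS}:Domain==bcd"]

# The working layout: one entry per realm, each bound to its own portal.
PER_REALM = {
    "abc": [f"{TCPIP_PARAMS}:Domain==abc"],
    "bcd": [f"{TCPIP_PARAMS}:Domain==bcd"],
}


def evaluate_for_realm(realm: str, registry: Dict[str, str]) -> bool:
    """Evaluate the host-check entry bound to the portal of the given realm."""
    return host_check_passes(PER_REALM[realm], registry)


if __name__ == "__main__":
    for name, reg in (("Machine A", MACHINE_A), ("Machine B", MACHINE_B)):
        print(f"{name} against the combined entry: {host_check_passes(COMBINED, reg)}")
    print("Machine A via realm abc:", evaluate_for_realm("abc", MACHINE_A))
    print("Machine B via realm bcd:", evaluate_for_realm("bcd", MACHINE_B))
    print("Machine A via realm bcd:", evaluate_for_realm("bcd", MACHINE_A))
```

Note that the Domain value is read by FortiClient on the endpoint and reported to the FortiGate; a local administrator can change it, so the check is a posture hint for routing users to the correct portal, not a substitute for authentication.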

 

Configure Realm:

First, enable the feature: go to System -> Feature Visibility and enable SSL-VPN Realms.

 

Capture.PNG

 

Go to VPN -> SSL VPN Realm -> Create new and provide the URL path to be used. In this example, abc is added, so the URL path will be https://10.5.22.118:4443/abc (name it as required). Do the same for bcd.

 

Capture1.PNG

 

CLI:

# config vpn ssl web realm
    edit "abc"
    next
    edit "bcd"
    next
end


Configure two separate host-check-software entries, one for the abc domain and one for the bcd domain. This can only be done from the CLI.

 

# config vpn ssl web host-check-software

    edit "Domain-host-check-abc"
        set type fw
            # config check-item-list
                edit 1
                    set type registry
                    set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters:Domain==abc"
                next
            end
    next
    edit "Domain-host-check-bcd"
        set type fw
            # config check-item-list
                edit 1
                    set type registry
                    set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters:Domain==bcd"
                next
            end
    next
end

 

Configure the Web portal:

Go to VPN -> SSL VPN Portal -> Create new and add the configuration as required.

 

Capture4.PNG

 

Use the CLI to add the host check configuration to each portal:

# config vpn ssl web portal
    edit "Domain abc"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
        set host-check custom   --------------------->
        set host-check-policy "Domain-host-check-abc" --------->
    next
    edit "Domain bcd"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
        set host-check custom   --------------------->
        set host-check-policy "Domain-host-check-bcd" --------->
    next
end

 

Add the Portal Mapping: go to VPN -> SSL VPN Setting -> Authentication/Portal Mapping (add the user as required and bind the realm and portal).

 

Capture2.PNG

 

Capture3.PNG

 

CLI:

# config vpn ssl settings
    # config authentication-rule
        edit 1
            set users "test"
            set portal "Domain abc"
            set realm "abc"
        next
        edit 2
            set users "test"
            set portal "Domain bcd"
            set realm "bcd"
        next
    end
end

 

Once the above steps are done, configure the connections on FortiClient:

Domain abc ->

 

Capture5.PNG

 

Domain bcd ->

 

Capture6.PNG

 

The connection will work as expected.

 

Troubleshooting:

 

The host check runs after authentication. If it fails, FortiClient displays the message 'The machine does not meet the host checking requirement set by firewall...' on the machine.

The logs on the FortiGate can be checked for troubleshooting, but they do not give much detail.

 

Capture7.PNG

 

Enable debugging on FortiGate, for more information:

 

# diag deb reset
# diag deb console timestamp enable
# diag deb application fnbamd -1
# diag deb application authd -1
# diag deb application sslvpn -1
# diag deb enable

 

Enable debug logging on FortiClient to verify the information the machine sends. For the VPN-only FortiClient, follow the steps below.

- Unlock the FortiClient setting, by selecting the highlighted and circled icon.

 

Capture9.PNG

 

- Change the logging level to debug.

 

Capture10.PNG

 

- Run the test and export the logs. They will contain an entry like the one below. The pcdomain field shows the domain the client reported (bcd here) and vpntunnel the FortiClient connection that was used, which can be compared against the host-check target bound to that realm's portal:

4/25/2023 1:25:52 PM error sslvpn date=2023-04-25 time=13:25:51 logver=1 id=96603 type=securityevent subtype=sslvpn eventtype=error level=error uid=FE9B156414B44B6AAE284291B1CAED04 devid=FCT8002418615386 hostname=Win10-Pro pcdomain=bcd deviceip=10.5.57.83 devicemac=00-67-72-61-05-02 site=N/A fctver=7.0.8.0427 fgtserial=FCT8002418615386 emsserial=N/A os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=fortinet msg="SSLVPN tunnel connection failed" vpnstate= vpntunnel=Posture vpnuser=test remotegw=10.5.54.118
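An added example, not Fortinet tooling, that parses a FortiClient log line like the one above into its key=value fields (quoted values may contain spaces, and a value may be empty, as in vpnstate=) and then compares the client-reported pcdomain with the domain the realm's host-check expects. The sample line is the one printed in this article; the triage verdict strings and the expected_domain parameter are assumptions of this example.

```python
"""Parse a FortiClient SSL VPN log line and triage a host-check failure.

Added example, not Fortinet tooling. It reads the key=value fields that
FortiClient writes to its exported log and checks whether the reported
pcdomain matches the domain the realm's host-check-software expects.
"""
import re
from typing import Dict

# Sample line copied from the article's FortiClient log export (identifiers as printed there).
SAMPLE_LINE = (
    '4/25/2023 1:25:52 PM error sslvpn date=2023-04-25 time=13:25:51 logver=1 id=96603 '
    'type=securityevent subtype=sslvpn eventtype=error level=error '
    'uid=FE9B156414B44B6AAE284291B1CAED04 devid=FCT8002418615386 hostname=Win10-Pro '
    'pcdomain=bcd deviceip=10.5.57.83 devicemac=00-67-72-61-05-02 site=N/A fctver=7.0.8.0427 '
    'fgtserial=FCT8002418615386 emsserial=N/A '
    'os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=fortinet '
    'msg="SSLVPN tunnel connection failed" vpnstate= vpntunnel=Posture vpnuser=test '
    'remotegw=10.5.54.118'
)

# key=value where value is either a double-quoted string or a run of non-space
# characters, possibly empty (as in 'vpnstate=').
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_fct_log(line: str) -> Dict[str, str]:
    """Return the key=value fields of one FortiClient log line as a dict."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def triage_host_check(line: str, expected_domain: str) -> Dict[str, str]:
    """Decide whether a failed connection looks like a domain/realm mismatch.

    expected_domain is the value in the host-check target of the portal the
    user connected to (an input to this example, not a field of the log).
    """
    f = parse_fct_log(line)
    result = {
        "user": f.get("vpnuser", ""),
        "tunnel": f.get("vpntunnel", ""),
        "pcdomain": f.get("pcdomain", ""),
        "expected_domain": expected_domain,
    }
    if f.get("subtype") != "sslvpn" or f.get("msg") != "SSLVPN tunnel connection failed":
        result["verdict"] = "not an SSL VPN connection failure"
    elif result["pcdomain"] != expected_domain:
        result["verdict"] = ("domain mismatch: the client reports another domain; "
                             "connect to that domain's realm instead")
    else:
        result["verdict"] = ("domain matches: check the remaining check-items and "
                             "the FortiGate sslvpn debug output")
    return result


if __name__ == "__main__":
    # The user connected to the realm whose host-check expects "abc", but the
    # machine is joined to "bcd": the expected outcome is a mismatch verdict.
    for k, v in triage_host_check(SAMPLE_LINE, "abc").items():
        print(f"{k}: {v}")
```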