Fortinet Forum
kamarale
New Contributor

FortiGate SSL VPN for corporate devices only

Hello!

We have a FortiGate on 6.4.X and we're already using SSL VPN with 2FA with FortiToken, and we must keep this 2FA auth.
We use FortiClient 6.4 with the free license.
Now we want to enforce that only notebooks from the company can connect to the VPN.

We tried to do it with the MAC address host check, but it only works for FortiClient before 6.2 (on free versions).
https://community.fortinet.com/t5/FortiClient/Technical-Tip-Limitation-on-SSLVPN-MAC-address-host-ch...

How do you guys think we could implement this?
If you have any link that guides me, great.


Thank you in advance!
Kind regards.

ctanev1
Staff

Hi,

With a free client, it is not possible.

It is possible with EMS and Zero Trust Tags with FortiGate.

https://docs.fortinet.com/document/forticlient/7.0.2/ems-administration-guide/924998/zero-trust-tags

With the latest version, you can use Tags in VPN before a VPN connection.

https://docs.fortinet.com/document/forticlient/7.0.2/ems-administration-guide/29925/ssl-vpn

Let us know if you have more questions.

Thanks

kamarale

Hello,

thanks for the reply.

Should the FGT be on version 7.0 too?

Another question, I was thinking about using certificates on end PCs.

Would this work in conjunction with the 2FA already implemented (usr/pass + token)?

Thanks!

Debbie_FTNT

Hey kamarale,

Yes, you can require certificates in addition to the already implemented 2FA. A guide on combining certificate authentication with user/password: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Combining-remote-user-authentication-and-c...

-> The second factor would simply be requested as part of RADIUS authentication or local user authentication.

Regarding the domain computer requirement - I don't know if this would still work with newer (free) FortiClient versions, but it might be worth a try: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Checking-AD-domain-of-host-connecting-to-a...

Regarding FortiGate - it will need to be on a version compatible with FortiClient and EMS 7.0.2, and to my knowledge only FortiOS 7.0 supports the full ZTNA implementation available in (licensed) FortiClient 7.0.

Hope that helps!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
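What the certificate approach above looks like on the FortiGate CLI, as an added example that is not part of the thread or of the linked Technical Tip. It binds an SSL VPN authentication rule to a PKI peer, so a client must present a certificate chained to the corporate issuing CA before the existing user/password + FortiToken login is even reached. The names "Corp-Issuing-CA", "corp-laptop-cert", "SSLVPN-Users" and "full-access" are assumptions; the CA must already be imported under System > Certificates, and "SSLVPN-Users" is the group (local users with FortiToken, or a RADIUS-backed group) that the existing 2FA login already uses.

```fortios
# Added example (not from the thread). Assumed object names: Corp-Issuing-CA,
# corp-laptop-cert, SSLVPN-Users, full-access. Tested syntax is FortiOS 6.4/7.0.

# 1. PKI peer: accept only certificates that chain to the corporate issuing CA.
#    The optional "subject" filter narrows it further to certificates whose
#    subject contains the given string (here the assumed corporate OU).
config user peer
    edit "corp-laptop-cert"
        set ca "Corp-Issuing-CA"
        set subject "OU=Corporate Laptops"
    next
end

# 2. Make the SSL VPN listener demand a client certificate during the TLS
#    handshake, and tie the authentication rule for the existing 2FA group to
#    the peer above. A notebook without a cert from this CA is rejected before
#    it can type a username, so the FortiToken step is only ever reached from
#    a corporate device. The second factor itself is unchanged: it stays on
#    the local user / RADIUS object that "SSLVPN-Users" already contains.
config vpn ssl settings
    set reqclientcert enable
    config authentication-rule
        edit 1
            set groups "SSLVPN-Users"
            set portal "full-access"
            set client-cert enable
            set user-peer "corp-laptop-cert"
        next
    end
end

# 3. Verification: connect from a machine without the certificate and watch the
#    handshake fail, then from a corporate notebook and watch the normal
#    password + token prompt appear.
#    diagnose debug application sslvpn -1
#    diagnose debug enable
```

Two caveats a practitioner will want: with `reqclientcert enable` every client of that listener must present a certificate, so the rule must cover every user population that is supposed to keep connecting, and the control is only as strong as the private key's protection on the notebook. Issue the device certificate with a non-exportable key (ideally TPM-backed) through your enrolment process; an exportable key in the user's store can be copied to a personal machine and the check then proves nothing about the device.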
kamarale
New Contributor

Hello,

Does anyone know the answer to these questions?

Thanks in advance.

Regards.