Fortinet Forum
kkoshan
New Contributor

SSL VPN portal profile based Host check

Hi,

I am working on an SSL VPN configuration to perform a host check of the PC that user1 is connecting from. If the PC is joined to domain1, then give him portal profile A; otherwise give him portal profile B.

Basically we would like to limit access for Non-domain joined PCs.

I have configured a host check to perform a registry key check for the domain name, which is working fine. However, if the same user tries to connect from a non-domain-joined PC, it does not let them connect at all. I would like them to be able to connect, but with limited access and a different IP address.

ChrisTan
Staff

Does a realm + portal help in your case? For a non-domain PC, try https://wanip/byod, where byod is your new realm that also matches the LDAP user but has no registry key check. The new portal can help to achieve limited access and a different IP address.

ChrisTan
kkoshan

Thanks for the quick response Chris. Anything would help. Can you guide me to a knowledge base article which I can use to achieve this?

kkoshan

BTW, one of the requirements is for both domain-joined and non-domain-joined users to use FortiClient to connect to the VPN. Our current configuration allows FortiClient users if they are joined to the domain, and BYOD users use the web portal; that is also working, but we want both users to use FortiClient and have the host check differentiate between company PC and BYOD.

ChrisTan
Staff

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/724772/ssl-vpn-multi-realm

This is the realm config example.

The purpose of the realm here is to allow user login from different channels. You can apply different portals that match different host checks, for example a 'domain' portal with a domain host registry check and a 'BYOD' portal with a MAC address check, as well as a different IP address pool.

ChrisTan
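Chris's two replies put together as one FortiOS CLI example. This is an added illustration, not Chris's configuration and not taken from the linked cookbook page. The realm name, pool ranges, the LDAP group "ldap-vpn-users", the host-check item name and its registry target, the inside interface "port2" and the address object "internal-web-apps" are all assumed placeholders. The BYOD FortiClient is pointed at the realm URL (wanip/byod) so it matches authentication rule 1 and gets the limited portal and pool; a domain PC using the plain URL matches rule 2, where the registry host check is enforced. A failed host check rejects the login on that portal rather than falling through to another portal, which is why the single-URL setup kkoshan describes does not connect non-domain PCs at all; the split into two portals is done by realm, and the access limit is enforced by the firewall policy on each pool.

```fortios
# Registry host check that only domain-joined PCs pass.
# Item name and registry target are placeholders; use the key your
# existing host check already verifies.
config vpn ssl web host-check-software
    edit "domain1-regcheck"
        set os-type windows
        set type fw
        config check-item-list
            edit 1
                set action require
                set type registry
                set target "HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Domain1Member"
            next
        end
    next
end

# Two IP pools so firewall policy can tell the two client classes apart.
config firewall address
    edit "domain-pool"
        set type iprange
        set start-ip 10.212.134.1
        set end-ip 10.212.134.100
    next
    edit "byod-pool"
        set type iprange
        set start-ip 10.212.135.1
        set end-ip 10.212.135.100
    next
end

# Portal for company PCs: tunnel mode, domain pool, registry host check.
# Portal for BYOD: tunnel mode, BYOD pool, no host check.
config vpn ssl web portal
    edit "domain-portal"
        set tunnel-mode enable
        set ip-pools "domain-pool"
        set host-check custom
        set host-check-policy "domain1-regcheck"
    next
    edit "byod-portal"
        set tunnel-mode enable
        set ip-pools "byod-pool"
    next
end

# Realm reached as https://wanip/byod (FortiClient gateway "wanip/byod").
config vpn ssl web realm
    edit "byod"
        set url-path "byod"
    next
end

# Same LDAP group in both rules; the realm decides which portal applies.
config vpn ssl settings
    set tunnel-ip-pools "domain-pool" "byod-pool"
    config authentication-rule
        edit 1
            set groups "ldap-vpn-users"
            set realm "byod"
            set portal "byod-portal"
        next
        edit 2
            set groups "ldap-vpn-users"
            set portal "domain-portal"
        next
    end
end

# Access limit lives here: full access from domain-pool, only HTTPS to
# a defined set of hosts from byod-pool.
config firewall policy
    edit 10
        set name "sslvpn-domain-full"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "domain-pool"
        set dstaddr "all"
        set groups "ldap-vpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set name "sslvpn-byod-limited"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "byod-pool"
        set dstaddr "internal-web-apps"
        set groups "ldap-vpn-users"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Rule order matters: authentication rules are evaluated top down, so the realm-specific rule sits above the general one. Check the result with `diagnose vpn ssl list` (assigned IP and portal per session) and by confirming that a FortiClient on a non-domain PC using the plain URL is still refused by the registry check, while the same user on the same PC connecting to wanip/byod gets an address from 10.212.135.0/24.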
kkoshan

Thanks Chris, we want the URL to not change. Both machines should be able to connect to VPN and use the same URL.

So, I want the host check to check if the registry key is present; if yes, then give the user Profile Domain, and if not, then give the user Profile BYOD.