Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
N_W
New Contributor II

For EMS users in the domain.

Hello,

How can I prevent users who are not in the domain from making SSL VPN connections in FortiEMS?"

 

10 REPLIES 10
AEK
SuperUser
SuperUser

Hi

You can use EMS tags (as source) in the related firewall policy.

Actually this will allow them connect to SSL-VPN, nevertheless they will be denied from any traffic.

AEK
AEK
N_W
New Contributor II

Hello, thank you very much for your response. Do you have any documentation about this configuration? I couldn't imagine it clearly. I am using EMS on the endpoint side. Regards."

ozkanaltas
Valued Contributor II

Hello @N_W ,

 

 


You can use the zero trust tag in your remote access profile on FortiClientEMS. If the client has a related tag, you can allow this client to connect to vpn. If not client can't connect to vpn.

 

For example, as per your request, you can create Zero trust tag like this.

image.png

 

After that, you can use this tag in the Remote Access profile.

 

image.png


You can find more information in these links about creating zero-trust tags and using zero-trust tags to allow/block clients according to zero-trust tags.

 
https://docs.fortinet.com/document/forticlient/7.2.4/ems-administration-guide/142/adding-a-zero-trus...

 

https://docs.fortinet.com/document/forticlient/7.2.4/ems-administration-guide/701440/configuring-a-p...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
N_W
New Contributor II

Hello, thank you very much for your support and assistance

N_W
New Contributor II

Hello, I did as you said, but users who are not in the domain were able to connect. Can I prohibit others except for those in the domain from connecting? Thank you 

ozkanaltas
Valued Contributor II

Hello @N_W ,

 

Can you check this area? Which option was selected in your profile? It should be "Allow".

 

Additionally,  can you check your client tag status in Zero Trust Tag monitor menu? Is all client got their tag? 

 

 image.png

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
N_W
New Contributor II

Hello, Yes, I defined the access to the domain as 'xsirket.com' under the Zero Trust tagging rules. Subsequently, I also saw other users under the 'tag monitor' section. In the 'Remote Access' section, I allowed 'domain-users' through the SSL VPN tunnel edit option. When I checked the logs, I noticed that users with this tag were able to connect, even those not included in the domain. Despite seeing 'unregistered' in the logs, non-domain PCs were still able to establish an SSL VPN connection. Thank you.domain-users.PNGtag-monitor.PNGzero-trust.PNG

ozkanaltas
Valued Contributor II

Hello @N_W ,

 

Are all clients connecting to SSL-VPN (especially those not included in the domain) managed by FortiClientEMS? 

 

If they are not managed, you cannot prevent them from connecting, but only after they are connected can you block them from accessing company resources with policy.

 

Or If you want only users registered with EMS to be able to connect to VPN, you can check the client serial number on Fortigate.

 

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/710480/enhancing-vpn-securit...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
N_W
New Contributor II

Hello, Actually, what I want to do is, if the devices I can't manage are not in the domain, they won't be able to do SSL VPN. In that case, I'll need to individually add the serial numbers of the devices I want to enable SSL VPN. Thank you for your interest and attention.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors