Hello,
How can I prevent users who are not in the domain from making SSL VPN connections in FortiEMS?"
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi
You can use EMS tags (as source) in the related firewall policy.
Actually this will allow them connect to SSL-VPN, nevertheless they will be denied from any traffic.
Hello, thank you very much for your response. Do you have any documentation about this configuration? I couldn't imagine it clearly. I am using EMS on the endpoint side. Regards."
Hello @N_W ,
You can use the zero trust tag in your remote access profile on FortiClientEMS. If the client has a related tag, you can allow this client to connect to vpn. If not client can't connect to vpn.
For example, as per your request, you can create Zero trust tag like this.
After that, you can use this tag in the Remote Access profile.
You can find more information in these links about creating zero-trust tags and using zero-trust tags to allow/block clients according to zero-trust tags.
Hello, thank you very much for your support and assistance
Hello, I did as you said, but users who are not in the domain were able to connect. Can I prohibit others except for those in the domain from connecting? Thank you
Hello @N_W ,
Can you check this area? Which option was selected in your profile? It should be "Allow".
Additionally, can you check your client tag status in Zero Trust Tag monitor menu? Is all client got their tag?
Hello, Yes, I defined the access to the domain as 'xsirket.com' under the Zero Trust tagging rules. Subsequently, I also saw other users under the 'tag monitor' section. In the 'Remote Access' section, I allowed 'domain-users' through the SSL VPN tunnel edit option. When I checked the logs, I noticed that users with this tag were able to connect, even those not included in the domain. Despite seeing 'unregistered' in the logs, non-domain PCs were still able to establish an SSL VPN connection. Thank you.
Hello @N_W ,
Are all clients connecting to SSL-VPN (especially those not included in the domain) managed by FortiClientEMS?
If they are not managed, you cannot prevent them from connecting, but only after they are connected can you block them from accessing company resources with policy.
Or If you want only users registered with EMS to be able to connect to VPN, you can check the client serial number on Fortigate.
Hello, Actually, what I want to do is, if the devices I can't manage are not in the domain, they won't be able to do SSL VPN. In that case, I'll need to individually add the serial numbers of the devices I want to enable SSL VPN. Thank you for your interest and attention.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1631 | |
1063 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.