Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
N_W
New Contributor II

Created on ‎03-18-2024 10:05 AM

For EMS users in the domain.

Hello,

How can I prevent users who are not in the domain from making SSL VPN connections in FortiEMS?"

 

Labels:
686
0 Kudos
10 REPLIES 10
AEK
SuperUser
SuperUser

Created on ‎03-18-2024 10:14 AM

Hi

You can use EMS tags (as source) in the related firewall policy.

Actually this will allow them connect to SSL-VPN, nevertheless they will be denied from any traffic.

AEK
AEK
578
N_W
New Contributor II
In response to AEK

Created on ‎03-18-2024 10:59 AM

Hello, thank you very much for your response. Do you have any documentation about this configuration? I couldn't imagine it clearly. I am using EMS on the endpoint side. Regards."

566
0 Kudos
ozkanaltas
Contributor III

Created on ‎03-18-2024 11:22 AM

Hello @N_W ,

 

 


You can use the zero trust tag in your remote access profile on FortiClientEMS. If the client has a related tag, you can allow this client to connect to vpn. If not client can't connect to vpn.

 

For example, as per your request, you can create Zero trust tag like this.

image.png

 

After that, you can use this tag in the Remote Access profile.

 

image.png


You can find more information in these links about creating zero-trust tags and using zero-trust tags to allow/block clients according to zero-trust tags.

 
https://docs.fortinet.com/document/forticlient/7.2.4/ems-administration-guide/142/adding-a-zero-trus...

 

https://docs.fortinet.com/document/forticlient/7.2.4/ems-administration-guide/701440/configuring-a-p...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
555
N_W
New Contributor II
In response to ozkanaltas

Created on ‎03-18-2024 11:46 AM

Hello, thank you very much for your support and assistance

553
0 Kudos
N_W
New Contributor II

Created on ‎03-19-2024 01:13 AM

Hello, I did as you said, but users who are not in the domain were able to connect. Can I prohibit others except for those in the domain from connecting? Thank you 

521
0 Kudos
ozkanaltas
Contributor III
In response to N_W

Created on ‎03-19-2024 01:27 AM

Hello @N_W ,

 

Can you check this area? Which option was selected in your profile? It should be "Allow".

 

Additionally,  can you check your client tag status in Zero Trust Tag monitor menu? Is all client got their tag? 

 

 image.png

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
518
N_W
New Contributor II

Created on ‎03-19-2024 01:34 AM

Hello, Yes, I defined the access to the domain as 'xsirket.com' under the Zero Trust tagging rules. Subsequently, I also saw other users under the 'tag monitor' section. In the 'Remote Access' section, I allowed 'domain-users' through the SSL VPN tunnel edit option. When I checked the logs, I noticed that users with this tag were able to connect, even those not included in the domain. Despite seeing 'unregistered' in the logs, non-domain PCs were still able to establish an SSL VPN connection. Thank you.domain-users.PNGtag-monitor.PNGzero-trust.PNG

516
0 Kudos
ozkanaltas
Contributor III
In response to N_W

Created on ‎03-19-2024 02:26 AM

Hello @N_W ,

 

Are all clients connecting to SSL-VPN (especially those not included in the domain) managed by FortiClientEMS? 

 

If they are not managed, you cannot prevent them from connecting, but only after they are connected can you block them from accessing company resources with policy.

 

Or If you want only users registered with EMS to be able to connect to VPN, you can check the client serial number on Fortigate.

 

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/710480/enhancing-vpn-securit...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
489
N_W
New Contributor II

Created on ‎03-19-2024 03:00 AM

Hello, Actually, what I want to do is, if the devices I can't manage are not in the domain, they won't be able to do SSL VPN. In that case, I'll need to individually add the serial numbers of the devices I want to enable SSL VPN. Thank you for your interest and attention.

482
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.