Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
zkonrad001
New Contributor

FortiClient VPN Allow Domain PC's Only

There may already be a post about this but I could not find it.

We have Fortigate Firewalls and use the FortiClient VPN to work from home.

We actually have a few users that connect to the VPN from home, on their personal computers, and then remote into their work desktops.  We are finally getting laptops for these people, but it made me think, whats stopping them from installing FortiClient V7 from the internet and using our work credentials?  The users that "can" connect to the VPN do have to be in a security group.   But they could technically connect to our network with any device.  Huge security risk, I know.

 

Is there a way to use \\Active Directory\Security Groups or something that we can allow only certain devices to connect to the VPN.  Right now all we have is a Security Group that you have to be in to connect to the VPN.  But if you're in that group, whats stopping you from connecting with any device you have or buy or find or........

2 REPLIES 2
kcheng
Staff
Staff

Hi @zkonrad001 

 

You can control the access to your SSLVPN via the following options:

1. SSLVPN MAC address host check (require FortiClient EMS for 6.2.x and above)

2. ZTNA rule to control access to your internal network (require FortiClient EMS)

3. Configuring custom hostcheck to verify the domain name of the host (require FortiClient EMS for 6.2.x and above)

 

Option 1 would be tedious if you have a lot of machines that connects via SSLVPN. ZTNA would allow you to centrally manage all your FortiClient and assigning machines with tags on whether they are compliant to connect to the network. You may refer to the following documents for both options:

1. SSLVPN MAC Host Check:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-client-MAC-binding-supported-platf...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-host-check-on-SSL-VPN/ta-p/194337?exte...

 

2. ZTNA rule:

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/194961/basic-ztna-configuration

https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/78050/migrating-from-ssl-vpn...

 

3. Configuring custom host check:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Checking-AD-domain-of-host-connecting-to-a...

 

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
AEK
Honored Contributor

You need FortiClient EMS, otherwise simply use client certificates.

AEK
AEK
Labels
Top Kudoed Authors