Hi.
Got some Q about forticlient EMS.
We are using windows allways on vpn right now (not my choise) and would like Forticlient because of the VPN and ZTNA thing.
So can the Forticlient vpn in IPSEC mode use the computer certificate before login so the user can reset password (with a policies only allowing the things needed for that) and when the user logs in uses the user certificate to get more access? mayby with the ztna tags? like EAP-TEAP where you have the outher and inner methode.
if yes, does the client reset the first ipsec tunnel og makes another for the "inner" methode?
if its possible, then ill proberly make the samme setup from the outside and inside, so we are full ztna.
I'm about to do a poc so i can test it, done a lot of traditional ssl vpn remote access on fortigates, but would like the advance mode this time and ipsec other than ssl.
We got about 2200 clients and a 900g so the FGT can handle 50k ipsec tunnels.
Morten
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Mortin
I think you are looking for IPsec pre-login.
Hi Mortin,
ZTAN or full ZTNA you can use Access proxy or TCP forward proxy which also use certificate-based Authentication were you might not even required to connect via ipsec and enable the tagging.
@atfbooru wrote:Hi.
Got some Q about forticlient EMS.
We are using windows allways on vpn right now (not my choise) and would like Forticlient because of the VPN and ZTNA thing.
So can the Forticlient vpn in IPSEC mode use the computer certificate before login so the user can reset password (with a policies only allowing the things needed for that) and when the user logs in uses the user certificate to get more access? mayby with the ztna tags? like EAP-TEAP where you have the outher and inner methode.
if yes, does the client reset the first ipsec tunnel og makes another for the "inner" methode?
if its possible, then ill proberly make the samme setup from the outside and inside, so we are full ztna.
I'm about to do a poc so i can test it, done a lot of traditional ssl vpn remote access on fortigates, but would like the advance mode this time and ipsec other than ssl.
We got about 2200 clients and a 900g so the FGT can handle 50k ipsec tunnels.
Morten
Yes, FortiClient in IPsec mode can use a computer certificate for pre-login access, allowing password resets. Upon user login, it can switch to a user certificate for enhanced access, potentially utilizing ZTNA tags. The client may establish a new tunnel for this purpose. Testing this setup in your POC is a great idea!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1645 | |
1070 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.