I have an issue where we would like to prevent people from installing the SSLVPN client on their home computers and gaining access through to our systems in tunnel mode.
What I would like to do is to configure the SSLVPN to carry out a “RegKey Check” for a “arbitrary custom string” which you place in your registry and you would need to not only have the software installed but the key would need to match a predefined string otherwise deny your request to login.
Has anyone achieved this at all?
Kind Regards
Blacktip
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I thin you need to implement PKI.
In this case your clients should have valid certificates in their browsers or in a token.
Another solution is using FortiToken.
After entering correct user and pass, user must enter OTP (one time password) that can be generated with FortiToken.
Using email and sms is the same as implementing two factor authentication with FortiToken.So users will receive OTP through email or sms.
Thanks for your quick reply.
We do have a PKI infrastructure but I know when a previous colleague was working on the PoC (and he’s now left and didn’t document anything), there were issues in getting this working properly. I don’t know what these issues were and information from him now is not forthcoming and normally equates to no more than have you tried a reboot!!!
We don’t want to go down the route of the FortiToken as we already use a 2FFA mechanism through SafeNet which provides an OTP and we don’t want the additional cost.
Blacktip
Hi,
You can use the "host-check" function for this.
When the client connects to the firewall, the firewall sends out a check to the VPN client to look for:
1. Registry string
2. A file on your computer
3. A running process.
4. If you have a firewall software
5. If you have a antivirus software
So for your problem, use option 1,
config vpn ssl web host-check-software
edit <a name>
config check-item-list
edit 0
set type registry
set target <your registry string>
end
end
(be sure to type "get" and see all available options)
Then associate this policy with your SSL VPN portal.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Fantastic. This seems exactly like what I'm looking for.
Is the <your registry string> in your example in the format of:
"HKEY_LOCAL_MACHINE\SOFTWARE\Custom_Org_Hive\String_You_Want_To_Check_For"
Correct!
Here is a reference:
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Many thanks for your help here. Its much appreciated.
No problem! ;)
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
I have managed to start testing this today and I've done a new portal etc... and have configured the information, but I cant see where you associate the regkey check policy against the SSL VPN Portal. Has this moved in 5.2.1?
config vpn ssl web portal
edit <tunnel>
set host-check custom
set host-check-policy <profile>
end
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.