I have an issue where we would like to prevent people from installing the SSLVPN client on their home computers and gaining access to our systems in tunnel mode.
What I would like to do is configure the SSLVPN to carry out a "RegKey Check" for an "arbitrary custom string" which you place in your registry; you would need to not only have the software installed, but the key would also need to match a predefined string, otherwise your login request is denied.
Has anyone achieved this at all?
Kind Regards
Blacktip
Hmmm
I managed to apply the host-check-policy to the SSL web portal, but I now seem to get an error with blah blah blah (-7006), which is "host does not meet the requirement". Either my syntax is incorrect or the firewall can't read the regkey, even though I've made the key readable to everyone.
Grrr
This is getting interesting now. I configured the Host Checking part as below:-

    config vpn ssl web host-check-software
        edit RegKeyCheck
            config check-item-list
                edit 1
                    set action require
                    set type registry
                    set target "HKLM\SOFTWARE\ABC\RegKeyCheck\C7764C78"
                next
            end
        next
    end

Then I assigned this Host Checking Policy to the Web Portal:-

    config vpn ssl web portal
        edit "Managed_Device"
            set host-check custom
            set host-check-policy RegKeyCheck
        next
    end
I created the RegKey in question on the client device and made this readable to everyone.
I then ran the Process Monitor to have a look at what RegKeys were being called.
Made the connection with the client again.
Connection failed with error message:-
Warning
Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface. (-7006)
When I then look at Process Monitor, I can see that FortiClient.exe made a RegOpenKey operation and looked for a path of HKLM\SOFTWARE\ABC\RegKeyCheck\C7764C78 with a Result of NAME NOT FOUND and a Detail of "Desired Access: Query Value".
OK, this feature does not behave as you would expect it to, but I do have this working now.
When you create the regkey on the laptop, such as the following example:-
HKLM\SOFTWARE\ABC\RegkeyCheck\123456
You need to configure the vpn ssl web host-check-software to:-
set target "HKLM\SOFTWARE\ABC" and NOT "HKLM\SOFTWARE\ABC\RegkeyCheck\123456" or "HKLM\SOFTWARE\ABC\RegkeyCheck".
As long as you have something in that hive (RegKeyCheck) then it will work. It does not check for the RegKeyCheck field itself per se, or the value of that field; it's just a simple "Does the path exist" query only.
You can use "reg query" to show how you can't/can see the result. See below:-
A failed query:-

    C:\>reg query HKLM\SOFTWARE\ABC\RegKeyCheck\
    ERROR: The system was unable to find the specified registry key or value.

    C:\>

A working query:-

    C:\>reg query HKLM\SOFTWARE\ABC\

    HKEY_LOCAL_MACHINE\SOFTWARE\ABC
        RegKeyCheck    REG_SZ    123456

    C:\>
Really annoying.
Hi
I'm looking for a similar function.
If the regkey does not exist on the connecting PC, is it then possible to redirect that user/PC to a specific policy that allows the user only to run RDP to the user's own office computer?
If the user uses his domain-joined laptop computer it should have full access, but if using a home computer, only the access described above.
rofo
The match is a policy to say required (default behaviour) or deny. There is no "alternate action" for the matching statement.
Thanks for the answer, Blacktip.
Can I instead set up a web portal with a different WAN IP and let the home-working user connect his FortiClient to that IP, and set up another SSL VPN tunnel address for that portal?
FYI, you can check for a specific reg key and value. I use it to ensure the computer is joined to the domain xxx.com.
For Blacktip's example it would be:
"HKLM\SOFTWARE\ABC:RegKeyCheck==123456"
To check if the computer is joined to domain xxx.com:
"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:Domain==xxx.com"
300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to lose track.
Over 100 WiFi AP's and growing.
FAZ-200D
FAC-VM 2 node cluster
Friends don't let friends FWF!
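The two posts above between them describe two target forms for a registry host check: a bare key path, which FortiClient answers with a plain "does this key exist" lookup (which is why a target that names a value rather than a subkey fails with -7006), and the "key:value==data" form, which compares the data of a named value. The PowerShell below is an added example, not code from the thread or from Fortinet: it evaluates a target string of either form against the local registry so an admin can rehearse a check on the laptop before pushing it to the FortiGate. The "key:value==data" parsing follows the syntax given in the reply above; the hive table, the function name and the -RehearsalRoot switch (which redirects HKLM paths under an HKCU scratch key so the dry run needs no admin rights) are this script's own assumptions, and the marker value it creates is constructed test data.

```powershell
# Added example (not from the thread): evaluate a FortiGate host-check registry
# target locally. Two forms are handled, as discussed in the posts above:
#   "HKLM\SOFTWARE\ABC"                      -> key must exist (path-only check)
#   "HKLM\SOFTWARE\ABC:RegKeyCheck==123456"  -> value RegKeyCheck under the key must equal 123456
# Assumptions of this script: the HKLM/HKCU hive table, the -RehearsalRoot
# redirection, and that FortiClient compares value data as a string.
function Test-HostCheckTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Target,
        # Assumption: when set, the hive is replaced by this scratch key so the
        # check can be rehearsed without admin rights. Leave empty for the real key.
        [string]$RehearsalRoot = ''
    )

    # Split "key:value==data"; a path-only target has no ':' after the hive.
    $keyPath = $Target; $valueName = $null; $expected = $null
    if ($Target -match '^(?<key>[^:]+):(?<name>[^=]+)==(?<data>.*)$') {
        $keyPath = $Matches.key; $valueName = $Matches.name; $expected = $Matches.data
    }

    # Map the hive abbreviation used in the target to a PowerShell provider path.
    $hives = @{ 'HKLM' = 'HKLM:'; 'HKCU' = 'HKCU:' }
    $hive, $rest = $keyPath -split '\\', 2
    if (-not $hives.ContainsKey($hive.ToUpper())) { throw "Unsupported hive '$hive'" }
    $psPath = '{0}\{1}' -f $hives[$hive.ToUpper()], $rest
    if ($RehearsalRoot) { $psPath = Join-Path $RehearsalRoot $rest }

    $result = [ordered]@{ Target = $Target; Key = $psPath; KeyExists = $false
                          ValueData = $null; Pass = $false; Reason = '' }

    # Path-only lookup: this is all a bare target gets, so a value name in the
    # last path segment fails here exactly as the -7006 case in the thread.
    if (-not (Test-Path -LiteralPath $psPath)) {
        $result.Reason = 'key does not exist (would fail with -7006)'
        return [pscustomobject]$result
    }
    $result.KeyExists = $true

    if ($null -eq $valueName) {
        $result.Pass = $true; $result.Reason = 'path-only check: key exists'
        return [pscustomobject]$result
    }

    # Value comparison for the "key:value==data" form.
    $item = Get-ItemProperty -LiteralPath $psPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $result.Reason = "value '$valueName' not present under key"
        return [pscustomobject]$result
    }
    $result.ValueData = [string]$item.$valueName
    if ($result.ValueData -eq $expected) {
        $result.Pass = $true; $result.Reason = 'value data matches'
    } else {
        $result.Reason = "value is '$($result.ValueData)', expected '$expected'"
    }
    [pscustomobject]$result
}

# Rehearsal under HKCU (no admin rights needed). The marker is constructed
# test data laid out the way the thread describes it: a REG_SZ value named
# RegKeyCheck with data 123456 under SOFTWARE\ABC.
$root = 'HKCU:\SOFTWARE\HostCheckRehearsal'   # assumed scratch location
New-Item -Path "$root\SOFTWARE\ABC" -Force | Out-Null
New-ItemProperty -Path "$root\SOFTWARE\ABC" -Name RegKeyCheck -Value '123456' `
    -PropertyType String -Force | Out-Null

@(
    'HKLM\SOFTWARE\ABC',                       # passes: key exists
    'HKLM\SOFTWARE\ABC\RegKeyCheck',           # fails: RegKeyCheck is a value, not a subkey
    'HKLM\SOFTWARE\ABC:RegKeyCheck==123456',   # passes: value and data match
    'HKLM\SOFTWARE\ABC:RegKeyCheck==654321'    # fails: data differs
) | ForEach-Object { Test-HostCheckTarget -Target $_ -RehearsalRoot $root } |
    Format-Table Target, KeyExists, ValueData, Pass, Reason -AutoSize

Remove-Item -Path $root -Recurse -Force
```

Run it without -RehearsalRoot from an elevated prompt to test the real HKLM key, for example with the Tcpip\Parameters:Domain target from the reply above. Note that PowerShell's -eq is case-insensitive for strings, so a domain name will match regardless of case here; whether FortiClient compares case-sensitively is not stated in the thread, so treat a case-only mismatch as something to verify against the FortiGate rather than rely on.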
Can anyone tell me how host check is working, i.e. the background functionality?
Like, Fortinet first sends the host check policy, then it is received by the browser where the user has logged in,
then the policy package is installed on the PC.
I am asking because we will not configure these policies on the PC but only on the FortiGate, so how will the PC provide the information?
One more question. I haven't seen anywhere in the Fortinet documents whether we require the Fortinet client software or not if we enable host check.
Can we use this in tunnel mode or in web mode only?
I don't know when I will get a revert for this, but it is urgent, so please revert early if possible.
FortiClient must be the VPN software as it's what checks and replies to the lookup.