Hello, I'm looking for some best practice/guidance on opening our fortiauthenticator to the internet so our remote users can utilize their fortitokens at home more easily as we occasionally have issues with offline tokens.
Is it really as simple as creating a public dns entry and then creating a VIP on the FortiGate firewall followed by a policy that allows that traffic to the fortiauthenticator via port 443? Do I need a certificate from a trusted root CA on the internet to do this setup for those at home users? I see there is a checkbox to "Verify Server Certificate" so that's why I ask. I believe that should add an additional layer of protection by checking that box, correct?
I like doing the dns entry as I can then create a new zone in my internal AD environment for my internal users to point to the same DNS entry, so it works both internally and externally seamlessly.
Are there any cookbook articles that talk about this to ensure it is completely secure? Just looking to avoid any issues opening it up to the internet, even if only on 443.
Thanks in advance, I do appreciate it.
Yep it's that simple and yep definitely get a certificate.
Here's documentation showing ports required:
I mean yeah it's just a web server so do what you would normally do to open up access to a web server.
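As an added example (not from the thread or from Fortinet's own documentation), here is the VIP plus policy the question describes, written as FortiOS CLI. Interface names and IP addresses are placeholders; the VIP forwards only TCP/443 rather than the whole public IP, the policy allows only the HTTPS service, and all sessions are logged.

```fortios
# Added example, not from this thread: one-port VIP for the FortiAuthenticator
# behind a FortiGate, plus the matching inbound policy.
# Placeholders: wan1, internal, 203.0.113.10 and 192.0.2.20 are illustrative.
config firewall vip
    edit "vip-fortiauthenticator-https"
        set extintf "wan1"              # placeholder: internet-facing interface
        set extip 203.0.113.10          # placeholder: public IP the DNS entry points to
        set mappedip "192.0.2.20"       # placeholder: FortiAuthenticator internal IP
        set portforward enable          # forward a single port, not every port on the IP
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 0
        set name "internet-to-fortiauthenticator-https"
        set srcintf "wan1"
        set dstintf "internal"          # placeholder: interface toward the FortiAuthenticator
        set srcaddr "all"
        set dstaddr "vip-fortiauthenticator-https"
        set action accept
        set schedule "always"
        set service "HTTPS"             # TCP/443 only; nothing else reaches the appliance
        set logtraffic all              # log every session so exposure can be monitored
    next
end
```

Only the VIP object is referenced as the destination, so no other address on the FortiAuthenticator is reachable from the WAN through this policy.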