SkeletonManGabe
New Contributor III

Open FortiAuthenticator to the Internet

Hello, I'm looking for some best practice/guidance on opening our FortiAuthenticator to the internet so our remote users can utilize their FortiTokens at home more easily, as we occasionally have issues with offline tokens.

Is it really as simple as creating a public DNS entry and then creating a VIP on the FortiGate firewall followed by a policy that allows that traffic to the FortiAuthenticator via port 443? Do I need a certificate from a trusted root CA on the internet to do this setup for those at-home users? I see there is a checkbox to "Verify Server Certificate" so that's why I ask. I believe that should add an additional layer of protection by checking that box, correct?

I like doing the DNS entry as I can then create a new zone in my internal AD environment for my internal users to point to the same DNS entry, so it works both internally and externally seamlessly.

Are there any cookbook articles that talk about this to ensure it is completely secure? Just looking to avoid any issues opening it up to the internet, even if only on 443.

Thanks in advance, I do appreciate it.

1 Solution
gfleming
Staff

Yep it's that simple and yep definitely get a certificate.

Here's documentation showing ports required:

https://docs.fortinet.com/document/fortiauthenticator/6.4.0/fortiauthenticator-ports/940947/incoming...

https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/858763/adding-a-fortitoken-to-t...

I mean yeah it's just a web server so do what you would normally do to open up access to a web server.

Cheers,
Graham
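
The VIP and policy discussed in this thread, sketched as FortiGate CLI. This is an added example, not configuration from either poster or from Fortinet's documentation. The interface names (`wan1`, `internal`), the addresses (203.0.113.10 is a documentation-range placeholder, 10.0.10.5 a made-up internal address) and the object names are assumptions to replace with your own; the `#` lines are annotations to leave out when pasting.

```fortios
# Assumed values: wan1 = internet-facing interface, internal = interface
# toward the FortiAuthenticator, 203.0.113.10 = public IP behind the
# public DNS record, 10.0.10.5 = FortiAuthenticator's internal IP.

# Port-forwarding VIP: only TCP 443 is translated, so no other port on
# the FortiAuthenticator becomes reachable through this object.
config firewall vip
    edit "FAC-HTTPS-VIP"
        set comment "Public HTTPS to FortiAuthenticator (example)"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.10.5"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# Inbound policy: destination is the VIP object, service is HTTPS only,
# and all sessions are logged so access to the exposed service can be
# reviewed later.
config firewall policy
    edit 0
        set name "Internet-to-FAC-HTTPS"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "FAC-HTTPS-VIP"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        # Optional, treating it like any other published web server:
        # attach an IPS sensor ("default" is the built-in sensor name).
        set utm-status enable
        set ips-sensor "default"
    next
end
```

With the certificate from a trusted CA installed on the FortiAuthenticator and issued for the public DNS name, the same name resolves to 203.0.113.10 externally and to 10.0.10.5 through the internal zone, so certificate verification passes in both places.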
