Hello, I'm looking for some best practice/guidance on opening our FortiAuthenticator to the internet so our remote users can utilize their FortiTokens at home more easily, as we occasionally have issues with offline tokens.
Is it really as simple as creating a public DNS entry and then creating a VIP on the FortiGate firewall, followed by a policy that allows that traffic to the FortiAuthenticator via port 443? Do I need a certificate from a trusted root CA on the internet to do this setup for those at-home users? I see there is a checkbox to "Verify Server Certificate", so that's why I ask. I believe checking that box should add an additional layer of protection, correct?
I like doing the DNS entry, as I can then create a new zone in my internal AD environment for my internal users to point to the same DNS entry, so it works both internally and externally seamlessly.
Are there any cookbook articles that talk about this to ensure it is completely secure? Just looking to avoid any issues opening it up to the internet, even if only on 443.
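For reference, the publish-on-443 setup described in the question (VIP plus a policy that allows only HTTPS to the FortiAuthenticator) looks roughly like the following on the FortiGate CLI. This is an added illustration, not from the original post or from Fortinet documentation; the interface names (`wan1`, `internal`), the addresses (RFC 5737 documentation ranges) and the object names are placeholders to be replaced with your own values.

```text
# Added example, not from the original post. Interface names, IPs and object
# names are assumptions/placeholders.

# 1. VIP: map the public address, TCP/443 only, to the FortiAuthenticator.
config firewall vip
    edit "vip-fac-https"
        set extip 203.0.113.10          # public IP your DNS record points at
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "192.0.2.20"       # internal FortiAuthenticator address
        set mappedport 443
    next
end

# 2. Policy: only the HTTPS service, only to the VIP, with full logging so
#    inbound attempts are visible in the traffic log.
config firewall policy
    edit 0
        set name "Inbound-FortiAuthenticator-HTTPS"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-fac-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Because the VIP forwards port 443 only and the policy allows only the `HTTPS` service, nothing else on the FortiAuthenticator is reachable from the internet through this path. For the "Verify Server Certificate" option to work for home users, the certificate the FortiAuthenticator presents on that public name needs to chain to a CA the clients already trust, which in practice means a publicly trusted CA or an internal CA that is also installed on every remote device.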