mumbles202
New Contributor II

Remote Access VPN based on AD group membership

I'm trying to set up a 200F so that multiple AD groups can connect to the site using FortiClient (IPsec, not SSL) for VPN access. Group1 should be allowed to a subset of IPs, group2 a different set of IPs, etc. Should I just create the groups on the FGT and then make multiple rules from the VPN zone to LAN and just call the respective group in the source for each one? Or will that match all users regardless, since they will have the same source IP (from the DHCP pool)?

gfleming
Staff

You can do it both ways. Have a different VPN portal with unique IP Pool for users based on different AD group membership. Or, put everyone in the same portal with the same IP Pool and use Firewall Policies to restrict access using AD group membership.

On a Firewall Policy if you define two rules each with the same source and dest IP but different source user groups, then you will only match the policy that has the correct user.

Then, create different portals for each respective group with the relevant restrictions in place.

Cheers,
Graham
mumbles202
New Contributor II

Thanks for the reply. This is for IPsec, so are different portals an option? I know for SSL I would have more options, but I'm not going that route yet.

Vichu_94
Staff

Hi,

For an IPsec tunnel, you could configure "Inherit from policy" on the IPsec phase 1 of the firewall.


Then you could configure the required firewall policies, with groups set on each policy.
When users connect to the VPN, they would be able to access the required resources based on the firewall policy.

Regards

Vishal P
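To make the two answers above concrete, here is an added FortiOS CLI sketch of the "inherit from policy" approach; it is not from this thread or from Fortinet documentation. It assumes an LDAP server object "ad-ldap" already exists, and all names, DNs, interfaces, addresses and the PSK are placeholders; leaving `authusrgrp` unset in phase1 is my understanding of the CLI form of the GUI's "Inherit from policy", so verify it on your firmware.

```fortios
# Map two AD groups to FortiGate user groups via the existing LDAP object "ad-ldap"
config user group
    edit "grp-finance"
        set member "ad-ldap"
        config match
            edit 1
                set server-name "ad-ldap"
                set group-name "CN=Finance,OU=Groups,DC=example,DC=com"
            next
        end
    next
    edit "grp-it"
        set member "ad-ldap"
        config match
            edit 1
                set server-name "ad-ldap"
                set group-name "CN=IT,OU=Groups,DC=example,DC=com"
            next
        end
    next
end
# Dialup IPsec phase1: authusrgrp is deliberately NOT set (assumed CLI form of "Inherit from policy")
config vpn ipsec phase1-interface
    edit "fc-ipsec"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set xauthtype auto
        set ipv4-start-ip 10.99.0.10
        set ipv4-end-ip 10.99.0.250
        set psksecret <placeholder-psk>
    next
end
# Every VPN policy shares srcintf/srcaddr; only groups and dstaddr differ,
# so the user group, not the pool IP, decides which policy matches.
# Repeat the block with "grp-it"/"net-it"; anything unmatched hits the implicit deny.
config firewall policy
    edit 0
        set name "vpn-finance"
        set srcintf "fc-ipsec"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "net-finance"
        set groups "grp-finance"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Keeping dstaddr to the smallest object each group needs, and logging all sessions on these policies, gives you least privilege per AD group plus an audit trail of which user reached which subnet.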