Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
random_guy
New Contributor III

SSL VPN Device Auth?

Is it possible to authenticate the device along with the user when connecting to an SSL VPN using the free Forticlient VPN only app? Currently using Azure saml w/ MFA. We'd like to prevent users from trying to sign in with their personal devices.

 

Thanks

3 REPLIES 3
Astroluna
New Contributor

Yes, it is possible to authenticate the device along with the user when connecting to an SSL VPN using the free Forticlient VPN only app. This can be achieved by enabling a feature called "Endpoint Control" in your FortiGate SSL VPN configuration.

With Endpoint Control enabled, the FortiGate VPN gateway will perform a device compliance check before allowing a user to connect to the VPN. This check can include verifying that the device has certain software installed, checking for the presence of security updates, and ensuring that the device meets other policy requirements.

To configure Endpoint Control, you will need to:

  1. Enable Endpoint Control on your FortiGate SSL VPN gateway.
  2. Define a compliance profile that specifies the requirements for devices connecting to the VPN.
  3. Configure FortiClient VPN only app to connect to your SSL VPN gateway with Azure SAML authentication and MFA.
  4. Test the configuration to ensure that only compliant devices can connect to the VPN.

By using Endpoint Control, you can prevent users from connecting to the VPN with unapproved or personal devices, helping to secure your network and data. último resultado de Astro luna

 

 

 

Astroluna resultado
Astroluna resultado
alexkhan
New Contributor

  1. User Initiates VPN Connection: A user attempts to establish a VPN connection from their device (e.g., laptop, smartphone) to a remote network or server using SSL VPN.

  2. Client-Side Certificate: During the initial connection attempt, the VPN client on the user's device presents a client-side certificate. This certificate is typically pre-installed on the user's device and is used for authentication.

  3. Server Authentication: The SSL VPN server verifies the authenticity of the client-side certificate. This verification ensures that the certificate presented by the connecting device is legitimate and has not been tampered with.

  4. Device Identity Check: The server checks if the certificate matches a list of trusted certificates or certificate authorities (CAs). If the certificate is trusted and valid, the server proceeds with the connection.

  5. User Credentials: In addition to device authentication, the user may also be required to provide their username and password for further authentication. This dual authentication method (device and user) enhances security.

  6. Secure Tunnel Establishment: Once the client-side certificate and user credentials (if required) are validated, a secure SSL VPN tunnel is established between the user's device and the VPN server.

  7. Access Control: Access control policies are applied to determine what network resources and services the user/device can access within the VPN network. These policies are typically based on user roles, groups, or device types.

  8. Encrypted Communication: All data transmitted between the user's device and the VPN server is encrypted, ensuring the confidentiality and integrity of the communication. Technology 

vbandha
Staff
Staff

You can also use mac address check to make sure only approved devices are allowed to connect to ssl vpn.
Here is more information on how to configure that:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-address-check-on-SSL-VPN-connections/t...

Top Kudoed Authors