Is it possible to authenticate the device along with the user when connecting to an SSL VPN using the free FortiClient VPN-only app? Currently using Azure SAML w/ MFA. We'd like to prevent users from trying to sign in with their personal devices.
Thanks
Yes, it is possible to authenticate the device along with the user when connecting to an SSL VPN using the free Forticlient VPN only app. This can be achieved by enabling a feature called "Endpoint Control" in your FortiGate SSL VPN configuration.
With Endpoint Control enabled, the FortiGate VPN gateway will perform a device compliance check before allowing a user to connect to the VPN. This check can include verifying that the device has certain software installed, checking for the presence of security updates, and ensuring that the device meets other policy requirements.
To configure Endpoint Control, you will need to:
By using Endpoint Control, you can prevent users from connecting to the VPN with unapproved or personal devices, helping to secure your network and data.
User Initiates VPN Connection: A user attempts to establish a VPN connection from their device (e.g., laptop, smartphone) to a remote network or server using SSL VPN.
Client-Side Certificate: During the initial connection attempt, the VPN client on the user's device presents a client-side certificate. This certificate is typically pre-installed on the user's device and is used for authentication.
Server Authentication: The SSL VPN server verifies the authenticity of the client-side certificate. This verification ensures that the certificate presented by the connecting device is legitimate and has not been tampered with.
Device Identity Check: The server checks if the certificate matches a list of trusted certificates or certificate authorities (CAs). If the certificate is trusted and valid, the server proceeds with the connection.
User Credentials: In addition to device authentication, the user may also be required to provide their username and password for further authentication. This dual authentication method (device and user) enhances security.
Secure Tunnel Establishment: Once the client-side certificate and user credentials (if required) are validated, a secure SSL VPN tunnel is established between the user's device and the VPN server.
Access Control: Access control policies are applied to determine what network resources and services the user/device can access within the VPN network. These policies are typically based on user roles, groups, or device types.
Encrypted Communication: All data transmitted between the user's device and the VPN server is encrypted, ensuring the confidentiality and integrity of the communication.
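As an added illustration of the client-certificate steps above (not part of the reply, and not vendor-supplied configuration), this is the shape of a FortiGate CLI configuration that requires a device certificate chaining to an internal device CA in addition to the existing SAML user login. The object names in quotes ("CA_Cert_1", "corp-device-ca", "sslvpn-saml-users", "full-access") are assumed placeholders for objects already present in your configuration, and the keywords are given as I know them from the FortiOS CLI; check them against the CLI reference for your deployed release.

```fortios
# PKI peer: a connecting device must present a certificate signed by the
# internal device CA (the CA certificate is assumed to be imported as "CA_Cert_1").
config user peer
    edit "corp-device-ca"
        set ca "CA_Cert_1"
    next
end

# SSL VPN listener: ask every client for a certificate, and tie the SAML
# authentication rule to the PKI peer so both device and user must pass.
config vpn ssl settings
    set reqclientcert enable
    config authentication-rule
        edit 1
            set groups "sslvpn-saml-users"   # existing Azure SAML user group (assumed name)
            set portal "full-access"         # existing SSL VPN portal (assumed name)
            set client-cert enable           # device certificate is mandatory for this rule
            set user-peer "corp-device-ca"   # certificate must match the peer defined above
        next
    end
end
```

A personal device that has no certificate from the device CA fails the certificate check before the SAML login is ever offered, while a managed device with the certificate installed proceeds to the usual Azure SAML/MFA prompt.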
You can also use a MAC address check to make sure only approved devices are allowed to connect to the SSL VPN.
Here is more information on how to configure that:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-address-check-on-SSL-VPN-connections/t...
Copyright 2024 Fortinet, Inc. All Rights Reserved.