Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JP57
New Contributor II

SSL VPN client policies without EMS

Is it possible, without EMS, to apply specific policies based on whether or not a client PC is domain-attached? We have a 201F set up with SSL VPN access and basic policies in place to access internal resources. We're using the free FortiClient VPN-only and don't have EMS. However, it would be GREAT to be able to do something like: IF the client is domain-joined to our on-prem AD, then allow it full access. IF the client is NOT domain-joined, limit to RDP.

4 REPLIES
AEK
SuperUser

I think you are looking for FSSO. This allows you to create policies based on domain users that are logged on to domain-joined clients.

If this is what you need then you can start here:

https://docs.fortinet.com/document/fortigate/7.0.3/administration-guide/450337/fsso

JP57
New Contributor II

I do have SSO set up. Using that to authenticate users. All users have AD accounts. We do allow users to have the VPN client on their personal computers. These are the ones that I want to limit to RDP. So, basically, can I have SSO check if the computer is domain-joined or not?

AEK

I don't think FSSO works on a PC that is not part of a domain. I mean a user can only open an AD session on a domain-joined computer; otherwise it is not an AD session, and so it can't be FSSO.

gllgeorgiev1
New Contributor II

You can check for a specific Windows registry key (in the SSL settings). Most domain-joined PCs have a specific registry key with the domain as its value.

config vpn ssl web host-check-software
    edit "test-registry"
        config check-item-list
            edit 1
                set type registry
                set target HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\
            next
        end
    next
end
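A fuller version of that host check, as an added example that is not the poster's configuration: the registry check object plus the SSL VPN portal that enforces it. The key path and value name are placeholders (the poster's path is cut off above); `set action require`, `set host-check custom` and `set host-check-policy` are the FortiOS settings that make FortiClient evaluate the check at connect time and refuse the tunnel when it fails.

```fortios
# Host-check object: FortiClient must find this registry value before the
# portal below accepts the tunnel. Path and value name are placeholders;
# replace them with the key your domain-joined build actually writes.
config vpn ssl web host-check-software
    edit "domain-joined-check"
        config check-item-list
            edit 1
                set action require
                set type registry
                set target "HKEY_LOCAL_MACHINE\\SOFTWARE\\<PLACEHOLDER-KEY-PATH>\\<PLACEHOLDER-VALUE-NAME>"
            next
        end
    next
end

# Portal used by the full-access user group: bind the custom check to it.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set host-check custom
        set host-check-policy "domain-joined-check"
    next
end
```

The check only tests that FortiClient finds the value on the endpoint, so treat it as a posture hint rather than proof of domain membership, and note that a client failing it is denied the portal, not downgraded to a narrower one.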