Is it possible, without EMS, to apply specific policies based on whether or not a client PC is domain-attached? We have a 201F setup with SSL VPN access and basic policies in place to access internal resources. We're using the free FortiClient VPN-only and don't have EMS. However, it would be GREAT to be able to do something like... IF the client is domain-joined to our on-prem AD, then allow it full access. IF the client is NOT domain-joined, limit it to RDP.
I think you are looking for FSSO. This allows you to create policies based on domain users that are logged on domain-joined clients.
If this is what you need then you can start here:
https://docs.fortinet.com/document/fortigate/7.0.3/administration-guide/450337/fsso
I do have SSO setup. Using that to authenticate users. All users have AD accounts. We do allow users to have the VPN client on their personal computers. These are the ones that I want to limit to RDP. So, basically I can have SSO check if the computer is domain joined or not?
I don't think FSSO works on a PC that is not part of a domain. I mean a user can only open an AD session on a domain-joined computer; otherwise it is not an AD session and so it can't be FSSO.
You can check for a specific Windows registry key (in the SSL settings); most domain-joined PCs have a specific registry value with the domain as its value.
```
config vpn ssl web host-check-software
    edit "test-registry"
        config check-item-list
            edit 1
                set target HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\
            next
        end
    next
end
```
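Before pointing a host-check item at a registry path, it helps to confirm which values actually differ between a domain-joined and a standalone workstation. The following script is an added example, not part of the post above or of FortiOS; it reads two well-known locations (the `Domain` value under `Tcpip\Parameters` and the Group Policy `History` values) and reports which of them are non-empty on the machine it runs on. The function name `Get-DomainJoinEvidence` and the candidate list are assumptions for illustration.

```powershell
# Added example (not from the original post): compare candidate registry
# values that a FortiGate SSL VPN host check could target, so the check-item
# target is chosen from something that actually differs on a domain-joined PC.
# Run on one domain-joined and one standalone workstation and compare output.

function Get-DomainJoinEvidence {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Tcpip\Parameters\Domain exists on every Windows install; it is empty
    # on standalone machines and holds the DNS domain on domain-joined ones.
    $tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue

    # Group Policy\History only carries DCName / NetworkName after the machine
    # has applied domain policy, so it is a stronger "has talked to a DC" signal.
    $gpHist = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName = $cs.Name
        PartOfDomain = $cs.PartOfDomain      # authoritative WMI answer
        WmiDomain    = $cs.Domain            # 'WORKGROUP' when not joined
        TcpipDomain  = $tcpip.Domain         # '' when not joined
        GpHistoryDC  = $gpHist.DCName        # $null when no domain GP applied
        GpHistoryNet = $gpHist.NetworkName
    }
}

# Emit the findings, then flag which candidate values are usable as a host-check
# target: a value that is empty or null on this machine cannot be required.
$e = Get-DomainJoinEvidence
$e | Format-List

$candidates = [ordered]@{
    'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain'                    = $e.TcpipDomain
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName'        = $e.GpHistoryDC
}
foreach ($k in $candidates.Keys) {
    $present = -not [string]::IsNullOrEmpty($candidates[$k])
    '{0,-8} {1}' -f ($(if ($present) { 'usable' } else { 'empty' }), $k)
}
```

Because the host check is evaluated by FortiClient on the endpoint and reported to the FortiGate, a registry check distinguishes managed from unmanaged machines for policy hygiene but is not proof of domain membership; user authentication via FSSO or LDAP groups remains the control that actually gates access.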
Copyright 2024 Fortinet, Inc. All Rights Reserved.