SSL VPN client policies without EMS

JP57 · ‎01-30-2024

Is it possible...without EMS to be able to apply specific policies based on whether or not a client PC is domain attached? We have a 201F setup with SSL VPN access and basic policies in place to access internal resources. We're using the free FortiClient VPN-only and don't have EMS. However, it would be GREAT to be able to do something like...IF the client is domain-joined to our on-prem AD, then allow it full access. IF the client is NOT domain joined, limit to RDP.

AEK · ‎01-30-2024

I think you are looking for FSSO. This allows you to create policies based on domain users that are logged on domain-joined clients.

If this is what you need then you can start here:

https://docs.fortinet.com/document/fortigate/7.0.3/administration-guide/450337/fsso

AEK

JP57 · ‎01-30-2024

I do have SSO setup. Using that to authenticate users. All users have AD accounts. We do allow users to have the VPN client on their personal computers. These are the ones that I want to limit to RDP. So, basically I can have SSO check if the computer is domain joined or not?

AEK · ‎01-30-2024

I don't think FSSO works on PC that is not part of a domain. I mean a user can only open an AD session on a domain joined computer, otherwise it is not an AD session and so it can't be FSSO.

AEK

gllgeorgiev1 · ‎05-21-2024

You can check for specific windows registry ( on the ssl settings ) - most of the domain joined PCs have specific registry with domain as value.

config vpn ssl web host-check-software
edit "test-registry"
# config check-item-list
edit 1
set target HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\

SSL VPN client policies without EMS

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website