SSL VPN client policies without EMS
Is it possible...without EMS to be able to apply specific policies based on whether or not a client PC is domain attached? We have a 201F setup with SSL VPN access and basic policies in place to access internal resources. We're using the free FortiClient VPN-only and don't have EMS. However, it would be GREAT to be able to do something like...IF the client is domain-joined to our on-prem AD, then allow it full access. IF the client is NOT domain joined, limit to RDP.
Labels: FortiGate
I think you are looking for FSSO. This allows you to create policies based on domain users that are logged on domain-joined clients.
If this is what you need then you can start here:
https://docs.fortinet.com/document/fortigate/7.0.3/administration-guide/450337/fsso
I do have SSO setup. Using that to authenticate users. All users have AD accounts. We do allow users to have the VPN client on their personal computers. These are the ones that I want to limit to RDP. So, basically I can have SSO check if the computer is domain joined or not?
I don't think FSSO works on a PC that is not part of a domain. I mean a user can only open an AD session on a domain-joined computer; otherwise it is not an AD session and so it can't be FSSO.
You can check for a specific Windows registry key (in the SSL settings) - most domain-joined PCs have a specific registry key with the domain as its value.

config vpn ssl web host-check-software
    edit "test-registry"
        config check-item-list
            edit 1
                set target HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\
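As an added illustration (not the poster's config and not taken from Fortinet's documentation), this is the shape such a registry host check takes in the FortiOS CLI, together with the portal that enforces it. The object and portal names are placeholders, and so is the remainder of the key path after `Microsoft\`, which the thread does not give; a client that fails a required check-item is refused that portal rather than being downgraded to another one.

```text
# Host-check object: one required registry item. A client that does not
# present this key fails the check.
config vpn ssl web host-check-software
    edit "domain-joined-check"          # placeholder name
        set os-type windows
        set type fw                      # host-check objects are typed av or fw
        config check-item-list
            edit 1
                set action require       # require = must exist; deny = must not exist
                set type registry
                # Placeholder: the thread truncates the key after Microsoft\.
                # Substitute the key whose value carries the AD domain name.
                set target "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\<REST-OF-KEY-PATH>"
            next
        end
    next
end

# Portal for domain-joined machines: custom host check bound to the object above.
config vpn ssl web portal
    edit "full-access"                   # placeholder name
        set tunnel-mode enable
        set host-check custom
        set host-check-policy "domain-joined-check"
    next
    # Portal for everything else: no host check, web mode only, RDP bookmark.
    edit "rdp-only"                      # placeholder name
        set tunnel-mode disable
        set web-mode enable
        set host-check none
    next
end
```

Which users land on which portal is still decided by the authentication rules under `config vpn ssl settings`; the host check only accepts or rejects the portal it is bound to.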