Dear Concern,
We have Active Directory Domain environment & all workstations are joined with AD.
Fortigate is acting as centralized firewall + SSL VPN Server & our users use the FortiClient SSL VPN client to connect with our office from remote locations to access shared resources. Fortigate is configured with AD Domain SSO so that remote users can connect using the same ID/PASSWORD for VPN (which they use for Windows login). SSO is used for VPN because we have a large number of users & we do not want to create local users in Fortigate to avoid management overhead & to keep centralized management.
Recently we added some Logon Security in AD users so that a user can "Log on to specific workstation" only, like user A can LOG ON to computer A only & likewise for all. This restriction part is working fine on the local network, but now the user cannot log on to VPN (work from home) due to the "Log on to specific workstation" restriction.
What is the workaround ?
This depends upon what specific perimeter you have defined to restrict the access. The fact that you are saying that it's connected on-prem seems like you have restricted access while they are in the domain and then they are able to log in. If that is the case you have to use EMS, take a look into this article https://docs.fortinet.com/document/forticlient/7.4.0/administration-guide/479513/activating-vpn-befo...
I hope this helps.
As a workaround you can create a separate user group for SSL VPN in your Active Directory, allow them access, and use that user group on the Firewall for the SSL VPN configuration.
https://community.fortinet.com/t5/Blogs/Deploying-SSL-VPNs-Using-Multiple-Realms/ba-p/238145
I don't know what type of restriction you have applied but usually those restrictions are sent to the domain through GPO while the VPN authentication most probably uses LDAP. LDAP authentication should not be affected by GPO restrictions.
I got curious about this :) and it seems that the common configuration used for this restriction is the "Log On To" setting (not related to GPO). As tested, this actually affects the LDAP authentications.
As seen in my case at least (LDAPS configured in FGT), the LDAP login requests are coming as sourced by the DC itself and failing.
After adding the DC in the list of the Computers the LDAP is successful:
Now the LDAP authentications are succeeding from the FGT:
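The fix described in the reply above (adding the domain controllers to each restricted user's "Log On To" list) is easy to get wrong by hand across many users. The following PowerShell is an added example, not code from the thread or from Fortinet: it audits every AD user that carries a "Log On To" restriction (the `userWorkstations` / `LogonWorkstations` attribute), reports which domain controllers are missing from the list, and optionally appends them. It assumes the RSAT ActiveDirectory module and an account permitted to edit user objects; `$Apply` is a name chosen here.

```powershell
# Added example (not from the original thread): audit and, optionally, repair the
# "Log On To" lists so that LDAP binds handled by the DC on behalf of the VPN
# gateway are not rejected by the workstation restriction.
# Assumes RSAT ActiveDirectory module and rights to modify user objects.
Import-Module ActiveDirectory

# Report only by default; set to $true to write the changes.
$Apply = $false

# The attribute stores NetBIOS host names, so collect the DC names, not FQDNs.
$dcNames = (Get-ADDomainController -Filter *).Name

# Only users that actually have a "Log On To" restriction set.
$restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations

foreach ($u in $restricted) {
    # LogonWorkstations is a single comma-separated string.
    $allowed = $u.LogonWorkstations -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    # Comparison is case-insensitive, matching how the DC evaluates the names.
    $missing = $dcNames | Where-Object { $allowed -notcontains $_ }
    if (-not $missing) { continue }

    Write-Output ("{0}: allowed=[{1}] missing DC(s)=[{2}]" -f `
        $u.SamAccountName, ($allowed -join ','), ($missing -join ','))

    if ($Apply) {
        $newList = ($allowed + $missing) -join ','
        Set-ADUser -Identity $u -LogonWorkstations $newList
        Write-Output ("  updated {0} -> [{1}]" -f $u.SamAccountName, $newList)
    }
}
```

Run it once with `$Apply = $false` to review the report, and keep in mind that the attribute is capped at 64 names, so a domain with many DCs may exhaust the list for users who already have long workstation lists.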