Activating VPN login before Windows login in FortiOS 7.2.x?

First, I did see this article but some of those settings aren’t there in the FortiClient and I am also on FortiOS 7.2.2 right now. The FortiClient settings menu doesn’t have anything about Windows logon and running that command in elevated cmd didn’t help.

I’m setting up SSL-VPN for LDAP users. I’m still setting up and testing but I do have it working now and was able to authenticate to the VPN using my domain credentials.

Next thing I am trying to do is set this up so users are able to connect to the VPN before they log into the Windows 10 laptop - reason being, the laptops are domain joined but for remote use. So ideally, they first connect to the VPN, then log into Windows with their AD creds and then are on the company network. BTW I am using full tunnel mode.

Are you using anything other than the VPN-only version of FCT? Because free doesn’t allow SBL.

Only option is to fork out for EMS, or install FortiClient 6.0.9 which was the last free version to support VPN before Login

Export a backup of your FortiClient VPN config.
Edit the XML file.

<VPN>
   <Options>
      ...
      <show_vpn_before_logon>1</show_vpn_before_logon>
   </Options>
</VPN>

Then import the config back into the FortiClient.

Edit: Also, see the registry entries at:

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_VPNSTARTER\
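The export/edit/import step described above, scripted so the flag is set without hand-editing the file. This is an added example, not code from the post or from Fortinet; it assumes the exported config uses the VPN/Options element names shown in the post (the sample document below is constructed and trimmed) and it only rewrites the XML, which you then import back into FortiClient yourself.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample of an exported FortiClient VPN config, cut down to the
# elements discussed in the post. A real export carries many more settings
# around them; they are left untouched by the functions below.
SAMPLE_CONFIG = """<forticlient_configuration>
  <VPN>
    <Options>
      <autostart_tunnel>0</autostart_tunnel>
      <show_vpn_before_logon>0</show_vpn_before_logon>
    </Options>
  </VPN>
</forticlient_configuration>
"""


def set_vpn_before_logon(xml_text: str, enabled: bool = True) -> Tuple[str, Optional[str]]:
    """Return (updated XML text, previous flag value or None if it was absent).

    Creates VPN/Options/show_vpn_before_logon when the export lacks it, so a
    config saved by a client that never exposed the option still gets the flag.
    """
    root = ET.fromstring(xml_text)
    options = root.find("./VPN/Options")
    if options is None:
        vpn = root.find("VPN")
        if vpn is None:
            vpn = ET.SubElement(root, "VPN")
        options = ET.SubElement(vpn, "Options")
    flag = options.find("show_vpn_before_logon")
    previous = None if flag is None else (flag.text or "").strip()
    if flag is None:
        flag = ET.SubElement(options, "show_vpn_before_logon")
    flag.text = "1" if enabled else "0"
    return ET.tostring(root, encoding="unicode"), previous


def read_vpn_before_logon(xml_text: str) -> Optional[str]:
    """Read the current flag value, or None when the element is missing."""
    flag = ET.fromstring(xml_text).find("./VPN/Options/show_vpn_before_logon")
    return None if flag is None else (flag.text or "").strip()


if __name__ == "__main__":
    updated, old = set_vpn_before_logon(SAMPLE_CONFIG)
    print(f"show_vpn_before_logon: {old!r} -> {read_vpn_before_logon(updated)!r}")
```

Write the returned text to a file and import it through the FortiClient backup/restore dialog; as the later replies note, the free VPN-only client may still ignore the flag.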

DON’T DO THAT!
There have been so many problems with SBL the last time.

I do not yet know what “FCT” and “SBL” refer to. I am using the VPN-only version of the FortiClient - "FortiClient VPN - The VPN-only version of FortiClient offers SSL VPN and IPSecVPN, but does not include any support. Download the best VPN software for multiple devices. "

Is EMS costly? Worth it? (We have well under 100 users)

That doesn’t work without EMS, does it?

Nice! I will try that asap

I just tried this but it’s not working. I exported the backup, then found the show_vpn_before_logon and changed 0 to 1, then rebooted. I saw the new entries in the registry where you mentioned, and vpn_before_logon_enabled key was set to 1 but the enabled key was 0. I rebooted again and didn’t see any VPN options before login. Then I changed the enabled key to 1, rebooted, still nothing. Is there anything else I should try or what am I missing?

Also, I know this is just a work-around since the auto-updater will likely update the client to a new version and I would assume that could remove the manually enabled functionality.

First, can you expand on the grief you mentioned? Like what are the biggest issues of doing it this way?

Second, I hear you, I do. This comment strikes a chord with me because I am uncomfortable setting up VPN with LDAP sign-in on a domain-joined laptop used for remote purposes. It doesn’t seem ideal. Unfortunately, management is pushing me to test and use VPN as opposed to our primary remote method (Citrix Cloud), so I have no choice for now. It's just in testing phase but I do have a few users on it for real. I am using MFA though, so that’s a plus.

Also, these endpoints are actually Azure hybrid joined since we have local AD and AAD Hybrid setup, pass-hash and with no write-back enabled. The thing is, we currently have several applications that are AD SSO so the user has to be on a PC that is joined to local AD.

Eventually, I’d like to get us off local AD and 100% on Azure but I don’t know when that will happen.

Don’t do what specifically? What problems have there been with SBL?

Sorry. FortiClient is FCT.

SBL is Start-Before-Login. Cisco term.

Free version doesn’t support what you’re looking to accomplish from my experience. Let me know if you find otherwise, though

About $10/license per year. Licensed by number of endpoints, in a 25-pack ($250/year for 25 licenses). It’s worth it just in the labour time saved messing with vpn configs. You make the change on the server, and it’s pushed out to all the clients within 180 seconds.

Also gives you ZTNA and Software Vulnerability scan (“PC has Acrobat vX.XX vulnerable to CVE 23-yyy”). You can then use that info in a firewall policy.

Base also includes App Control and IPS on the client, enabled either full time (don’t need deep packet inspection that way), or only when “off-net” (laptop at Starbucks / home and not on vpn).

For instance: https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network

Oh nice. That’s pretty cheap then. Is the server usually local or hosted or what? I would probably opt for a hosted appliance if possible as I have too many local things right now.

For double that price, you also get cloud sandbox, and web & dns filtering on the workstation for off-net use (no malicious website, even when not behind the Fortigate)

For SAML vs LDAP, are you talking about at the point of the FortiGate where it’s referencing user objects synced from Active Directory and then used by the VPN client to authenticate users based on their AD credentials? If so, I will look into using SAML. Although, I’m not seeing that specific method mentioned here on the FortiGate knowledgebase.

To your second point, we are using Windows 10 Enterprise computers right now (we have E3 licensing) and we do need an always-on VPN tunnel for stuff like mapped drives and open files to the local file server, etc. No SCCM.

I would love to do things differently but we are currently still in a state of coming out of a fully on-prem setup. We have moved to AAD with M365, hosted Exchange, etc… there’s just several lingering things and people wanting things certain ways that prohibit me from doing things better like you suggest… unless I’m not fully realizing the possibility to do things that way anyway?

Wow that is some scary stuff. I’ve always argued that always on, certificate based VPN is a bad idea but this article really explains how bad it really is.

I’ll be passing this link around with the guys I work with.

Yes, you have both options: either hosted on FortiCloud or hosted by you (aka on prem). EMS is just a Windows app that you deploy on Windows Server.