Matt Sherif

Oct 17, 2020 · 2 min

SSL VPN Host Check for Registry Key

VPN, dial-in, or whatever you want to call it: remote access to company networks has been around since before the internet. Sure, it has evolved over the years. I remember (I'm probably dating myself here) when remote access was done over a dial-up connection: you would dial a specific number for your company, your computer would do the modem squawking, and you'd be in.

Nowadays all you do is point a client or your browser to a web address and authenticate - poof! you're in. A challenge that most organizations find today is controlling which computers (company owned) are allowed to connect, and which they want to keep out - like personal computers.

FortiGate has the ability to check against certain criteria that you can define and determine whether or not a computer is allowed to connect.

Assumptions:

  • In this article this is being done on 6.4.2; documentation suggests that this is possible as far back as 5.6, maybe even earlier. I know it's an option in 6.0.x and up.

  • I will be performing the check based on a registry key - specifically the joined domain located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain

  • I used FortiClient with EMS (the Security Fabric agent). This does not appear to work with FortiClient VPN (the free client); even on a domain-joined computer it errors out. After upgrading to the EMS client, it seems to connect fine.

With that out of the way, let's get to it!

Configuring the host check rule is pretty straightforward. You start by creating an item to check against:

config vpn ssl web host-check-software
    edit "check.for.domain"
        config check-item-list
            edit 1
                set type registry
                set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Domain:ultraviolet.local"
            next
        end
    next
end

Note that both HKLM and HKEY_LOCAL_MACHINE will work.

Now we need to associate the host checker to the appropriate VPN portal - in this case I only want domain joined computers to have tunnel or full access:

config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "check.for.domain"
    next
end
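
An endpoint-side pre-check, added here as an example and not part of the original post or of Fortinet's tooling: run on a Windows client, it reads the same registry value the rule above targets and compares it with what Windows itself reports about domain membership. It assumes the primary DNS suffix equals the AD domain's DNS name (the Windows default); the function name Get-HostCheckReadiness is hypothetical.

```powershell
# Added example: pre-check an endpoint before rolling out the registry host check.
# $ExpectedDomain defaults to the value used in this article's rule.
param(
    [string]$ExpectedDomain = 'ultraviolet.local'
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$valueName = 'Domain'

function Get-HostCheckReadiness {   # hypothetical helper name
    param([string]$ExpectedDomain)

    # 1. The registry value the host-check rule evaluates ($null if it is absent).
    $regDomain = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

    # 2. What Windows itself reports about domain membership.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        RegistryDomain  = $regDomain
        # PowerShell -eq ignores case; how the FortiGate compares is not covered here.
        RegistryMatches = ($regDomain -eq $ExpectedDomain)
        PartOfDomain    = [bool]$cs.PartOfDomain
        CimDomain       = $cs.Domain
        # Assumption: primary DNS suffix == AD domain DNS name (Windows default).
        Consistent      = ($cs.PartOfDomain -and ($cs.Domain -eq $regDomain))
    }
}

$result = Get-HostCheckReadiness -ExpectedDomain $ExpectedDomain
$result | Format-List

if (-not $result.RegistryMatches) {
    Write-Warning "Registry Domain value does not match '$ExpectedDomain'; the host check is expected to fail."
    exit 1
}
if (-not $result.Consistent) {
    Write-Warning "Registry value matches, but Windows does not report membership of that domain; review this endpoint."
    exit 2
}
exit 0
```

Exit code 0 means the endpoint should pass the rule, 1 means it will not, and 2 flags a machine whose registry value and reported domain membership disagree.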

Now we test!

For this scenario I will be attempting to log into the VPN using a non-domain joined computer. It would be preferred if I was denied access to tunnel mode, but allowed access to web mode.

Tunnel mode access test:

Web mode access test:

And that's it! I hope this has been helpful.
