Matt Sherif

Secure remote desktop without poking holes in your firewall

You’ve just signed off on that big project with Company X: they’re going to implement the new Flux Capacitor you just bought. Even better, they’ll do it all remotely. You set up a virtual desktop for them to work from, and now you have to provide access. You face 2 classic decisions:

  • Do you provide limited VPN access, go through the trouble of setting up temporary rules, and then have to remember to come back and clean them up? On top of that, the user has to authenticate both to the VPN and to the virtual desktop.

  • Do you poke a hole in your firewall to that virtual desktop?



Both of the above are viable. Faced with the decision, I would choose the first one, as it’s more secure, but I also understand it may be challenging to ensure policies are configured correctly to avoid any disruption the new rules might cause; this is why you test in a lab. The big point of this post, especially if you have FortiGates, is that you can avoid all of that additional work by setting up an SSL-VPN portal. We’ll cover setting up an RDP bookmark with single sign-on in this post. Single sign-on allows the user to log in once, and those credentials are then used with any of the bookmarks that require authentication.


Assumptions:


  • SSL VPN Settings have already been configured

  • An LDAP/Active Directory Server has been configured


Configuring the SSL-VPN Portal:


Since this is for a consultant, there are certain settings you likely do not wish to provide them that you would typically provide to your regular end users. Navigate to VPN > SSL-VPN Portals and perform the following:


  • Click ‘New’ to create a new portal

  • For this example we’ll call the portal Company X

  • Limit Users to One SSL-VPN Connection at a Time: Enabled

  • Tunnel Mode: Disabled

  • Web Mode: Enabled

  • Portal Message: Your message goes here

  • User Bookmarks: Disabled – you don’t want them being able to add their own





  • Predefined Bookmarks – this is where we’ll create the RDP bookmark they’ll use to access the virtual desktop

  • Click ‘Create New’

  • Name – ‘Company X Virtual Desktop’

  • Type – RDP

  • Host – the IP or Hostname of the Virtual Desktop

  • Port – 3389 is common, change this if yours differs

  • Single Sign-On: SSL-VPN Login

  • Security: choose the setting appropriate for your environment; in this example we’ll be using Network Level Authentication






Create Group for Portal Assignment:


You could assign the portal directly to the user who will be logging in, but if there will be multiple users, it’s easier to assign a group. To create a group:

Navigate to User & Device > User Groups

  • Click ‘Create New’

  • Name: Company X

  • Type: Firewall

  • Under Remote Groups - Click ‘Add’

  • Remote Server: The LDAP server you will be authenticating against

  • From the list of groups, select the group you want to be a member of the firewall group – make sure you right-click and choose ‘Add Selected’

  • Click OK

  • Click OK to save the new user group


Don't forget to click 'Add Selected'


Assigning SSL-VPN portal access to the user group:


  • Navigate to VPN > SSL-VPN Settings:

  • Under Authentication/Portal Mapping click Create New

  • Users/Groups: ‘Company X Users’

  • Portal: Company X

  • Click OK

  • On the Main SSL-VPN Settings page click Apply
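The same portal, user group and portal mapping expressed in the FortiOS CLI, added here as an example rather than taken from the original post; the virtual desktop host, LDAP server name and AD group DN are placeholders, and exact keywords can differ between FortiOS versions, so compare against what your GUI produces.

```text
# Web-mode-only portal: no tunnel, one session per user, no user-added bookmarks
config vpn ssl web portal
    edit "Company X"
        set tunnel-mode disable
        set web-mode enable
        set limit-user-logins enable
        set user-bookmark disable
        set heading "Your message goes here"
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "Company X Virtual Desktop"
                        set apptype rdp
                        set host "VDESKTOP-IP-OR-HOSTNAME"
                        set port 3389
                        set sso auto
                        set security nla
                    next
                end
            next
        end
    next
end

# Firewall group backed by an AD group on the configured LDAP server
config user group
    edit "Company X"
        set member "LDAP-SERVER-NAME"
        config match
            edit 1
                set server-name "LDAP-SERVER-NAME"
                set group-name "CN=CompanyX-Consultants,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# Map the group to the restricted portal
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Company X"
            set portal "Company X"
        next
    end
end
```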




Testing Access:


We should be ready to test access. Browse to your SSL-VPN portal and log in with a user who is a member of the Company X group we created earlier:




Thanks for reading, I hope this was helpful.