You’ve just signed off on that big project with Company X, they’re going to implement the new Flux Capacitor you just bought. Even better, they’ll do it all remotely. You set up a virtual desktop for them to work from, and now you have to provide access. You face 2 classic decisions:
Do you provide limited VPN access and then go through the trouble of setting up temporary rules, and then having to remember to come clean that up? Top it off, the user has to authenticate both to the VPN and the virtual desktop?
Do you poke a hole in your firewall to that virtual desktop?
Both of the above are viable, when faced with the decision I would choose the first one as it’s more secure, but I also understand it may be challenging to ensure policies are configured correctly to avoid any disruptions you might cause as a result of the new rules – this is why you test in a lab. The big point of this post, especially if you have FortiGates, is that you can avoid all of that additional work by setting up an SSL-VPN portal. We’ll cover setting up an RDP bookmark with single sign on in this post. Single Sign on allows the user to log in once, and those credentials be used with any of the bookmarks that require authentication.
Assumptions:
SSL VPN Settings have already been configured
An LDAP/Active Directory Server has been configured
Configuring the SSL-VPN Portal:
Being that this is for a consultant, there are going to be certain settings you likely do not wish to provide them, that you would typically provide your regular end users. Navigate to VPN > SSL-VPN Portals and perform the following:
Click ‘New’ to create a new portal
For this example we’ll call the portal Company X
Limit Users to One SSL-VPN Connection at a Time: Enabled
Tunnel Mode: Disabled
Web Mode: Enabled
Portal Message: Your message goes here
User Bookmarks: Disabled – you don’t want them being able to add their own
Predefined Bookmarks – this is where we’ll create the RDP broker for them to access the virtual desktop
Click ‘Create New’
Name – ‘Company X Virtual Desktop’
Type – RDP
Host – the IP or Hostname of the Virtual Desktop
Port – 3389 is common, change this if yours differs
Single Sign-On: SSL-VPN Login
Security: Choose the setting appropriate for your environment, in this example we’ll be using Network Level Authentication
Create Group for Portal Assignment:
You could assign the portal directly to the user who will be logging in, but if there will be multiple users, it’s easier to assign a group. To Create a Group:
Navigate To User & Device > User Groups
Click ‘Create New’
Name: Company X
Type: Firewall
Under Remote Groups - Click ‘Add’
Remote Server: The LDAP server you will be authenticating against
From the list of groups select the group you want to be a member of the firewall group – make sure you right click and click ‘add selected’
Click OK
Click OK to save the new user group
Assigning SSL-VPN portal access to the user group:
Navigate to VPN > SSL-VPN Settings:
Under Authentication/Portal Mapping click Create New
Users/Groups: ‘Company X Users’
Portal: Company X
Click OK
On the Main SSL-VPN Settings page click Apply
Testing Access:
We should be ready to test access. Browse to your SSL-VPN portal and login with a user who is a member of the Company X group we created earlier:
Thanks for reading, I hope this was helpful.