• Matt Sherif

SSL VPN Host Check for Registry Key

VPN, dial in, or whatever you want to call it. Since before the internet has been around, remote access to company networks has been around. Sure, over the years it has evolved, I remember (I'm probably dating myself here) when remote access was done over a dial up connection, where you would dial into a specific number for your company and your computer would do the modem squawking and you'd be in.


Nowadays all you do is point a client or your browser to a web address and authenticate - poof! you're in. A challenge that most organizations find today is controlling which computers (company owned) are allowed to connect, and which they want to keep out - like personal computers.


FortiGate has the ability to check against certain criteria that you can define and determine whether or not a computer is allowed to connect.


Assumptions:


  • In this article this is being done on 6.4.2 documentation suggests that this is possible as far back as 5.6, maybe even earlier. I know it's an option in 6.0.x and up.

  • I will be performing the check based on a registry key - specifically the joined domain located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain

  • I used FortiClient with EMS - the Security Fabric agent, this does not appear to work with FortiClient VPN (The free client) - even on a domain joined computer it errors out. After upgrading to the EMS client, it seems to connect fine.


With that out of the way, lets get to it!


Confiuring the host check rule is pretty straight forward, you start with creating an item to check against:



config vpn ssl web host-check-software
    edit "check.for.domain"
        config check-item-list
            edit 1
                set type registry
                set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Domain:ultraviolet.local"
            next
        end
    next
end

Note that both HKLM and HKEY_LOCAL_MACHINE will work


Now we need to associate the host checker to the appropriate VPN portal - in this case I only want domain joined computers to have tunnel or full access:


config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "check.for.domain"
    next
end

Now we test!


For this scenario I will be attempting to log into the VPN using a non-domain joined computer. It would be preferred if I was denied access to tunnel mode, but allowed access to web mode.


Tunnel mode access test:


Web mode access test:


And that's it! I hope this has been helpful.



427 views

Recent Posts

See All