Best way to set up vpn connections for remote workers

Hi everyone,

Our company has been using SSL VPN for all our remote workers since COVID. Since we bought FortiClient EMS recently, I am looking to optimize our VPN setup (or should I go for ZTNA?)

I do have:

Windows environment, everything on prem (except for O365), classic file-server mapped as network drives, ActiveDirectory with GPOs, …

Using a RADIUS server with certificates to automatically authenticate to the FortiAPs in our office building.

FortiGate 120G, FortiClient EMS with enough licenses for all of our clients.

Our current setup is SSL VPN, local FortiGate users with LDAP authentication and an additional two-factor mail code sent to a private mail address.

I did test the SSL VPN with an SSO setup via Microsoft Entra as the Identity Provider. Works well and makes use of the second factor from Microsoft.

But I do not know if it is better to go for IPsec and use SSL VPN as a fallback?

I am searching for a kind of setup that allows me to connect via VPN before a user has to log in on their computer…

Feel free to share your ideas! Thanks in advance!

While at the end of the day we always adhere to exactly what our customers want, we advise all existing clients to migrate off SSL-VPN, and at bare minimum to Dial-Up VPN. However, we always offer this solution (provided below) to our existing customers when migrating, and as the first option to new customers:

Products:
FortiAuthenticator - for computer login authentication
FortiEMS and FortiClient - ZTNA

Workflow:

At the endpoint login screen:
Endpoint connects to network via known WiFi or hardwire.
Before user logs in, FortiClient establishes ZTNA connection.
User attempts to log into client device.
(one of two workflows)

Method 1:
Using the ZTNA connection, the authentication request is sent to the FortiAuthenticator.
FortiAuthenticator responds and sends notification to FortiAuthenticator application on client’s phone.
User accepts and logs into device.

Method 2:
Using the ZTNA connection, the authentication request is sent to the FortiAuthenticator.
Using their hard token, the client inputs the OTP.

If the user is unable to connect to a known WiFi, and the device has been configured in a manner that will not allow them to select a WiFi prior to local / device authentication, then the user has the option of manually entering the OTP from the FortiAuthenticator application, or hard token.

Hello,

With everything you're saying - ZTNA would be more handy for the end-user. From the backend side it still gives me more things to troubleshoot than VPN from time to time. ZTNA got much better compared to 2 years ago, I must admit that.
As for IPsec vs SSL VPN: mostly your own preference and what you're used to. For me SSL VPN is still more convenient to work with, however Fortinet pushes towards switching to IPsec.
If you stay with SSL VPN - stay alert to the latest vulnerability reports. There were a number of critical CVEs during the past few years.

Fortinet is disabling SSL VPN on 7.6, so you're better off migrating to IPsec

Note: If the device has not connected back to the network / FortiAuthenticator server after X amount of days, then the offline OTP will not be applicable.

The problem with IPsec is it's blocked on many networks, making it a difficult option for client VPN. Fortinet should be offering WireGuard and overlay VPNs with WireGuard as a replacement option.

Only the smaller models with 2GB memory will no longer support SSL VPN