Force users to use SSL VPN to access the internet

With our equipment and configuration:

- FortiGate 100E with UTM license

- SSL VPN with Azure SAML

- FortiClient VPN (free).

I want to restrict internet access when users use their laptops outside the company network. If they want to access, they are required to use the VPN connection provided by the company.

Is there any way to help me do this?

Thanks.

You want the always-on VPN, but that is only available in the paid client.

Paid FortiClient+EMS could potentially be set up to apply different FortiClient profiles when off-net (not on VPN, not on office) and on net (VPN/office).
Off-net could block the majority of web traffic except the minimum requirements to connect to VPN (DNS server(s), the FortiGate itself, any Microsoft/Azure destinations needed for completing SAML auth, etc.) with something like the webfilter, and on-net can switch to an unfiltered profile (relying on full-tunnel traffic going through the FortiGate, being filtered there).

I am not sure what exactly you want…but:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disabling-Split-Tunnel-configuration/ta-p/198692

If I understand correctly, you want your user to NOT use split tunnel - meaning that not only the part for your company goes through (SSL) VPN, but everything basically. That would - on first sight - mean to disable split tunneling.

However, I might misunderstand…

Edit: That does not necessarily stop them using your devices for internet access (e.g. when SSL VPN is down and they go “vanilla”) - I guess you would need other (technical) means to do that and it heavily depends on your setup and does not necessarily depend on Fortinet/FortiGate/FortiClient solutions.

Edit2:

Now that you rephrased your question, let me edit as well…
What you are basically saying is that the device your users are working with should always go via your company's network for internet access (and basically everything else as well, network/traffic wise).

Now this is - as far as I know - not only a Fortinet thing. You need total control of your devices (so BYOD might be a challenge) and make sure you have some sort of “always-on” SSL VPN (those usually can be configured to be off when inside the company network and always on when outside, using the underlay of the WAN connection). In my opinion it's a multi-tier issue that involves the device itself (and its management) as well as the VPN solution - unfortunately I have no experience with those.
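As an added illustration of the split-tunnel point above (not from any post in this thread), this is the FortiOS CLI shape of an SSL VPN portal with split tunnelling disabled, plus the firewall policy that lets tunnel traffic reach the internet through the FortiGate's security profiles. The portal name, address object, user group and WAN interface names are assumptions for this example.

```text
# Added example (not from the thread): full-tunnel SSL VPN portal on FortiOS.
# "full-access", "SSLVPN_TUNNEL_ADDR1", "SSLVPN-Users" and "wan1" are assumed names.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        # Disabling split tunnelling sends ALL client traffic through the tunnel,
        # including internet-bound traffic, so it is inspected on the FortiGate.
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# Without a policy from the SSL VPN interface to the WAN, full-tunnel clients
# lose internet access entirely. Applying security profiles here gives VPN
# users the same inspection as on-site users.
config firewall policy
    edit 0
        set name "SSLVPN-to-Internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN-Users"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set av-profile "default"
        set nat enable
    next
end
```

The portal is mapped to users through the authentication rules under `config vpn ssl settings`, and this only governs traffic while the tunnel is up; a disconnected client still reaches the internet directly, which is the gap the EMS always-on answers in this thread address.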

You might be able to do this by forcing the device's DNS server to be one that can only be accessed on the corporate network. They will have to connect the VPN to access DNS and therefore the internet. For this to work you will need to set up your FortiClient to connect via IP and not domain or the VPN won't be able to connect. You will also need to ensure that the DNS cache period is not set to a long amount of time.

Please rephrase your question. It doesn’t make sense.

You have to ask yourself why you want to do this. I think your solution might be managed FortiClient with ZTNA license. You can force web profiles/rules to work on the endpoint (similar to FortiGate profiles/rules) while using its own internet connection. And of course you can use other ZTNA stuff like proxying to your internal apps, tagging, etc.

Brutal option would be to force a false default gateway on your client computers and only add static persistent routes for your SSL VPN gateway addresses. That plus a hosts file with only the SSL VPN DNS addresses in it should do the trick…

I’ll admit I’m being a bit flippant here, but the point is your request will need to be an endpoint config rather than just an SSL VPN config.

Not with FortiClient VPN Free. You’re asking for advanced features and you need advanced licensing.

You can consider AOVPN native built-in, but that’s gonna be IPsec then. And also you should then probably enroll certificates for auth. Not as easy, but free.

What if I want to do the opposite. Meaning remove the application without losing the wifi. The only reason I need to do this is because for some reason the wifi I bought came with it and I don’t have enough to get a new wifi and when I tried to call and get it fixed they told me that my warranty had expired and when I explained the issue they said they had no idea. Any help is accepted. I would like to know sooner rather than later. It is preventing me from using my wifi properly. (P.S. Don’t get Comcast, EVER)

It is ok. If EU don't make a VPN connection, they cannot access the internet.

Thanks for your reply.

We don't want EU to be able to bring the laptop home, connect to Wi-Fi at home and bypass the VPN access and connect directly to the internet. It may get infected during this connection. Then they plug the laptop back into the company network and infect it.

Can Explicit Proxy resolve my needs?

Rephrased already.

Thanks.

We are looking for a way to resolve with cost savings. Can Explicit Proxy resolve my needs?

I’m no expert on EMS but I believe you need the paid FortiClient version in combination with an EMS server. Furthermore you need to control the devices so users cannot change system settings.

Afaik that’s the only safe option. Whatever else you try with explicit proxy can most likely be bypassed.

So I gather it's company-distributed devices - so that means you need to make sure that they can’t be (easily) tampered with and “lock them down” (and use some sort of Endpoint Protection anyway) - and then have something like “always on” VPN without split tunnel - which makes sure that they always are surfing via your company (for all traffic).

That is not only a Fortinet thing, but Fortinet products should help you with the VPN things - however, I am not sure if the free edition can do all that (you likely might need FortiEMS, etc.). But again, I don’t have much experience with this.

Can Explicit Proxy resolve my needs?

Probably not. Furthermore, you would need to expose your proxy ports to the outside world, which isn’t a good idea. Remember, the explicit proxy is generally positioned on your LAN for internal traffic going outside. In your case you would need to permit anyone (internet) to connect to your proxy. Sure, some kind of authentication would be required, but you’re exposing yourself to potential risks.

EMS + Always-On VPN does exactly what you want. As does EMS + ZTNA.

I am not sure how else I can explain the options you have.

First you need to make sure that the device is yours and yours only (e.g. users can’t make any system settings alterations).

After that there are several “poor man” solutions that MIGHT work (or not work).
Setting an explicit proxy (which needs to be in your corporate network) doesn’t solve the issue in my opinion… there might still be actions a user might be able to take to circumvent an explicit proxy and surf directly.