FortiClient
vkulik
Staff
Article Id 194888

Description
How to use FSAE in a VPN environment (IPSec, SSL-VPN)?

Scope
IPSec, SSL-VPN, AD, FSAE, Active Directory, authentication, Identity based policies

Solution
FSAE is not supported in a VPN environment. It is primarily a LAN solution, because of the following requirements and behavior:

1. Users must log on to the domain before they can access any network resources.
2. The workstation's current IP address must be registered in Active Directory DNS and be resolvable from the Collector Agent (CA).
3. The workstation must be reachable from the Collector Agent IP(s) on ports TCP/139 and TCP/445.
4. By default, every 5 minutes the Collector Agent connects to the Remote Registry service on each workstation to verify that the user is still logged on.

Most of these requirements cannot be met by a client connecting through a VPN tunnel: the tunnel address is normally not registered in DNS, so the Collector Agent cannot resolve the workstation or reach it for the registry polls. As a result, VPN users are recognized as guests and may get incorrect access permissions.
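The following script is an added example (not a Fortinet tool or code from this article) that checks, from the Collector Agent's point of view, the prerequisites that can be tested over the network: that the workstation name resolves in DNS to the address the client actually uses, and that TCP/139 and TCP/445 answer at the resolved address. Host names, addresses, and the fake DNS/port tables are constructed sample data simulating one LAN client and two SSL-VPN clients; replace the fakes with the live resolver and connector to run it against real hosts from the CA.

```python
"""Check whether a workstation meets the network-testable FSAE prerequisites.

Added illustration, not a Fortinet tool. The sample hosts, addresses and the
FAKE_DNS / FAKE_OPEN tables below are constructed to simulate a LAN client
and SSL-VPN clients whose tunnel addresses are not registered in DNS.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

FSAE_PORTS = (139, 445)  # NetBIOS session and SMB: used for the Remote Registry polls


@dataclass(frozen=True)
class Workstation:
    name: str       # host name as reported to the Collector Agent in the logon event
    actual_ip: str  # address the client really has (LAN address or VPN tunnel address)


@dataclass(frozen=True)
class CheckResult:
    name: str
    resolved_ip: Optional[str]          # what DNS returned to the Collector Agent
    dns_matches_actual: bool            # resolved address == address the client uses
    port_reachable: Dict[int, bool]     # TCP/139 and TCP/445 at the resolved address

    def fsae_usable(self) -> bool:
        """True only if every network-testable prerequisite is satisfied."""
        return self.dns_matches_actual and all(self.port_reachable.values())

    def reasons(self) -> List[str]:
        out = []
        if self.resolved_ip is None:
            out.append("name not resolvable from the Collector Agent")
        elif not self.dns_matches_actual:
            out.append(f"DNS returns {self.resolved_ip} but the client uses another address")
        out += [f"TCP/{p} not reachable" for p, ok in self.port_reachable.items() if not ok]
        return out


def live_resolve(name: str) -> Optional[str]:
    """Forward lookup as the Collector Agent would do it."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_connect(ip: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect probe; a refused or timed-out connection counts as unreachable."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_workstation(ws: Workstation,
                      resolve: Callable[[str], Optional[str]] = live_resolve,
                      connect: Callable[[str, int], bool] = live_connect) -> CheckResult:
    resolved = resolve(ws.name)
    # The Collector Agent only knows the address DNS gave it, so that is where
    # its registry polls go; with no DNS record no poll can happen at all.
    ports = {p: (resolved is not None and connect(resolved, p)) for p in FSAE_PORTS}
    return CheckResult(ws.name, resolved, resolved == ws.actual_ip, ports)


# --- constructed sample environment (hypothetical names and addresses) ---
FAKE_DNS = {
    "lan-pc01.example.com": "10.1.1.50",  # LAN client with a current dynamic DNS record
    "vpn-pc02.example.com": "10.1.1.77",  # stale office record; the client is now on VPN
    # vpn-pc03.example.com has never been registered in DNS
}
FAKE_OPEN = {("10.1.1.50", 139), ("10.1.1.50", 445)}  # only the LAN host answers the CA
SAMPLE_HOSTS = [
    Workstation("lan-pc01.example.com", "10.1.1.50"),
    Workstation("vpn-pc02.example.com", "10.212.134.200"),  # SSL-VPN tunnel address
    Workstation("vpn-pc03.example.com", "10.212.134.201"),  # SSL-VPN tunnel address
]


def run_sample() -> Dict[str, CheckResult]:
    """Run the check against the constructed environment instead of the network."""
    return {ws.name: check_workstation(ws,
                                       resolve=lambda n: FAKE_DNS.get(n),
                                       connect=lambda ip, p: (ip, p) in FAKE_OPEN)
            for ws in SAMPLE_HOSTS}


if __name__ == "__main__":
    for name, result in run_sample().items():
        verdict = "OK" if result.fsae_usable() else "treated as guest: " + "; ".join(result.reasons())
        print(f"{name}: {verdict}")
```

Requirement 1 (a domain logon rather than a local one) cannot be tested from the network and is not covered; the script also only proves that the SMB ports answer, not that the Remote Registry service itself accepts the Collector Agent's credentials.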

A possible workaround is to create a separate firewall policy for VPN users that does not rely on FSAE authentication, or to use an alternative authentication method such as LDAP or RADIUS.


Exception with FortiClient:

FSAE can be used together with FortiClient when FortiClient is configured to establish the IPSec tunnel before the user logs in. In this case the workstation must be a member of the domain, and the user must log in to the domain rather than to the local workstation. You will also need to allow DHCP over IPSec, or assign a fixed IP address to each VPN client and register that IP in DNS, so that name resolution works.

