Pre-logon VPN
Pre-logon VPNs are typically useful to onboard remote users who have never logged in to their Windows machines, where the user’s Windows machines are domain-joined to their organizational Active Directory (AD) environment.
Initial user login to a domain-joined Windows machine using AD credentials requires real-time connectivity to the AD server. You can provide that connectivity via VPN. Using pre-logon VPN, upon bootup, Windows machines can self-authenticate and connect to a VPN gateway using their machine certificates. Once a Windows machine connects over VPN, it can reach the AD server, and the user can then log in to the Windows machine using their AD credentials. After the user logs in to the Windows machine, the pre-logon VPN connection disconnects. Users can then connect to FortiSASE secure internet access (SIA) automatically or manually, depending on the FortiSASE configuration. For subsequent logins to the Windows machine, users can use their locally cached Windows AD credentials.
For pre-logon VPN to work, it is assumed that Windows administrators have already prestaged the domain-joined Windows machines with a preconfigured FortiClient installer with the proper supported FortiClient version, along with machine certificates before shipping devices to users.
Pre-logon VPN is available in FortiClient 7.2.0 and later for FortiSASE instances enabled with IPsec or SSL VPN remote user support. This feature is exclusive to Windows endpoints. By default, the option to configure pre-logon VPN is visible for both existing and new FortiSASE instances enabled with IPsec VPN remote user support. See IPsec VPN remote user support. However, for existing FortiSASE instances enabled with SSL VPN remote user support, the option is hidden by default. To enable its visibility on FortiSASE, submit a ticket through FortiCare Support.
To configure pre-logon VPN on FortiSASE:
- Go to Configuration > Profiles. Select the respective profile and click Edit.
- On the Connection tab, configure one of the following:

  | Endpoint connects to FortiSASE VPN setting | FortiClient behavior after the user logs in to Windows |
  |---|---|
  | Manually | Disconnects from the pre-logon VPN gateway. The user can manually log in to the desired VPN connection from the configured list of VPNs shown under VPNs available to users. |
  | Automatically | Disconnects from the pre-logon VPN gateway and uses VPN autoconnect to connect to FortiSASE SIA automatically. Switching the setting to Automatically deletes any previously configured custom VPNs shown under VPNs available to users. |
- Enable the Authenticate endpoint before user logon toggle to see the pre-logon VPN configuration options.
- Select the Pre-logon VPN type: either SSL VPN or IPsec VPN.
- Enter the desired FQDN or IP address for Remote gateway.
- The Port option allows configuring a custom SSL VPN port number for the VPN gateway; the option is therefore available only if Pre-logon VPN type is set to SSL VPN. The default port is 443.
- The Endpoint machine certificate configuration consists of the Common name and Issuer fields, which FortiClient uses to select the proper machine certificate to authenticate itself to the VPN gateway. The Common name and Issuer fields are combined with a logical AND.
- Enter Common name and Issuer using the Any, Plain text, or Regex option so that FortiClient selects the correct Windows machine certificate to authenticate itself to the VPN gateway.
- Click OK.
You can configure the FortiGate as a VPN gateway for SSL or IPsec VPN to perform certificate-based authentication. See SSL VPN with certificate authentication and Dialup IPsec with certificate authentication.
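The following added Python model (not FortiClient's code) shows how the Common name and Issuer rules from the step above combine with a logical AND to narrow certificate selection, and why an Any issuer rule can leave more than one candidate. The machine-store contents, the CA names and the unanchored-search regex semantics are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MachineCert:
    """Minimal stand-in for a certificate in the Windows machine store (constructed)."""
    common_name: str
    issuer: str


def field_matches(mode: str, pattern: str, value: str) -> bool:
    """Evaluate one Common name or Issuer rule: Any, Plain text or Regex."""
    if mode == "Any":
        return True
    if mode == "Plain text":
        return value == pattern
    if mode == "Regex":
        # Assumption: unanchored search; use ^ and $ in the pattern when exact bounds matter.
        return re.search(pattern, value) is not None
    raise ValueError(f"unknown match mode: {mode}")


def select_machine_certs(certs, cn_mode, cn_pattern, issuer_mode, issuer_pattern):
    """Return the certificates for which the CN rule AND the Issuer rule both hold."""
    return [
        c for c in certs
        if field_matches(cn_mode, cn_pattern, c.common_name)
        and field_matches(issuer_mode, issuer_pattern, c.issuer)
    ]


CORP_CA = "CN=Corp Issuing CA 01, O=Example Corp"

# Constructed sample store: the current machine cert, a stale lab cert that shares its CN,
# and a user certificate issued by the same corporate CA.
SAMPLE_STORE = [
    MachineCert("LAPTOP-0471.corp.example.com", CORP_CA),
    MachineCert("LAPTOP-0471.corp.example.com", "CN=Lab Test CA, O=Example Corp"),
    MachineCert("jdoe@corp.example.com", CORP_CA),
]

MACHINE_CN_RE = r"^LAPTOP-\d+\.corp\.example\.com$"

if __name__ == "__main__":
    # Regex CN AND Plain text Issuer: exactly one candidate, the intended machine cert.
    print(select_machine_certs(SAMPLE_STORE, "Regex", MACHINE_CN_RE, "Plain text", CORP_CA))
    # Regex CN AND Any Issuer: two candidates, because the stale lab cert also matches.
    print(select_machine_certs(SAMPLE_STORE, "Regex", MACHINE_CN_RE, "Any", ""))
```

Pinning the Issuer to the corporate machine CA is what keeps a stale or user certificate from being offered to the gateway.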
Default settings for pre-logon IPsec VPN
If you configure a new pre-logon VPN on a FortiSASE instance running 25.2.24 with IPsec VPN as the Pre-logon VPN type, FortiSASE configures the following IPsec VPN settings on FortiClient endpoints belonging to the corresponding endpoint profile. This applies to FortiSASE instances running 25.2.a and later versions:
| VPN Settings | Value |
|---|---|
| IKE version | Version 2 |
| Mode Config | Enabled |
| Phase 1 | |
| IKE proposal | Encryption: AES128, Authentication: SHA256; Encryption: AES256, Authentication: SHA256 |
| DH Group | 15 |
| Key Life | 86400 seconds |
| Dead Peer Detection | Enabled |
| NAT Traversal | Enabled |
| Phase 2 | |
| IKE proposal | Encryption: AES128, Authentication: SHA256; Encryption: AES256, Authentication: SHA256 |
| Key Life | 43200 seconds |
| Replay Detection | Enabled |
| Perfect Forward Secrecy (PFS) | Enabled |
| DH Group | 15 |
Therefore, ensure that the remote VPN gateway's configuration matches these default IPsec VPN settings so that FortiClient can establish the VPN tunnel with the remote VPN gateway.
Legacy settings for pre-logon IPsec VPN
If pre-logon VPN was configured on FortiSASE 25.1.c or earlier, FortiSASE retains the legacy IPsec VPN settings unless one of the following actions occurs, after which FortiSASE applies the default IPsec configuration described under Default settings for pre-logon IPsec VPN to FortiClient endpoints belonging to the corresponding endpoint profile:
- Removing the existing pre-logon VPN configuration by disabling Authenticate endpoint before user logon and saving, then reconfiguring pre-logon VPN
- Changing a Pre-logon VPN type originally configured as SSL VPN to IPsec VPN
- Configuring pre-logon VPN with Pre-logon VPN type set to IPsec VPN for the first time
| VPN Settings | Value |
|---|---|
| IKE version | Version 1 |
| Mode | Aggressive |
| Mode Config | Enabled |
| Phase 1 | |
| IKE proposal | Encryption: AES128, Authentication: SHA256; Encryption: AES256, Authentication: SHA256 |
| DH Group | 5 |
| Key Life | 86400 seconds |
| Dead Peer Detection | Enabled |
| NAT Traversal | Enabled |
| Phase 2 | |
| IKE proposal | Encryption: AES128, Authentication: SHA1; Encryption: AES256, Authentication: SHA1 |
| Key Life | 43200 seconds |
| Replay Detection | Enabled |
| Perfect Forward Secrecy (PFS) | Enabled |
| DH Group | 5 |
To upgrade the legacy IPsec VPN settings that FortiClient uses without removing the existing pre-logon VPN, contact Fortinet Support to request a change through a new technical support ticket.
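To see why a gateway tuned to the default settings in Default settings for pre-logon IPsec VPN will not bring up a tunnel for an endpoint still on the legacy settings above, here is an added Python check (not Fortinet code) that transcribes both tables and compares them against a constructed gateway profile. It is a simplified agreement model, not an IKE implementation: key lifetimes are left out because each side can apply its own, and the gateway's proposal and DH group sets are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecProfile:
    ike_version: int
    p1_proposals: frozenset   # set of (encryption, authentication) pairs
    p1_dhgrp: frozenset
    p2_proposals: frozenset
    p2_dhgrp: frozenset       # PFS group(s)
    pfs: bool
    ike_mode: str = "main"    # IKEv1 only: "main" or "aggressive"


SHA256_PROPOSALS = frozenset({("AES128", "SHA256"), ("AES256", "SHA256")})
SHA1_PROPOSALS = frozenset({("AES128", "SHA1"), ("AES256", "SHA1")})

# Transcribed from the default and legacy tables on this page.
DEFAULT_PRELOGON = IpsecProfile(2, SHA256_PROPOSALS, frozenset({15}), SHA256_PROPOSALS, frozenset({15}), True)
LEGACY_PRELOGON = IpsecProfile(1, SHA256_PROPOSALS, frozenset({5}), SHA1_PROPOSALS, frozenset({5}), True, "aggressive")

# Constructed gateway profile tuned to the 25.2 defaults (assumption: it also offers DH group 14).
GATEWAY_FOR_DEFAULTS = IpsecProfile(2, SHA256_PROPOSALS, frozenset({14, 15}), SHA256_PROPOSALS, frozenset({14, 15}), True)


def negotiation_issues(client: IpsecProfile, gateway: IpsecProfile) -> list:
    """Return the parameters on which client and gateway cannot agree (empty list means they can)."""
    issues = []
    if client.ike_version != gateway.ike_version:
        issues.append(f"IKE version: client v{client.ike_version}, gateway v{gateway.ike_version}")
    elif client.ike_version == 1 and client.ike_mode != gateway.ike_mode:
        issues.append(f"IKEv1 mode: client {client.ike_mode}, gateway {gateway.ike_mode}")
    if not client.p1_proposals & gateway.p1_proposals:
        issues.append("Phase 1: no common encryption/authentication proposal")
    if not client.p1_dhgrp & gateway.p1_dhgrp:
        issues.append(f"Phase 1: no common DH group {sorted(client.p1_dhgrp)} vs {sorted(gateway.p1_dhgrp)}")
    if not client.p2_proposals & gateway.p2_proposals:
        issues.append("Phase 2: no common encryption/authentication proposal")
    if client.pfs != gateway.pfs:
        issues.append("Phase 2: PFS enabled on only one side")
    elif client.pfs and not client.p2_dhgrp & gateway.p2_dhgrp:
        issues.append(f"Phase 2: no common PFS DH group {sorted(client.p2_dhgrp)} vs {sorted(gateway.p2_dhgrp)}")
    return issues


if __name__ == "__main__":
    print(negotiation_issues(DEFAULT_PRELOGON, GATEWAY_FOR_DEFAULTS))   # [] : tunnel can negotiate
    for issue in negotiation_issues(LEGACY_PRELOGON, GATEWAY_FOR_DEFAULTS):
        print(issue)   # IKE version, Phase 1 DH group, Phase 2 proposal, Phase 2 PFS group
```

Run the same check against your own gateway's phase 1 and phase 2 settings before an endpoint profile is switched from the legacy to the default values.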