Deploying secured remote APs for the Teleworker

7.0.0

Remote WLAN FortiAP models enable you to provide a pre-configured WiFi access point to a remote or traveling employee. Once plugged in at home or in a hotel room, the FortiAP automatically discovers the enterprise FortiGate WiFi controller over the Internet and broadcasts the same wireless SSID used in the corporate office. Communication between the WiFi controller and the FortiAP is secure, eliminating the need for a VPN.

This section guides you through the process of deploying remote FortiAPs to work with FortiGates:

  1. Configuring FortiGate before deploying remote APs
  2. Configuring FortiAPs to connect to FortiGate
  3. Final FortiGate configuration tasks

Configuration prerequisites
  • Ensure that your FortiGate has an existing wireless SSID configured in tunnel mode.
  • As a security best practice, set up WPA2-Enterprise for SSIDs used by remote clients. You can use a RADIUS server for PEAP authentication with MS-CHAPv2, and install a trusted root CA certificate on all devices that connect to the secure SSIDs.

    Note

    For more security, you can use Client Certificates instead of MS-CHAPv2. For more information, refer to the FortiAuthenticator Cookbook.

  • If you plan on deploying the FortiAP from FortiLAN Cloud, ensure you have a Fortinet Support Account at https://support.fortinet.com.
  • Ensure the internet bandwidth at the site where the FortiGate is located can handle the extra load needed for the remote APs.
  • Determine if you want to tunnel all traffic from the remote wireless client to the FortiGate or just a select subset of the internal or corporate networks (Split Tunneling).

    Note

    If you are only tunneling a subset of your internal or corporate networks, a security client such as FortiClient with URL Filtering and Anti-malware (or another security product) should be used to protect the remote client from becoming compromised and used to access corporate resources.

  • Determine how remote sites will provide an IP address to the remote AP once it's deployed.

Reference guides

You can refer to the following guides for either using FortiAuthenticator (FAC) or Microsoft NPS Server as a RADIUS server:
