Appendix F - SSL VPN prelogon
SSL VPN prelogon allows tunnel establishment at startup time before users log on to the computer. This may be desirable in situations where remote terminals require access to the VPN hub before login regardless of the users who log in to the computer.
Because the SSL VPN tunnel must establish without user authentication, the authentication method cannot be based on username and password or on a user certificate.
Instead, this solution uses a machine certificate that a trusted certificate authority (CA) issued to allow the trusted computer to connect.
This guide details the settings required to configure SSL VPN prelogon functionality in a Windows environment where a Windows client establishes an SSL VPN tunnel with a FortiGate using a computer certificate that a Windows Active Directory (AD) issued.
SSL VPN prelogon requires the following:
- The endpoint computer is registered to the Windows domain.
- A computer certificate that the Windows AD issued is installed on the endpoint’s local machine certificate store.
- The certificate is issued to the machine name. The name appearing in the SAN field is a UPN or DNS name value matching the computer name in the AD.
- CA certificate of the root CA is installed on the FortiGate’s certificate store.
- FortiClient is installed and registered with EMS to retrieve the SSL VPN tunnel configurations.
The authentication flow is as follows:
- Upon startup, FortiClient connects to the VPN gateway using its computer certificate for authentication.
- FortiGate inspects the certificate expiry date, issuer CA, and SAN field.
- The FortiGate does a LDAP lookup on the Windows AD to determine if the UPN or DNS name in the SAN field of the certificate matches any computer in the domain. The match may be performed on the computer Name or UserPrincipalName.
- Optionally, FortiGate further verifies that the FortiGate user group allows the computer memberOf attribute.