Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate / FortiOS 7.6.6 Administration Guide
    7.6.6
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.0

    Disable the clipboard for Agentless VPN RDP connections

    Disable the clipboard for Agentless VPN RDP connections

    In Agentless VPN portals, the clipboard can be disabled for RDP/VNC connections, and the user will be unable to copy and paste content to or from the internal server.

    Example

    In this example, two groups of users are using Agentless VPN to access internal servers with RDP/VNC. One group is allowed to copy and paste content to and from the internal server using the clipboard, while the other is not.

    To configure Agentless VPN portals in the GUI:

    1. Go to VPN > Agentless VPN Portals and click Create New.

    2. Enter a name for the portal, such as testportal1.

    3. Enable RDP/VNC clipboard to allow copying and pasting.

    4. Configure the remaining settings as needed.

    5. Click OK.

    6. Click Create New again.

    7. Enter a name for the portal, such as testportal2.

    8. Disable RDP/VNC clipboard to prevent copying and pasting.

    9. Configure the remaining settings as needed.

    10. Click OK.

    11. Click Create New again, and enter Name as portal-access-disabled.

    12. Disable Agentless VPN on the portal using CLI.

      config vpn ssl web portal
    edit "portal-access-disabled"
        set web-mode disable
    next
end
    To configure the Agentless VPN settings in the GUI:

    1. Go to VPN > Agentless VPN Settings.

    2. Set Agentless VPN status to Enable.

    3. Set Listen on Interface to port2.

    4. In the Authentication/Portal Mapping table, add the users to each of the portals:

      1. Click Create New.

      2. Set Users/Groups to u1 and Portal to testportal1.

      3. Click OK, then click Create New again.

      4. Set Users/Groups to u2 and Portal to testportal2.

      5. Click OK.

      6. Set all Other User/Groups to portal-access-disabled.

    5. Configure the remaining settings as needed.

    6. Click Apply.

    To configure a firewall policy for Agentless VPN in the GUI:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Set a name for the policy, such as policy_to_agentlessvpn.

    3. Set Incoming Interface to the Agentless VPN tunnel interface (ss.root) and Outgoing Interface to port1.

    4. Set Source to all and Users/groups to u1 and u2.

    5. Set Destination to all addresses.

    6. Set Schedule to always, Service to All, and Action to Accept.

    7. Configure the remaining settings as needed.

    8. Click OK.

    To test the if the users can use the clipboard:

    1. On the PC, open a web browser and log in to the web portal as user u1.

    2. Access the internal server using RDP/VNC.

    3. The clipboard is available and you can copy and paste content to and from the remote server.

    4. Log out of the web portal, then log back in as user u2 and access the internal server using RDP/VNC.

      The clipboard is disabled.

    To configure the Agentless VPN portals and settings in the CLI:

    1. Configure the Agentless VPN portals:

      config vpn ssl web portal
    edit "testportal1"
        set web-mode enable
        set clipboard enable
        ...
    next
    edit "testportal2"
        set web-mode enable
        set clipboard disable
        ...
    next
end

    2. Configure the Agentless VPN settings:

      config vpn ssl settings
    set banned-cipher SHA1 SHA256 SHA384
    set servercert "Server_Certificate "
    set login-attempt-limit 0
    set port 1443
    set source-interface "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "portal-access-disabled"
    config authentication-rule
        edit 1
            set users "u1"
            set portal "testportal1"
        next
        edit 2
            set users "u2"
            set portal "testportal2"
        next
    end
end

    3. Configure a firewall policy for Agentless VPN:

      config firewall policy
    edit 1
        set name "policy_to_Agentless_VPN"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"        
        set schedule "always"
        set service "ALL"
        set nat enable
        set users "u1" "u2"
    next
end

    4. On the PC, open a web browser, log in to the web portal as user u1, access the internal server using RDP/VNC, and use the clipboard.

    5. Check the Agentless VPN session monitor using FortiOS CLI:

      # get vpn ssl monitor
Agentless VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       u1             1(1)             N/A     10.1.100.146   0/0     0/364   0

Agentless VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP

    6. On the PC, open a web browser, log in to the web portal as user u2, access the internal server using RDP/VNC, and note that the clipboard is not available.

    7. Check the Agentless VPN session monitor:

      # get vpn ssl monitor
Agentless VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       u2             1(1)             N/A     10.1.100.146   0/0     0/2681  0

Agentless VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
    Previous
    Next

    Disable the clipboard for Agentless VPN RDP connections

    Disable the clipboard for Agentless VPN RDP connections

    In Agentless VPN portals, the clipboard can be disabled for RDP/VNC connections, and the user will be unable to copy and paste content to or from the internal server.

    Example

    In this example, two groups of users are using Agentless VPN to access internal servers with RDP/VNC. One group is allowed to copy and paste content to and from the internal server using the clipboard, while the other is not.

    To configure Agentless VPN portals in the GUI:

    1. Go to VPN > Agentless VPN Portals and click Create New.

    2. Enter a name for the portal, such as testportal1.

    3. Enable RDP/VNC clipboard to allow copying and pasting.

    4. Configure the remaining settings as needed.

    5. Click OK.

    6. Click Create New again.

    7. Enter a name for the portal, such as testportal2.

    8. Disable RDP/VNC clipboard to prevent copying and pasting.

    9. Configure the remaining settings as needed.

    10. Click OK.

    11. Click Create New again, and enter Name as portal-access-disabled.

    12. Disable Agentless VPN on the portal using CLI.

      config vpn ssl web portal
    edit "portal-access-disabled"
        set web-mode disable
    next
end
    To configure the Agentless VPN settings in the GUI:

    1. Go to VPN > Agentless VPN Settings.

    2. Set Agentless VPN status to Enable.

    3. Set Listen on Interface to port2.

    4. In the Authentication/Portal Mapping table, add the users to each of the portals:

      1. Click Create New.

      2. Set Users/Groups to u1 and Portal to testportal1.

      3. Click OK, then click Create New again.

      4. Set Users/Groups to u2 and Portal to testportal2.

      5. Click OK.

      6. Set all Other User/Groups to portal-access-disabled.

    5. Configure the remaining settings as needed.

    6. Click Apply.

    To configure a firewall policy for Agentless VPN in the GUI:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Set a name for the policy, such as policy_to_agentlessvpn.

    3. Set Incoming Interface to the Agentless VPN tunnel interface (ss.root) and Outgoing Interface to port1.

    4. Set Source to all and Users/groups to u1 and u2.

    5. Set Destination to all addresses.

    6. Set Schedule to always, Service to All, and Action to Accept.

    7. Configure the remaining settings as needed.

    8. Click OK.

    To test the if the users can use the clipboard:

    1. On the PC, open a web browser and log in to the web portal as user u1.

    2. Access the internal server using RDP/VNC.

    3. The clipboard is available and you can copy and paste content to and from the remote server.

    4. Log out of the web portal, then log back in as user u2 and access the internal server using RDP/VNC.

      The clipboard is disabled.

    To configure the Agentless VPN portals and settings in the CLI:

    1. Configure the Agentless VPN portals:

      config vpn ssl web portal
    edit "testportal1"
        set web-mode enable
        set clipboard enable
        ...
    next
    edit "testportal2"
        set web-mode enable
        set clipboard disable
        ...
    next
end

    2. Configure the Agentless VPN settings:

      config vpn ssl settings
    set banned-cipher SHA1 SHA256 SHA384
    set servercert "Server_Certificate "
    set login-attempt-limit 0
    set port 1443
    set source-interface "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "portal-access-disabled"
    config authentication-rule
        edit 1
            set users "u1"
            set portal "testportal1"
        next
        edit 2
            set users "u2"
            set portal "testportal2"
        next
    end
end

    3. Configure a firewall policy for Agentless VPN:

      config firewall policy
    edit 1
        set name "policy_to_Agentless_VPN"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"        
        set schedule "always"
        set service "ALL"
        set nat enable
        set users "u1" "u2"
    next
end

    4. On the PC, open a web browser, log in to the web portal as user u1, access the internal server using RDP/VNC, and use the clipboard.

    5. Check the Agentless VPN session monitor using FortiOS CLI:

      # get vpn ssl monitor
Agentless VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       u1             1(1)             N/A     10.1.100.146   0/0     0/364   0

Agentless VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP

    6. On the PC, open a web browser, log in to the web portal as user u2, access the internal server using RDP/VNC, and note that the clipboard is not available.

    7. Check the Agentless VPN session monitor:

      # get vpn ssl monitor
Agentless VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       u2             1(1)             N/A     10.1.100.146   0/0     0/2681  0

Agentless VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
    Previous
    Next