
This is a slightly left-field post on the back of some testing / tinkering I’ve been involved in over the last week or so. It’s not quite the post I had planned, but since I’ve not quite achieved what I set out to (yet, more on that in a future post) and this was a useful by-product along the way, it seemed silly to waste the opportunity of writing up some findings that will hopefully prove useful to someone down the line…

Client VPNs seem to have had a bit of a resurgence for a number of the organisations I work with in recent months, but given our Azure focus and the limitations associated with native Microsoft options in the cloud (lack of RRAS support, administrative complexity of P2S VPNs etc.) we’ve found ourselves exploring and building solutions based on more traditional appliance-based VPN solutions in Azure - Fortinet, Cisco, Palo Alto etc.

Fortinet’s FortiClient-based SSL-VPN implementation is one of the best and simplest out there and has been a fairly staple feature on pretty much every FortiGate I’ve deployed since 2009 or so. A question I’ve been exploring is “how can we make these better / slicker / more secure?”. One thing I haven’t ever explored, though, is the use of certificates as part of the authentication process - deferring instead to the more traditional approach of using RADIUS for Active Directory integration, or third-party MFA support where there’s more than a passing requirement.

The ideal world for me is the integration of Microsoft Always On VPN with a supported third-party appliance in Azure, given the (theoretical) ability to do just that. One of the key advantages of Always On is its support for non-Microsoft IKEv2 / SSTP / L2TP compatible VPN appliances - which can (again, in theory) mitigate some of the challenges associated with the aforementioned Azure limitations. The reality, as I’ve experienced this week during testing, is that this isn’t as straightforward as you would hope when it comes to Azure.

Back to certs and SSL-VPN in FortiClient… the inclusion of certificates in the user authentication process brings with it some advantages:

MFA: It introduces a level of multi-factor authentication that’s transparent to the user. How do you do it? Well… that’s the “future post” I’ve alluded to above - all being well 🙂
