Fortigate + NAP RRS feed

  • Question

  • Hi,

    I have a Fortigate 111C firewall and only one network behind it. On that firewall I have 3 remote locations. When I configure VPN on Windows Server, the VPN user has access to all local and remote networks. What I would like to do is put the Windows VPN server inside a different subnet and from there control which VPN user (AD user) has access to which subnet. Now, since I have never worked with NAP, can NAP control this? Fortigate will route traffic between subnets. I am just not sure how and with what I can control subnet access by username.

    Monday, April 15, 2013 7:53 AM

All replies

  • Hi opti2k4,


    Thanks for the question.


    However, as far as I know, we cannot control this on the NAP side. And we may have to set up an ACL on your firewall based on source and destination to achieve this.


    NPS allows you to provide local and remote network access and to define and enforce policies for network access authentication and authorization.


    More information:


    Network Policy and Access Services

    http://technet.microsoft.com/en-us/network/bb545879.aspx


    Hope this helps.


    Jeremy Wu
    TechNet Community Support

    • Proposed as answer by Jeremy_Wu Thursday, April 18, 2013 7:00 AM
    • Marked as answer by Jeremy_Wu Tuesday, April 23, 2013 3:06 AM
    Tuesday, April 16, 2013 7:42 AM
  • Thanks for the answer!

    In case I decide to ditch Fortigate as VPN server and use only Windows 2008 R2 as VPN server (port forward) with NAP, I could set up VPN like this:

    1) define which AD groups can connect over VPN

    2) for each AD group I can define a policy where I will specify an input filter, so that way I can deny VPN users access to some network

    Is this correct?

    If it is, then the only thing missing is the DHCP scope for VPN clients. Let's say I am using 10.10.10.0/24 and for VPN clients I use 10.20.20.0/24. Do I need to configure a virtual interface (gateway) 10.20.20.1 on the firewall so I can route traffic between networks, or will the VPN server use that IP automatically as the default gateway for VPN clients?

    Tuesday, April 16, 2013 7:51 AM
  • Hi,

    Your premise above is correct. You can do this.

    However, to be clear - this is not NAP; it is basic VPN configuration with a Windows Server. With NAP, you add an additional condition that evaluates the 'health' of the client and grant or restrict access based on the health status. You don't need to run the NAP agent on the client, or enable the VPN enforcement client, to accomplish what you've described above.

    With respect to your DHCP question, I don't have a clear picture of your network design but essentially VPN clients will be able to access whatever the VPN server can access minus anything you filter out. If you use a different IP address pool for VPN clients, the default gateway will of course need to be on that subnet if you wish for them to be able to route outside the subnet.

    -Greg

    • Proposed as answer by Jeremy_Wu Thursday, April 18, 2013 7:00 AM
    • Marked as answer by Jeremy_Wu Tuesday, April 23, 2013 3:06 AM
    Wednesday, April 17, 2013 5:17 PM
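As an added illustration of the design the two posts above settle on (this is example code written for this page, not code from the thread, from Microsoft or from Fortinet), the Python below models the two points that matter when you build it: NPS walks its network policies in order and applies the first one whose AD-group condition matches, so only that policy's IP filters govern the client, and the VPN clients' default gateway must sit inside their own address pool. The 10.10.10.0/24 LAN and 10.20.20.0/24 VPN pool are taken from the question; the group names, policy names and remote-site subnets are assumptions made up for the example.

```python
"""Model of per-AD-group VPN input filters and the pool/gateway check.

Added example for this page; not the thread's, Microsoft's or Fortinet's code.
Group names, policy names and the remote-site subnets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# 10.10.10.0/24 and 10.20.20.0/24 come from the thread; the two remote sites are hypothetical.
LAN = ip_network("10.10.10.0/24")
VPN_POOL = ip_network("10.20.20.0/24")
SITE_A = ip_network("10.30.30.0/24")   # hypothetical remote location
SITE_B = ip_network("10.40.40.0/24")   # hypothetical remote location


@dataclass(frozen=True)
class Policy:
    """One NPS network policy: an AD-group condition plus the networks its IP filter permits.
    Anything not listed in `permit` is dropped, mirroring an input filter with 'deny all but'."""
    name: str
    group: str
    permit: Tuple[IPv4Network, ...]


# Ordered exactly as NPS would process them (most privileged first, so it is not shadowed).
POLICIES: List[Policy] = [
    Policy("Admins full access", "VPN-Admins", (LAN, SITE_A, SITE_B)),
    Policy("Site A staff", "VPN-SiteA", (SITE_A,)),
    Policy("LAN only", "VPN-Users", (LAN,)),
]


def select_policy(user_groups: Iterable[str]) -> Optional[Policy]:
    """First policy whose group condition matches wins; later matches are ignored.
    None means no policy matched, which NPS treats as a rejected connection."""
    groups = set(user_groups)
    for policy in POLICIES:
        if policy.group in groups:
            return policy
    return None


def is_allowed(user_groups: Iterable[str], destination: str) -> bool:
    """Would the selected policy's input filter let this client reach `destination`?"""
    policy = select_policy(user_groups)
    if policy is None:
        return False
    dst = ip_address(destination)
    return any(dst in net for net in policy.permit)


def shadowed_policies(user_groups: Iterable[str]) -> List[str]:
    """Policies that also match the user but never apply because an earlier one wins.
    A non-empty result is the usual cause of 'my restrictive policy does nothing'."""
    groups = set(user_groups)
    winner = select_policy(groups)
    if winner is None:
        return []
    after_winner = POLICIES[POLICIES.index(winner) + 1:]
    return [p.name for p in after_winner if p.group in groups]


def gateway_in_pool(pool: str, gateway: str) -> bool:
    """Greg's routing point: clients can only use a default gateway inside their own pool."""
    return ip_address(gateway) in ip_network(pool)


if __name__ == "__main__":
    for groups, dst in [({"VPN-Users"}, "10.10.10.5"),
                        ({"VPN-Users"}, "10.30.30.5"),
                        ({"VPN-SiteA"}, "10.30.30.5"),
                        ({"VPN-Admins", "VPN-Users"}, "10.40.40.7"),
                        ({"Domain Users"}, "10.10.10.5")]:
        print(sorted(groups), dst, "allowed" if is_allowed(groups, dst) else "denied")
    print("shadowed for admin+user:", shadowed_policies({"VPN-Admins", "VPN-Users"}))
    print("gateway 10.20.20.1 in pool:", gateway_in_pool(str(VPN_POOL), "10.20.20.1"))
    print("gateway 10.10.10.1 in pool:", gateway_in_pool(str(VPN_POOL), "10.10.10.1"))
```

The ordering in `POLICIES` is the part worth checking in a real NPS console: if the "LAN only" policy were listed before "Admins full access", an administrator who is also in VPN-Users would be matched by the narrower policy first, and `shadowed_policies` would report the admin policy as unreachable for that account.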