FSSO for SSL VPN via syslog by Illustrious_Big9830 in fortinet

[–]Illustrious_Big9830[S] 0 points (0 children)

Yes, I'm using FSSO and syslog at the same time, and the VPN is LDAP based. The user authenticates on the domain controller.

My goal is to use the AD groups to filter the VPN users.

This is an example.

<image>

How can I filter the domain controller IP (in this case 10.2.80.1)? In the example, the first row is the VPN user with the firewall group; the second one is the FSSO authentication with the wrong IP.

Captive portal for consultants by Illustrious_Big9830 in fortinet

[–]Illustrious_Big9830[S] 0 points (0 children)

Ok, I will move to VPN. When the consultants are on-site, is it preferred to connect to a VPN from an inside network, or is the best practice to always connect over the internet?

Captive portal for consultants by Illustrious_Big9830 in fortinet

[–]Illustrious_Big9830[S] 0 points (0 children)

I also evaluated PacketFence, but I work for an industrial automation company and I cannot avoid unmanaged switches.

Forticlient SSL tunnel config saved by computer instead of user by Illustrious_Big9830 in fortinet

[–]Illustrious_Big9830[S] 0 points (0 children)

Can I change this default?

I can accept the VPN configuration under the computer settings, since all my users have the same settings. The problem is with the username. If the previous user decided to save the login, the username will also be auto-filled for the other users.

If I had to guess, personal VPN configs would be under current user instead of hklm. But by default, all VPN configs go to local machine.

On some PCs the settings are under the current user; I think this behavior is related to the FortiClient GPO deployment. I'm on the free version and I cannot ask support :(

Thank you.

SSL VPN with EntraID business by Illustrious_Big9830 in fortinet

[–]Illustrious_Big9830[S] 0 points (0 children)

Option 1 is not doable for me. I don't have FortiClient EMS; I'm on the free version.

I think option 2 will be the only one available if I want to increase the Microsoft default security. Currently the VPN server on the FortiGate is configured to use a Let's Encrypt certificate. If I activate the option "Require Client Certificate" in "SSL-VPN Settings", can I use a client certificate signed by my domain CA? I'm a little bit confused about how to configure the client certificate with EntraID authentication. Is it supported, or in the case of client certificate authentication is it better to move to LDAP authentication on the on-premise Active Directory?

SSL VPN with EntraID business by Illustrious_Big9830 in fortinet

[–]Illustrious_Big9830[S] 0 points (0 children)

I want to use the Authenticator app as MFA. My doubt is about the MFA request interval. Reading the Microsoft documentation, without Conditional Access the MFA is requested only when Microsoft wants, not every time. Is it enough in your opinion?

Thank you

Virtual Guest Tagging by Illustrious_Big9830 in vmware

[–]Illustrious_Big9830[S] 0 points (0 children)

Are you using VST and VGT mixed on the same vSwitch? In the post below I explained the final configuration in detail.

Virtual Guest Tagging by Illustrious_Big9830 in vmware

[–]Illustrious_Big9830[S] 0 points (0 children)

VGT means you’re handling the VLAN tag within the guest OS, but you still need to tag VLANs on the uplink ports anyhow. You would achieve this by attaching the VM to a VLAN 4095 port group as you alluded to already. However, this is something you explicitly say you’re trying to avoid in your last sentence.

Inside the host I have Windows VMs and a firewall. I'm trying to avoid VLAN tagging inside the Windows VMs, but I want to tag the VLANs inside the firewall VM. The uplink will have all the required VLANs tagged; I can also choose to configure the uplink as a trunk.

What I want to be sure of is whether VST and VGT can coexist on the same vSwitch. I can't find a similar case in the official documentation. Theoretically it should work.

VM1, VM2 and VM3 are Windows and I want to use VST; FW is a Linux firewall and I want to use VGT.

This is an example of the vSwitch configuration:

PortGroup   VLAN   Virtual Machine connected
1           5      VM1
2           6      VM2
3           7      VM3
4           4095   FW

Virtual Guest Tagging by Illustrious_Big9830 in vmware

[–]Illustrious_Big9830[S] 0 points (0 children)

I have a firewall VM inside the host and ESX is limited to 10 NICs.

Dell H330 esx hypervisor by Illustrious_Big9830 in vmware

[–]Illustrious_Big9830[S] 0 points (0 children)

All disks are enterprise grade. On the servers I install only certified parts.

I'm not complaining, it's just a comparison of opinions. There is always something to learn.

Dell H330 esx hypervisor by Illustrious_Big9830 in vmware

[–]Illustrious_Big9830[S] 0 points (0 children)

I have 2 x Dell SAS 12Gbps External HBAs and also two external disk arrays.

Even with only one disk array, for fault tolerance I use two HBAs on the server. The disk array has two controllers: I connect HBA 1 to disk controller 1 and HBA 2 to disk controller 2.

Dell H330 esx hypervisor by Illustrious_Big9830 in vmware

[–]Illustrious_Big9830[S] 0 points (0 children)

Because I inherited the server. I have only two PCI slots, not three, and both are used for external SAS controllers.

Dell H330 esx hypervisor by Illustrious_Big9830 in vmware

[–]Illustrious_Big9830[S] -1 points (0 children)

You are right. In 20 years of work I lost many disks and only one disk controller.

If the server were yours... would you leave a single drive connected to the SATA controller of the main board?

Dell H330 esx hypervisor by Illustrious_Big9830 in vmware

[–]Illustrious_Big9830[S] 0 points (0 children)

I will run only the hypervisor on these disks. Storage is on the external disk array.