SSL VPN with Entra ID business

Hello all,

I installed a couple of 100Fs and I’m testing the SSL VPN access. I’m experimenting with Entra ID authentication with MFA and it is working well. My doubt is how secure it is with the Entra ID business license. I don’t have conditional access on my subscription, so MFA is required every time for the Entra ID Global admins and only when Microsoft wants it for normal users. From my point of view this can be acceptable because:

  1. Access from a new device requires MFA
  2. Access from a new location requires MFA
  3. Access from a “known” device (already authenticated with MFA) does not require MFA

It’s the same security level that I have with the Microsoft portal.

Am I underestimating something?

Moving to Entra ID P1 is not an option now; the alternative could be to use certificates, but the effort to manage this configuration is bigger.

We are about 70 users.

Thank you.

You’re right, your VPN will be as secure as your Entra/Azure environment is. In my opinion, this is more secure than trying to manage a separate VPN login with MFA (more passwords to remember and reusing passwords). You could also require users to use Microsoft Authenticator to avoid MFA fatigue.

I want to use the Authenticator app as MFA. My doubt is about the MFA request interval. Reading the Microsoft documentation, without conditional access MFA is requested only when Microsoft wants, not every time. Is it enough in your opinion?

Thank you

I think it depends on a few other factors. Do you regularly train and test users on online/computer safety (phishing, viruses, download links, etc.)? How secure are these computers (BitLocker, lockout times, etc.)? I think going this route makes you susceptible to session hijacking attacks. But then again, what are you doing to mitigate that currently for your M365 users?

You could try the following options.

  1. If you can lock the VPN client settings, then make sure “Use external browser as user-agent for saml user authentication” is not selected. Once the VPN disconnects, it’ll prompt the user to sign in through a pop-up window every time. But if this option is selected it’ll let the user sign in automatically using the browser session. It makes it so much easier and more seamless to sign into the VPN.

  2. If you can’t lock the VPN client settings, then enable the “external browser” option and deploy the cert through GPO. I know you can deploy the VPN config through GPO (registry edits) but I haven’t done the cert deployment yet. Alternatively, since you’re about 70 users, you should look into Action1 RMM. They provide a free license for 100 computers and you can use this tool to manage computers remotely. It does patch management, remote control, and system/app deployment and configuration. You could use this to deploy the VPN client and cert. And no, I am not associated with Action1 in any way, but I like that tool.

So I was curious about locking the controls on the client and spoke with Fortinet support, and they said the only way to lock the settings is if you buy an EMS (Enterprise Management Server) subscription. I guess option 1 comes with a price.

This just came to mind, but as option 3: deploy a GPO to clear browser cookies on close and force a computer restart every week.

Option 1 is not doable for me. I don’t have FortiClient EMS; I’m on the free version.

I think option 2 will be the only one available if I want to increase the Microsoft default security. Actually, the VPN server on the FortiGate is configured to use a Let’s Encrypt certificate. If I activate the option “Require Client Certificate” in “SSL-VPN Settings”, can I use a client certificate signed by my domain CA? I’m a little bit confused about how to configure the client certificate with the Entra ID authentication. Is it supported, or in the case of client certificate authentication is it better to move to LDAP authentication on on-premises Active Directory?