We have FortiGate deployed in our network, and the company wants WFH employees to connect to the company network before accessing the internet. I thought of using the Fortinet VPN for this, but how do I force Windows, Mac, and Linux users to connect to the company network, and if they don’t, the internet should not work… We have all the PCs connected to the Windows domain except Linux and Mac.
EMS. Have FortiClient automatically connect by itself. Unless you want to avoid EMS and add another system to your network stack.
Can go a step further and set services like 365 to only allow access via company network when using a pc
I’d probably check if EMS works on Mac and Linux though I’m sure someone can confirm
Make some required resource available only on internal DNS, or only from your IP. It’s not perfect, but it should catch over 90% of your users
You can set up global secure access through entra and deploy the client through Intune.
What you’re looking for is an always-on VPN that is full tunneled. That would be the more “traditional” method of handling it.
You may be able to accomplish this with something like a SASE, but you’d have to purchase another tool. The above is doable with just a Fortinet + VPN.
Reading through your replies you really need something like zScaler’s ZIA to do what you want.
I think you need to carefully consider why, not how… and consider the implications to your network and overall performance for those users.
Cheapest and simplest option if using M365?
Use conditional access for all of your apps that must be authenticated against through the company network.
It won’t prevent them from using other networks but they won’t be able to access company services unless connected to the company network.
Sometimes it’s an X-Y-problem, therefore it might be helpful explaining why the company wants users to do this. So, what’s the reason behind this idea?
Use a cloud filter like zscaler or Microsoft Entra Internet Access. Then no VPN is needed.
So you are having a reaction to an incident that happened and going down the wrong path (IMHO). Always-on VPN is a way of doing things from years ago (nothing wrong with it), but if you have any modern services in the cloud, all of the major players have modern and better ways of applying DLP and rule sets to your endpoints without tunneling all that traffic back via your datacenter. Your end users will have a better experience.
I would look at full Intune enrollment with OneDrive syncing known folders. You’ll have complete management of the machine, being able to track everything without forcing that VPN. If you don’t want to be that liberal, you set up conditional access policies to block access to apps outside the corporate network.
I don’t know about Forti, but Cisco AnyConnect can check if certain sites are accessible or if certain network settings have been applied (implied to be via internal DHCP) and won’t start the VPN. They call it trusted network detection. Does Forti do that?
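The trusted network detection idea in the comment above, and the internal-only-resource suggestion earlier in the thread, as an added example that is not from the thread or from any vendor's client: a small Python check that decides whether an endpoint is on the corporate network by resolving a probe name that exists only in the corporate split-horizon DNS and requiring the answer to come from a corporate resolver. The probe hostname, the expected address and the resolver list are constructed assumptions.

```python
import socket
import ipaddress

# Constructed policy values (assumptions, not from the thread): a probe name
# that exists only in the corporate split-horizon DNS, the answer it must
# return, and the corporate resolvers that hand out that answer.
PROBE_HOST = "vpn-probe.corp.example"
EXPECTED_ANSWERS = {ipaddress.ip_address("10.20.0.5")}
TRUSTED_RESOLVERS = {ipaddress.ip_address("10.20.0.53"),
                     ipaddress.ip_address("10.20.0.54")}


def resolve_probe(host: str = PROBE_HOST) -> set:
    """Live lookup of the probe name; empty set on NXDOMAIN or no network."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def classify(answers, resolvers) -> str:
    """Decide whether the endpoint is on the trusted (corporate) network.

    "trusted"      - probe answered correctly by a corporate resolver
    "vpn_required" - off-net: NXDOMAIN, or the answer came from an outside resolver
    "suspicious"   - probe name answered, but with the wrong address
                     (typical of captive portals or wildcard DNS)
    A client agent would bring up the full tunnel on anything but "trusted".
    """
    answers = {ipaddress.ip_address(a) for a in answers}
    resolvers = {ipaddress.ip_address(r) for r in resolvers}
    if not answers:
        return "vpn_required"
    if not answers <= EXPECTED_ANSWERS:
        return "suspicious"
    if not (resolvers & TRUSTED_RESOLVERS):
        # Right answer from an unknown resolver: a home router handing out
        # 10.x addresses must not count as the corporate network.
        return "vpn_required"
    return "trusted"


def should_enforce_tunnel(answers, resolvers) -> bool:
    return classify(answers, resolvers) != "trusted"


if __name__ == "__main__":
    # The configured resolver list is OS-specific (resolv.conf, scutil,
    # Get-DnsClientServerAddress); pass the live list in place of set().
    print(classify(resolve_probe(), set()))
```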
If you want to force software and connections, provide them with a work laptop. Don’t expect people to be willing to give their company any sort of control over their personal machines. I sure as hell would never give it.
Always-on tunnels like Todyl or Zscaler.
Lots of ridiculous suggestions in here. Do these folks even read the OP’s question?
There’s a number of ways to achieve this within the Fortinet ecosystem. Your best bet is to use FortiClient EMS and their Auto-Discovery VPN feature which will automatically turn on/off the VPN connection when clients move to and from the corporate network. It’s an option in the VPN profile along with enabling Full-tunnel.
Your biggest hurdle will be Linux as EMS is very limited when it comes to VPN controls.
If you don’t have EMS, you can use an MDM. If you do not have either of those, then you can look at some more modern controls others have suggested here. At the very least, you can put services behind the VPN which will require them to connect but this is outside of what you are asking for.
Either way, this is a good opportunity to convince your higher-ups to not go this route unless you’d like to. Lots of things to consider like costs, implementation time, maintenance, etc. Sticker shock em lol
Cloudflare warp zero trust.
How do you manage the endpoints? If you have an MDM, have it lock the computer down until the VPN is established. Force it to set the DNS servers to your specific DNS servers. Don’t let external IPs access internal resources.
If you don’t have an MDM, and are relying on users, you’ve already lost. Give up. Try again in 5 years.
You can use conditional access to prevent users from accessing email/teams/office 365 unless they are on VPN.
If you really want to go deep get something like OpenDNS/Cisco Umbrella and utilize the roaming client to control DNS at all times.
Do you have split tunnel traffic setup for VPN?