BojanZivkovic-7448 asked

User certificate validation - FortiClient VPN client

Hi, we have a branch in Europe with the whole staff working remotely via VPN. The FortiClient VPN client is being used with a user certificate as second-factor authentication (issued from an Enterprise CA in the US). The CDP/AIA extensions of the certificate are published in AD (LDAP).

My question is: what would happen if the link between Europe and the US goes down? Will employees in Europe be able to connect to the VPN and work with at least the servers hosted in Europe? My logic is that during validation the CRL/AIA are checked, and since they are in the AD configuration partition, the FortiClient VPN client will find an available DC in Europe (it can even be an RODC) and confirm the user certificate is OK, hence let him/her in without any need to contact the CA in the US that is unreachable.

Am I right, and if so, does the same validation process always happen in the background for anything requiring certificates? Thank you very much in advance.

windows-active-directory

1 Answer

LimitlessTechnology-2700 answered

Hello @BojanZivkovic-7448

As long as these are domain-joined computers that have connected at least once, they will not have any problem. If you use domain credentials to log on to the VPN server, the certificate is automatically installed in the Trusted Root Certification Authorities store. However, if the computer is not joined to the domain or if you use an alternative certificate chain, you may experience login errors.

Hope this helps with your query,


--If the reply is helpful, please Upvote and Accept as answer--
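
An added example, not part of the question or the answer above: a PowerShell check, run on a client in the branch, that prints the CDP and AIA locations embedded in the user certificate and asks the Windows chain engine to build the chain with online revocation checking. It assumes the certificate is in the current user's Personal store and carries the Client Authentication EKU; it reports only what this Windows machine can resolve, not what the VPN gateway does.

```powershell
# Added example: where do the user certificate's CDP/AIA point, and can
# Windows complete a revocation check for it right now?
# Assumption: the certificate is in Cert:\CurrentUser\My and has the
# Client Authentication EKU (1.3.6.1.5.5.7.3.2).

$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$cdpOid        = '2.5.29.31'           # CRL Distribution Points
$aiaOid        = '1.3.6.1.5.5.7.1.1'   # Authority Information Access

$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid
}

foreach ($cert in $certs) {
    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"
    "Expires : $($cert.NotAfter)"

    foreach ($oid in $cdpOid, $aiaOid) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) {
            # Format($true) renders the decoded extension, including its
            # ldap:// or http:// URLs, one entry per line
            $ext.Format($true)
        } else {
            "Extension $oid not present"
        }
    }

    # Build the chain and require revocation data for every certificate in it
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($cert)

    "Chain valid: $ok"
    foreach ($status in $chain.ChainStatus) {
        # RevocationStatusUnknown / OfflineRevocation: no usable CRL was obtained
        "  $($status.Status): $($status.StatusInformation.Trim())"
    }
    $chain.Reset()
}
```

A CRL that is still valid in the local cache satisfies the check, so the result reflects the cache as well as current reachability of the CDP.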
