VPN access (platform)
Most internal services (SSH, databases, admin UIs) are only reachable over VPN. LEF’s standard remote access is SSL-VPN with Entra SSO.
For connecting and troubleshooting (symptom-driven), see VPN access (support).
For the VPN service entry point, see VPN.
VPN policy (current)
- Maximum connection time: 24 hours (forced disconnect after that).
- FortiGate VPN modes:
  - Web mode: disabled
  - Tunnel mode: only (the sole supported mode)
- Client: FortiClient is mandatory.
Latest update (2025-12-26)
- Confirmed `sslvpn-web-mode` is disabled (browser access off).
- Confirmed SSL-VPN remains tunnel mode only.
- Authentication remains via Entra (Azure) SSO.
- IPsec configuration is currently disabled; it can be re-enabled later if we decide to migrate away from SSL-VPN.
- Note from provider: Fortinet plans to discontinue SSL-VPN in the future (monitor the roadmap and plan migration timing).
DNS over VPN
- VPN clients receive internal DNS settings, including `dns.core.lef` (192.168.20.40).
- When internal hostnames don’t resolve, verify VPN connectivity first, then check `dns.core.lef` and the DNS split horizon.
VPN IP addressing (reference)
- For the VPN client IP pool and addressing facts, see VPN client addressing (reference).
Entra SAML (FortiGate SSL-VPN)
We use FortiGate SSL-VPN with SAML-based sign-on configured in Microsoft Entra (entra.microsoft.com): the FortiGate is the SAML service provider (SP) and Entra is the identity provider (IdP). The values below are the SP-side values entered on the Entra enterprise application.
Basic SAML configuration (current)
| Field | Value |
|---|---|
| Identifier (Entity ID) | https://vpn.lef.digital:10443/remote/saml/metadata |
| Reply URL (Assertion Consumer Service URL) | https://vpn.lef.digital:10443/remote/saml/login |
| Sign on URL | https://vpn.lef.digital:10443/remote/saml/login |
| Relay State | Optional |
| Logout URL | https://vpn.lef.digital:10443/remote/saml/logout |
Attributes & claims (current)
| Claim | Source |
|---|---|
| givenname | user.givenname |
| surname | user.surname |
| emailaddress | user.mail |
| name | user.userprincipalname |
| username | user.userprincipalname |
| group | user.groups |
| Unique User Identifier | user.userprincipalname |
VPN authorization (groups)
FortiGate user groups and the firewall policies built on them match on Entra group Object IDs (the value Entra emits in the `group` claim), not on group display names.
| Group | Object ID | Source | Access scope |
|---|---|---|---|
| VPN Entra | 4e76a567-afd4-4a37-ab9e-6c590510213c | Cloud | TODO (confirm intended scope) |
| VPN Users | 7c7f6e8a-1b53-4968-bfc1-d0a3b2ba4f18 | Windows Server AD | Full access (standard VPN users) |
| VPN Report App | a786b7ac-fb4c-40f2-ae64-5d61bf791ada | Cloud | Limited to np-ritmo |
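The FortiOS CLI below is an added example, not LEF’s live firewall configuration; it shows how the policy section (web mode off, tunnel only, 24 h limit), the DNS settings, the Entra SAML table, the `username`/`group` claims and the group table above fit together on the FortiGate side. Every value in angle brackets, the object names (`lef-tunnel-only`, `entra-sso`, `vpn-users-entra`, `vpn-report-app`, the `np-ritmo` address object), the `core.lef` DNS suffix and the Entra IdP URL patterns are assumptions, not facts from this page.

```fortios
# Added example, not LEF's live configuration. Placeholders are in <angle brackets>.

# Policy: web mode off globally, 24 h hard limit, internal DNS pushed to clients.
config system global
    set sslvpn-web-mode disable
end
config vpn ssl settings
    set servercert "<vpn.lef.digital-cert>"
    set port 10443
    set source-interface "<wan-interface>"
    set source-address "all"
    # 86400 s = 24 h, then forced disconnect regardless of activity.
    set auth-timeout 86400
    # dns.core.lef; the suffix is assumed from the resolver's hostname.
    set dns-server1 192.168.20.40
    set dns-suffix "core.lef"
    # Pool name is a placeholder; see VPN client addressing (reference).
    set tunnel-ip-pools "<vpn-client-pool>"
    set default-portal "lef-tunnel-only"
    config authentication-rule
        edit 1
            set groups "vpn-users-entra" "vpn-report-app"
            set portal "lef-tunnel-only"
        next
    end
end

# Portal: tunnel mode only, so a client (FortiClient) is required.
config vpn ssl web portal
    edit "lef-tunnel-only"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "<vpn-client-pool>"
    next
end

# SAML SP: SP URLs are the ones in the Entra table; IdP values are assumed Entra defaults.
config user saml
    edit "entra-sso"
        set entity-id "https://vpn.lef.digital:10443/remote/saml/metadata"
        set single-sign-on-url "https://vpn.lef.digital:10443/remote/saml/login"
        set single-logout-url "https://vpn.lef.digital:10443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "<entra-signing-cert>"
        # Claim names from the Attributes & claims table; "group" carries Object IDs.
        set user-name "username"
        set group-name "group"
        set digest-method sha256
    next
end

# Group mapping: match on Object IDs, never on display names.
# "VPN Entra" is deliberately not mapped until its intended scope is confirmed.
config user group
    edit "vpn-users-entra"
        set member "entra-sso"
        config match
            edit 1
                set server-name "entra-sso"
                set group-name "7c7f6e8a-1b53-4968-bfc1-d0a3b2ba4f18"
            next
        end
    next
    edit "vpn-report-app"
        set member "entra-sso"
        config match
            edit 1
                set server-name "entra-sso"
                set group-name "a786b7ac-fb4c-40f2-ae64-5d61bf791ada"
            next
        end
    next
end

# Firewall policies from the tunnel interface, scoped per group.
config firewall policy
    edit 0
        set name "vpn-users-full"
        set srcintf "ssl.root"
        set dstintf "<internal-interface>"
        set srcaddr "<vpn-client-pool>"
        set dstaddr "all"
        set groups "vpn-users-entra"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "vpn-report-app-np-ritmo"
        set srcintf "ssl.root"
        set dstintf "<internal-interface>"
        set srcaddr "<vpn-client-pool>"
        set dstaddr "np-ritmo"
        set groups "vpn-report-app"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

To check a running unit against the policy, `show system global | grep sslvpn-web-mode` should print `disable`, `get vpn ssl settings | grep auth-timeout` should show 86400, and `diagnose vpn ssl list` lists current tunnel sessions. A group whose scope is still a TODO (as “VPN Entra” is above) should stay unmapped rather than inherit the full-access policy.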
Operational notes (Infra)
- SSL-VPN is terminated at the EVEO-managed perimeter firewall (see Firewall & public ingress).