VPN access
Most internal services (SSH, databases, admin UIs) are only reachable over VPN. LEF’s standard remote access is SSL-VPN with Entra SSO.
Entry point
- VPN portal: https://vpn.lef.digital:10443/ (login page: /remote/login?lang=en)
Prerequisites (for collaborators)
- You have an Entra account and the required VPN access (see Access control policy).
- You can complete MFA prompts (when required).
Connect (high level)
- Open the VPN portal and sign in using Entra (SSO).
- Install the recommended VPN client (if prompted by the portal) or follow the client instructions provided by Infra.
- Connect, then access internal hostnames and services.
VPN policy (current)
- Maximum connection time: 24 hours (forced disconnect after that).
- FortiGate VPN modes:
  - Web mode: disabled
  - Tunnel mode: the only mode enabled
- Client: FortiClient is mandatory.
Latest update (2025-12-26)
- Confirmed sslvpn-web-mode is disabled (browser access off).
- Confirmed SSL-VPN remains tunnel mode only.
- Authentication remains via Entra (Azure) SSO.
- IPsec configuration is currently disabled; can be re-enabled later if we decide to migrate from SSL-VPN.
- Note from provider: Fortinet plans to discontinue SSL-VPN in the future (monitor roadmap and plan migration timing).
DNS over VPN
- VPN clients receive internal DNS settings, including dns.core.lef (192.168.20.40).
- When internal hostnames don’t resolve, verify VPN connectivity first, then check dns.core.lef and DNS split horizon.
Entra SAML (FortiGate SSL-VPN)
We use FortiGate SSL VPN with SAML-based sign-on configured in Microsoft Entra (entra.microsoft.com).
Basic SAML configuration (current)
| Field | Value |
|---|---|
| Identifier (Entity ID) | https://vpn.lef.digital:10443/remote/saml/metadata |
| Reply URL (Assertion Consumer Service URL) | https://vpn.lef.digital:10443/remote/saml/login |
| Sign on URL | https://vpn.lef.digital:10443/remote/saml/login |
| Relay State | Optional |
| Logout URL | https://vpn.lef.digital:10443/remote/saml/logout |
Attributes & claims (current)
| Claim | Source |
|---|---|
| givenname | user.givenname |
| surname | user.surname |
| emailaddress | user.mail |
| name | user.userprincipalname |
| username | user.userprincipalname |
| group | user.groups |
| Unique User Identifier | user.userprincipalname |
VPN authorization (groups)
FortiGate access policies reference Entra group Object IDs.
| Group | Object ID | Source | Access scope |
|---|---|---|---|
| VPN Entra | 4e76a567-afd4-4a37-ab9e-6c590510213c | Cloud | TODO (confirm intended scope) |
| VPN Users | 7c7f6e8a-1b53-4968-bfc1-d0a3b2ba4f18 | Windows Server AD | Full access (standard VPN users) |
| VPN Report App | a786b7ac-fb4c-40f2-ae64-5d61bf791ada | Cloud | Limited to np-ritmo |
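As an added illustration (not LEF's or Fortinet's code) of how the group table above decides access, and of the "SSO succeeds but access is denied" failure mode listed under Known risks, the following Python check pulls the group claim out of a constructed SAML assertion and maps the Object IDs to the scopes in the table; the claim name "group", the sample user and the assertion layout are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Group Object IDs from the authorization table above. "VPN Entra" is left out
# on purpose: its scope is still TODO on this page, so it grants nothing here.
GROUP_SCOPES = {
    "7c7f6e8a-1b53-4968-bfc1-d0a3b2ba4f18": "full",      # VPN Users
    "a786b7ac-fb4c-40f2-ae64-5d61bf791ada": "np-ritmo",  # VPN Report App
}

# Constructed sample assertion (not a real capture); user and values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>a786b7ac-fb4c-40f2-ae64-5d61bf791ada</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its list of values.
    Assumes the assertion's signature was already verified upstream (as the
    FortiGate does): attributes from an unverified assertion must never drive
    authorization decisions."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def authorize(attrs: dict) -> tuple:
    """Apply the group policy: SSO may have succeeded, but without a mapped
    group the result is deny (the 'SSO succeeds but access is denied' case)."""
    scopes = {GROUP_SCOPES[g] for g in attrs.get("group", []) if g in GROUP_SCOPES}
    if not scopes:
        return ("deny", "authenticated but not in any assigned VPN group")
    if "full" in scopes:
        return ("allow", "full")
    return ("allow", ",".join(sorted(scopes)))


if __name__ == "__main__":
    print(authorize(saml_attributes(SAMPLE_ASSERTION)))  # ('allow', 'np-ritmo')
```

A user whose only group is "VPN Entra" is denied here precisely because its scope is still unconfirmed on this page; once the scope is decided, adding the Object ID to GROUP_SCOPES is the only change needed.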
Validate
- Confirm you can reach internal admin UIs (see Services).
- If you still can’t resolve internal hostnames, check split-horizon DNS (see DNS split horizon).
Operational notes (Infra)
- SSL-VPN is terminated at the EVEO-managed perimeter firewall (see Firewall & public ingress). Public traffic is restricted to HTTP(S) forwarding; operator access stays VPN-only (see Access).
- Treat VPN configuration artifacts as sensitive. Don’t store them in Git.
Known risks / failure modes
- Not on VPN → internal DNS and services are unreachable.
- Missing group/app assignment in Entra → SSO succeeds but access is denied.
- DNS resolves to the public IP from inside LAN/VPN → fix split-horizon DNS.