Multi-realm SSL VPN tunnel

In this recipe you will learn how to create a simple multi-realm SSL VPN tunnel that provides different portals for different user groups. You will create the necessary user definitions and configure the SSL VPN portals, settings, and policies.

In the example, user ckent has full access to both the web portal and tunnel mode, while user dprince has web-only access. You will test access to the web portals with Mozilla Firefox and access to the tunnel with the FortiClient application.

The recipe assumes that a local interface has already been configured on the FortiGate, and that SSL-VPN Realms is enabled in the Features list (System > Config > Features).

1. Creating the users and user groups

Go to User & Device > User > User Groups and create separate user groups for the web-only and full-access portals (in the example, WebOnlyGroup and FullAccessGroup).

Add a user (in the example, ckent) to the group for full-access SSL VPN connections (FullAccessGroup).

Add a user (in the example, dprince) to the group for web-only SSL VPN connections (WebOnlyGroup).

2. Configuring the SSL VPN realms

Go to VPN > SSL > Realms and configure two realms, one for each user group (in the example, web and full).

Each realm is identified by a URL path (in the example, /web and /full). The URL shown for each realm is the address you will later enter into the web browser to test and connect to that web portal.

3. Configuring the SSL VPN tunnel

Go to VPN > SSL > Portals and edit the full-access portal.

Make sure Enable Split Tunneling is disabled. This is required because the security policy in step 4 uses a Destination Address of all; with split tunneling enabled, the policy would instead have to name the specific internal address(es) the tunnel may reach.


Go to VPN > SSL > Settings and set Listen on Interface(s) to wan1.

Set Listen on Port to 10443. Under Address Range, select Specify custom IP ranges and use the SSLVPN_TUNNEL_ADDR1 address range for tunnel-mode clients.

Under Authentication/Portal Mapping, add the SSL VPN user groups created previously.

Add the WebOnlyGroup to the web-access portal, and add the FullAccessGroup to the full-access portal.

Set the Realm for each portal mapping to match: the web realm for the WebOnlyGroup mapping and the full realm for the FullAccessGroup mapping. A user is only allowed into a portal when both the group and the realm of a mapping match the login.

4. Configuring the multi-realm SSL VPN policy

Go to Policy & Objects > Policy > IPv4 and add a security policy allowing access to the internal network.

Set Incoming Interface to ssl.root.

Set Source Address to the SSL VPN tunnel address range (SSLVPN_TUNNEL_ADDR1), and add the Source User groups you created (WebOnlyGroup and FullAccessGroup).


Set Outgoing Interface to the local network interface so that the remote users can access the internal network.

Set Destination Address to all, enable NAT, and configure any remaining firewall and security options as desired.

5. Results – Testing the web portal

To test this configuration, verify that each portal admits only the user whose group is mapped to its realm and rejects the user whose group is not.

To begin, use your web browser and navigate to the SSL VPN web portal for the web-only access group. In this case, the portal is located at
https://172.20.121.56:10443/web

Attempt to log in to this portal first as the web-only user dprince. Note that Tunnel Mode does not appear for the web-only user, then log out.

After logging out, attempt to log in to the same portal as the full-access user ckent. Permission should be denied, because ckent's group is mapped to the full realm, not to the web realm.


Next, attempt to log in to the full-access portal, in this case located at
https://172.20.121.56:10443/full

If you attempt to log in as user dprince, permission should be denied.

Log in as user ckent. Tunnel Mode is now available, and the connection succeeds.

Note that Tunnel Mode in the web portal relies on a browser plugin and does not work in Google Chrome. If Tunnel Mode does not connect and you are using a compatible browser, you may need to update your FortiClient plugin.

Log out when you are satisfied with the full-access portal.


6. Results – Testing the FortiClient tunnel

Next, use the FortiClient standalone application to test tunnel access for each user. FortiClient connects to the tunnel rather than to a web portal, so only a user whose mapped portal has Tunnel Mode enabled can connect; in this example, that is ckent alone.

Open FortiClient and begin by creating a new SSL VPN tunnel.

Set Remote Gateway to the IP address of the Internet-facing interface on the FortiGate (in the example, 172.20.121.56).

Set Customize port to 10443 and Apply your changes.

Attempt to connect to this new tunnel as the web-only user dprince. Permission should be denied.

Next, attempt to connect to the tunnel as the full-access user ckent. The connection should succeed.

7. Results – Logging and monitoring

Go to Log & Report > Traffic Log > Forward Traffic to view the traffic passing through the SSL VPN policy.
Go to VPN > Monitor > SSL-VPN Monitor to verify the connection type (web or tunnel) and status for each logged-in user.

8. Troubleshooting

If you are having difficulty with this configuration, you can troubleshoot the SSL VPN from the CLI.

Go to System > Dashboard > Status, open the CLI Console, enter the following commands, and then attempt to connect to the tunnel. The debug output is printed to the console as the login and portal mapping are processed.

diagnose debug disable
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug enable

When you are finished, run diagnose debug disable again to turn off debug output.

For further reading, check out Basic SSL VPN configuration in the FortiOS 5.2 Handbook.

Keith Leroux

Technical Writer at Fortinet
Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate certificate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea. Annyeong!


  • Chris

    By default the full-access portal has split tunneling enabled so you would get an error trying to create an SSL VPN policy with a destination address of “all”. You need to either disable split tunneling on the full-access portal, or specify the actual destination address(es) of the “lan” interface using address object(s) or an address group.

    • Keith Leroux

      Thanks Chris, that is correct! I forgot to add this step (presumably I already had split tunneling disabled from a previous configuration).

      Cheers~