SSL VPN for remote users


This example provides remote users with access to the corporate network using SSL VPN and connection to the Internet through the corporate FortiGate unit. During the connecting phase, the FortiGate unit will also verify that the remote user’s antivirus software is installed and current.


1. Creating an SSL VPN portal for remote users

Go to VPN > SSL > Portals.

Edit the full-access portal. The full-access portal allows the use of tunnel mode and/or web mode. In this scenario we are using both modes.

Leave Enable Split Tunneling disabled, so that all Internet traffic goes through the FortiGate unit and is subject to the corporate security profiles.

If you do enable Split Tunneling, traffic not intended for the corporate network does not traverse the tunnel, and consequently is not subject to the corporate security profiles.

In this case, you are prompted to choose a Routing Address. The Routing Address is the address that your corporate network is using (in this case, Local LAN).

In short, only traffic destined for the Routing Address is sent through the tunnel; everything else is split from it.


Select Create New in the Predefined Bookmarks area to add a bookmark for a remote desktop link/connection.

Bookmarks are used as links to internal network resources.

You must include a username and password. You will create this user in the next step, so be sure to use the same credentials.

2. Creating a user and a user group

Go to User & Device > User > User Definition.

Add a remote user with the User Creation Wizard (in the example, twhite, with the same credentials used for the predefined bookmark).

Go to User & Device > User > User Groups.

Add the user twhite to a user group for SSL VPN connections.

3. Adding an address for the local network

Go to Policy & Objects > Objects > Addresses.

Add the address for the local network. Set Subnet / IP Range to the local subnet and set Interface to an internal port.

4. Configuring the SSL VPN tunnel

Go to VPN > SSL > Settings and set Listen on Interface(s) to wan1.

Set Listen on Port to 10443 and select Specify custom IP ranges.

Under Authentication/Portal Mapping, add the SSL VPN user group.

5. Adding security policies for access to the Internet and internal network

Go to Policy & Objects > Policy > IPv4.

Add a security policy allowing access to the internal network through the ssl.root VPN tunnel interface.

Set Incoming Interface to ssl.root.

Set Source Address to all and select the Source User group you created in step 2.

Set Outgoing Interface to the local network interface so that the remote user can access the internal network.

Set Destination Address to all, enable NAT, and configure any remaining firewall and security options as desired.

Add a second security policy allowing SSL VPN access to the Internet.

For this policy, Incoming Interface is set to ssl.root and Outgoing Interface is set to wan1.

6. Setting the FortiGate unit to verify users have current AntiVirus software

Go to System > Status > Dashboard.

In the CLI Console widget, enter the following commands to enable the host check, which verifies that compliant AntiVirus software is running on the remote user's computer before the portal is shown.

config vpn ssl web portal
  edit full-access
    set host-check av
  next
end

7. Results

Log into the portal using the credentials you created in step 2.

The FortiGate unit performs the host check. After the check is complete, the portal appears.

Web mode: select the Remote Desktop bookmark to begin an RDP session.

Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users. The Web Application description indicates that the user is using web mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

Tunnel mode: in the Tunnel Mode widget, select Connect to enable the tunnel. You may need to install the FortiClient application using the available download link. Then select the Remote Desktop bookmark to begin an RDP session.

Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users. The tunnel description indicates that the user is using tunnel mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry. Internet access occurs simultaneously through the FortiGate unit; select an entry to view more information.

For further reading, check out Basic SSL VPN configuration in the FortiOS 5.2 Handbook.

Keith Leroux

Technical Writer at Fortinet
Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate certificate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea. Annyeong!
  • Chris Mahoney

    Also, you might want to add that under System > Settings you need to change the listening HTTPS port from 443 to 4433 or 4444 or something other than 443. This will prevent the conflict of the 443 traffic going to the management login.

    • Adam Bristow

      Hello Chris,

      Thank you for your comment! This can also be remedied by changing the Listen on Port field to 10443 under VPN > SSL > Settings (in step 4). I will make the change immediately.

      If you’d like, check out the more recent 5.4 version of this recipe here:
      http://cookbook.fortinet.com/ssl-vpn-using-web-and-tunnel-mode-54/

      Best regards,

      Adam

  • Juliet Bell

    Using a VPN to access a work computer from home is secure and good, but a VPN is costly. Instead, I would recommend the use of an on-premise remote support solution such as R-HUB remote support servers. It works from behind your firewall and is only a one-time cost.

  • MatthiasB

    Is it possible to use an alternate IP on the wan1 interface?

    • Victoria Martin

      Hi Matthias,

      If you mean use a different IP than what is in the recipe, then yes, you should be using the real IP of your wan1 interface. The IPs in our recipes are just used as examples and are almost always IP addresses that are restricted for private networks (172.20.x.x, 192.168.x.x, and 10.10.x.x).

      Please let me know if you meant something different.

  • Toshi Esumi

    Since the 5.2 handbook contained wrong info, especially for the policies, I opened TT#1526539 and was directed to this page. It works, but the tech confirmed NAT was never needed on the policy.

    • Keith Leroux

      Hello Toshi,

      I plan to update the 5.2 handbook chapter as soon as possible. Thank you for your comment!

  • PetrM

    Hi Keith,
    Thank you for the recipe.
    Is it possible to limit access to a specific SSL VPN portal from specific hosts?

  • Dan Farrell

    This does not include the option for “routing address” and the handbook does not describe it. This is a feature that has been added without definition, description, or example. Please add something about this.

    • Keith Leroux

      Thanks Dan! I’ve updated the recipe to describe Routing Address. The SSL VPN Handbook chapter will be updated shortly.

      Cheers~