SSL VPN for remote users


This example provides remote users with access to the corporate network using SSL VPN and connection to the Internet through the corporate FortiGate unit. During the connecting phase, the FortiGate unit will also verify that the remote user’s antivirus software is installed and current.


1. Creating an SSL VPN portal for remote users

Go to VPN > SSL > Portals.

Edit the full-access portal. The full-access portal allows the use of tunnel mode and/or web mode. In this scenario we are using both modes.

Leave Enable Split Tunneling disabled, so that all Internet traffic goes through the FortiGate unit and is subject to the corporate security profiles.

If you do enable Split Tunneling, traffic not intended for the corporate network does not traverse the tunnel and is therefore not subject to the corporate security profiles.

In this case, you are prompted to choose a Routing Address. The Routing Address is the address that your corporate network is using (in this case, Local LAN).

In short, traffic intended for the Routing Address will not be split from the tunnel.


Select Create New in the Predefined Bookmarks area to add a bookmark for a remote desktop link/connection.

Bookmarks are used as links to internal network resources.

You must include a username and password. You will create this user in the next step, so be sure to use the same credentials.

2. Creating a user and a user group

Go to User & Device > User > User Definition.

Add a remote user with the User Creation Wizard (in the example, twhite, with the same credentials used for the predefined bookmark).

Go to User & Device > User > User Groups.

Add the user twhite to a user group for SSL VPN connections.

3. Adding an address for the local network

Go to Policy & Objects > Objects > Addresses.

Add the address for the local network. Set Subnet / IP Range to the local subnet and set Interface to an internal port.

4. Configuring the SSL VPN tunnel

Go to VPN > SSL > Settings and set Listen on Interface(s) to wan1.

Set Listen on Port to 10443 and select Specify custom IP ranges.

Under Authentication/Portal Mapping, add the SSL VPN user group.

5. Adding security policies for access to the Internet and internal network

Go to Policy & Objects > Policy > IPv4.

Add a security policy allowing access to the internal network through the ssl.root VPN tunnel interface.

Set Incoming Interface to ssl.root.

Set Source Address to all and select the Source User group you created in step 2.

Set Outgoing Interface to the local network interface so that the remote user can access the internal network.

Set Destination Address to all, enable NAT, and configure any remaining firewall and security options as desired.

Add a second security policy allowing SSL VPN access to the Internet.

For this policy, Incoming Interface is set to ssl.root and Outgoing Interface is set to wan1.

6. Setting the FortiGate unit to verify users have current AntiVirus software

Go to System > Status > Dashboard.

In the CLI Console widget, enter the following commands to enable the host check for compliant AntiVirus software on the remote user's computer.

config vpn ssl web portal
  edit full-access
    set host-check av
  next
end

7. Results

Log into the portal using the credentials you created in step 2.

The FortiGate unit performs the host check.

After the check is complete, the portal appears.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users. The Web Application description indicates that the user is using web mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

In the Tunnel Mode widget, select Connect to enable the tunnel.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.

The tunnel description indicates that the user is using tunnel mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

Go to Log & Report > Traffic Log > Forward Traffic.

Internet access occurs simultaneously through the FortiGate unit.

Select an entry to view more information.

For further reading, check out Basic SSL VPN configuration in the FortiOS 5.2 Handbook.

Keith Leroux

Technical Writer at Fortinet
Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate certificate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea. Annyeong!
You may need to install the FortiClient application using the available download link.
  • Dan Cooper

    Very useful. Is it possible to choose which SSL VPN portal I connect to? I have 2 SSL VPN portals which my user has access to, but each one has different access to different VLANs. How do I choose which one I connect to through the FortiClient?

    • Keith Leroux

      Hi Dan, as I understand it, if you’re using realms to control user group access, you simply specify the realm URL after the VPN Gateway IP in FortiClient.

      • Dan Cooper

        Thanks, the Realms feature was not enabled. Did that, and it works. Thanks!

  • William White

    I have this setup and it works fine until I enable endpoint compliance on the ssl.root interface. At that point all traffic is blocked. I am only planning to use the FortiClient and I would like to enforce that. Is this possible?

  • Thanks, works great. For those who are getting DNS probe failed on the client end, try manually setting DNS servers in “VPN > SSL-VPN Settings”. To test, try using Google’s, and then re-connect at the client end; hopefully all works as intended and you can set whatever your real DNS is.

    Also, if you are getting an SSL error warning in the Windows 10 client due to the default FortiGate cert, enter the https:// VPN URL with “?ice=1” at the end to disable the checks (until you get a real cert).

  • Prasad

    I am using a FortiGate 50B with 4.3.4. I am configuring SSL-VPN for my remote user. After configuration the remote user is able to connect via FortiClient. Surprisingly the remote user is able to connect to the Internet but not able to access resources in the LAN.
    I already have policies and a route in place.

    • Keith Leroux

      Hi Prasad,

      Have you added the SSL VPN user group to the internal access policy?

  • KingPusha

    Heyo, how can I add a default AD domain on the RDP login window? It's a little bit arduous to explain to all my users what a Windows domain is…

  • Ziad Zahran

    How can I view which VPN user accessed my network using the FortiClient app?
    Is there any option in the log to view the username?

    • Victoria Martin

      The VPN Monitor shows the username and which mode was used to connect (for FortiClient, it would be Tunnel Mode).

  • Chris Mahoney

    Also you might want to add that under System > Settings you need to change the listening HTTPS port from 443 to 4433 or 4444 or something other than 443. This will prevent the conflict of the 443 traffic going to the management login.

    • Adam Bristow

      Hello Chris,

      Thank you for your comment! This can also be remedied by changing the Listen on Port field to 10443 under VPN > SSL > Settings (in step 4). I will make the change immediately.

      If you’d like, check out the more recent 5.4 version of this recipe here:

      Best regards,


  • Juliet Bell

    Using a VPN to access a work computer from home is secure and good, but a VPN is costly. Instead, I would recommend the use of an on-premise remote support solution such as R-HUB remote support servers. It works from behind your firewall and is only a one-time cost.

  • MatthiasB

    Is it possible to use an alternate IP on wan1 interface?

    • Victoria Martin

      Hi Matthias,

      If you mean use a different IP than what is in the recipe, then yes, you should be using the real IP of your wan1 interface. The IPs in our recipes are just used as examples and are almost always IP addresses that are restricted for private networks (172.20.x.x, 192.168.x.x, and 10.10.x.x).

      Please let me know if you meant something different.

  • Toshi Esumi

    Since the 5.2 handbook contained wrong info, especially for the policies, I opened TT#1526539 and was directed to this page. It works, but the tech confirmed NAT was never needed on the policy.

    • Keith Leroux

      Hello Toshi,

      I plan to update the 5.2 handbook chapter as soon as possible. Thank you for your comment!

  • PetrM

    Hi Keith,
    Thank you for the recipe.
    Is it possible to limit access to a specific SSL VPN portal from specific hosts?

  • Dan Farrell

    This does not include the option for “routing address” and the handbook does not describe it. This is a feature that has been added without definition, description, or example. Please add something about this.

    • Keith Leroux

      Thanks Dan! I’ve updated the recipe to describe Routing Address. The SSL VPN Handbook chapter will be updated shortly.