SSL VPN using FortiClient for iOS


In this recipe, you will create an SSL VPN that remote users connect to using FortiClient running on iOS.

When a user using an iOS device connects to this SSL VPN, they can access servers and data on the internal network. They can also securely browse the Internet using the FortiGate’s Internet connection.

This example uses FortiClient 5.2.0.028 for iOS. FortiClient can be downloaded from www.forticlient.com.

1. Creating users and a user group

Go to User & Device > User > User Definition.

Add as many local users as required with the User Creation Wizard.

Go to User & Device > User > User Groups.

Create a user group for FortiClient users and add the new user(s) to the group.

 

2. Creating an SSL VPN portal

 

Go to VPN > SSL > Portals.

Edit the web-access portal. This portal supports web mode by default.

Make sure Enable Split Tunneling is not selected, so that all SSL VPN traffic goes through the FortiGate unit.

 

3. Configuring the SSL VPN tunnel

Go to VPN > SSL > Settings and set Listen on Interface(s) to wan1.

Set Listen on Port to 10443 and select Specify custom IP ranges, keeping the default IP Range, SSLVPN_TUNNEL_ADDR1.

 

At the bottom of the page, under Authentication/Portal Mapping, add the FortiClient user group and map it to the web-access portal.

If necessary, map a portal for All Other Users/Groups.

 

4. Adding security policies for access to the Internet and internal network

Go to Policy & Objects > Policy > IPv4. Create a security policy allowing SSL VPN users to access the internal network.

Set Incoming Interface to ssl.root. Set Source Address to all and Source User to the new user group. Set Outgoing Interface to the local network interface so that the remote user can access the internal network.

Set Destination Address to all, enable NAT, and configure any remaining firewall and security options as desired.

 

Add a second security policy allowing SSL VPN users to access the Internet.

For this policy, Incoming Interface is set to ssl.root and Outgoing Interface is set to wan1.
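The same configuration as steps 2 to 4, expressed in the FortiOS 5.2 CLI. This is an added example, not part of the original recipe; it assumes the user group from step 1 is named FortiClient-users and that the local network interface is named internal (both constructed names).

```fortios
# Step 2: web-access portal, web mode on, split tunneling off so all client traffic transits the FortiGate
config vpn ssl web portal
    edit "web-access"
        set web-mode enable
        set split-tunneling disable
    next
end
# Step 3: listen on wan1 port 10443; the default pool SSLVPN_TUNNEL_ADDR1 is kept; map the group to the portal
config vpn ssl settings
    set source-interface "wan1"
    set port 10443
    config authentication-rule
        edit 1
            set groups "FortiClient-users"
            set portal "web-access"
        next
    end
end
# Step 4: policy 1 is ssl.root -> internal LAN, limited to the group; policy 2 is ssl.root -> wan1 (Internet)
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FortiClient-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Once a client has logged in, the CLI command get vpn ssl monitor shows the same session information as VPN > Monitor > SSL-VPN Monitor in step 6.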

 

5. Configuring FortiClient for SSL VPN in iOS

Install FortiClient on the iOS device. 

Add a new VPN Gateway.

Set Host Name to the FortiGate’s IP (in the example, 172.20.120.236), set Host Port to 10443, and set User Name to match the new user account.

 

6. Results

Select the VPN in FortiClient. Enter the Password and select Login.

 

You will be able to connect to the VPN.

 

On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor to see that the user has connected.

 

For further reading, check out FortiClient in the FortiOS 5.2 Handbook.

Victoria Martin


Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Unlike other versions of FortiClient, FortiClient for iOS only supports web mode.
  • Jose Marquez

    We can connect through VPN, but when the VPN is connected we cannot browse the Internet anymore. In Windows there is no problem… but in iOS the Internet is blocked. Any solution?

  • Alexander Tatevyan

    Hi. Under the asterisk, you state that FortiClient supports only Web Mode. Really? Then why would we ever need a client on iOS, if it can’t make use of tunnel mode??? Can you shed some more light on this topic? Also, what is the reason that FortiClient is so limited on iOS? Besides, I would highly recommend rewriting this recipe, and adding a paragraph describing the FortiClient for iOS behavior. Just putting an asterisk there is not the best decision (one might even miss it while reading, and then struggle with the Permission Denied error he gets on the iOS devices).

  • me mine

    Any chance this could be updated for Fortios v5.6?

    • Victoria Martin

      In 5.6, FortiClient for iOS connects using tunnel mode, the same as FortiClient on other platforms. So you can use this recipe to set up your VPN: http://cookbook.fortinet.com/ssl-vpn-using-web-tunnel-mode-56/

      • me mine

        Thanks Victoria. On the link you provided it doesn’t seem to provide an option like the above instructions step #4 has regarding specifically allowing connection of a VPN to the internet only. I want to configure it in a way that allows VPN connection to the internet only.

        • Victoria Martin

          The second policy created in step 5 of the recipe I linked allows VPN connections access to the Internet. If you don’t want to allow VPN access to the internal network, all you need to do is not create the first policy shown in that step.

    • Alexander Tatevyan

      What about the latest 5.4.4? Still no tunnel mode? What is so different between 5.6 and 5.4.4 regarding the FortiClient operation? Generally, you state that it is the client’s limitation, not the firewall itself, but now you say that in 5.6 the same client works in tunnel mode, too?! That’s quite controversial.

      • Victoria Martin

        FortiClient for iOS 5.4 only uses tunnel mode. Previously, it could only connect using web mode.

  • MJ

    Hello the DNS in FortiClient for iOS does not work. Why ?

  • Xavier

    Tunnel Mode? Can you use tunnel mode with Forticlient for IOS?

    • Victoria Martin

      Hi Xavier,

      Yes, tunnel mode is the mode used by FortiClient, or any other VPN client, to connect to the FortiGate.

      • Xavier

        I think tunnel mode is supported for Windows and MacOs but not for iOS device, if not changed.

        In the “FortiClient (iOS) v5.2.0 Release Notes” it states “FortiClient (iOS) v5.2.0 supports SSL VPN web portal configuration. It does not support SSL VPN tunnel mode configuration.”

        • Victoria Martin

          Hi Xavier,

          We are going to review this recipe to determine how FortiClient is connecting to the tunnel and make sure all the information is accurate. In the meantime, I would suggest using the full-access portal, rather than tunnel-access, for FortiClient for iOS.

        • Victoria Martin

          Hello again Xavier,

          After testing the recipe, we have updated it to note that FortiClient for iOS requires web mode to work. Thank you for letting us know about this issue.

  • Ian

    Hi

    A bit confused, as on page 8 of the document “FortiClient (iOS) v5.2.0 Release Notes” it states “FortiClient (iOS) v5.2.0 supports SSL VPN web portal configuration. It does not support SSL VPN tunnel mode configuration.”

    • Victoria Martin

      Hello Ian,

      Sorry for the slow response. We have looked into the matter and updated the recipe to show that FortiClient for iOS requires web mode. Thank you for letting us know about this issue.