SSL VPN using FortiClient for iOS

In this recipe, you will create an SSL VPN that remote users connect to using FortiClient running on iOS.

When a user using an iOS device connects to this SSL VPN, they can access servers and data on the internal network. They can also securely browse the Internet using the FortiGate’s Internet connection.

This example uses FortiClient 5.2.0.028 for iOS. FortiClient can be downloaded from www.forticlient.com.

1. Creating users and a user group

Go to User & Device > User > User Definition.

Add as many local users as required with the User Creation Wizard.

Go to User & Device > User > User Groups.

Create a user group for FortiClient users and add the new user(s) to the group.

 

2. Creating an SSL VPN portal

 

Go to VPN > SSL > Portals.

Edit the web-access portal. This portal supports web mode by default.

Enable Split Tunneling is not enabled so that all SSL VPN traffic will go through the FortiGate unit.

 

3. Configuring the SSL VPN tunnel

Go to VPN > SSL > Settings and set Listen on Interface(s) to wan1.

Set Listen on Port to 10443 and Specify custom IP ranges. Use the default IP Range, SSLVPN_TUNNEL_ADDR1.

 

At the bottom of the page, under Authentication/Portal Mapping, add the FortiClient user group and map it to the web-access portal.

If necessary, map a portal for All Other Users/Groups.

 

4. Adding security policies for access to the Internet and internal network

Go to Policy & Objects > Policy > IPv4. Create a security policy allowing SSL VPN user to access the internal network.

Set Incoming Interface to ssl.root. Set Source Address to all and Source User to the new user group. Set Outgoing Interface to the local network interface so that the remote user can access the internal network.

Set Destination Address to all, enable NAT, and configure any remaining firewall and security options as desired.

 

Add a second security policy allowing SSL VPN users to access the Internet.

For this policy, Incoming Interface is set to ssl.root and Outgoing Interface is set to wan1.

 

5. Configuring FortiClient for SSL VPN in iOS

Install FortiClient on the iOS device. 

Add a new VPN Gateway.

Set Host Name to the FortiGate’s IP (in the example, 172.20.120.236), set Host Port to 10443, and set User Name to match the new user account.

 

6. Results

Select the VPN in FortiClient. Enter the Password and select Login.

 

You will be able to connect to the VPN.

 

On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor to see that the user has connected.

 

For further reading, check out FortiClient in the FortiOS 5.2 Handbook.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

Share this recipe:

Facebooktwittergoogle_pluslinkedin
Unlike other versions of FortiClient, FortiClient for iOS only supports web mode.

Leave a comment:

Before commenting, please read the site's comment policy. Only questions related to documentation will be answered. For other concerns, please contact Fortinet support.

  • Ian

    Hi

    A bit confused as on page 8 of the document ” FortiClient (iOS) v5.2.0 Release Notes” it states “FortiClient (iOS) v5.2.0 supports SSL VPN web portal configuration. It does not support SSL VPN tunnel mode configuration.”

    • Victoria Martin

      Hello Ian,

      Sorry for the slow response. We have looked into the matter and updated the recipe to show that FortiClient for iOS requires web mode. Thank you for letting us know about this issue.

  • Xavier

    Tunnel Mode? Can you use tunnel mode with Forticlient for IOS?

    • Victoria Martin

      Hi Xavier,

      Yes, tunnel mode is the mode used by FortiClient, or any other VPN client, to connect to the FortiGate.

      • Xavier

        I think tunnel mode is supported for Windows and MacOs but not for iOS device, if not changed.

        In the ” FortiClient (iOS) v5.2.0 Release Notes” it states “FortiClient (iOS) v5.2.0 supports SSL VPN web portal configuration. It does not support SSL VPN tunnel mode configuration.”

        • Victoria Martin

          Hi Xavier,

          We are going to review this recipe to determine how FortiClient is connecting to the tunnel and make sure all the information is accurate. For the meanwhile, I would suggesting using the full-access portal, rather than tunnel-access, for FortiClient for iOS.

        • Victoria Martin

          Hello again Xavier,

          After testing the recipe, we have updated it to note that FortiClient for iOS requires web mode to work. Thank you for letting us know about this issue.

  • MJ

    Hello the DNS in FortiClient for iOS does not work. Why ?