SSL VPN using FortiClient (Video)

In this video, you will create an SSL VPN that remote users can connect to using FortiClient. Using this VPN, users will be able to access servers and data on the internal network, as well as securely browse the Internet using the FortiGate’s Internet connection.

In this video, we’ll be using FortiClient for iOS.

The recipe for this video is available here.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
  • Greg

    They say to change the port so as not to conflict with the admin portal; wouldn’t it be better practice to change the admin portal so the VPN is using the standard port? Or is it just preference? Personally I would rather not have to tell my users any more steps than necessary.

    • Keith Leroux

      Hi Greg,

      I think it depends. In cases where you have external admin management, you’d need the admin port to be on 443 (or, as I’ve read, in cases where you have a web server behind the FortiGate). But in cases where you have ‘road warriors’, and 10443 might be blocked in hotels/airports, then you might want the SSL VPN port to be 443. I don’t think it’s a matter of preference so much as it’s a matter of accessibility.

  • Keith Leroux

    Hello Nishit,
    When you disable “Split tunneling” (as in the video above), all traffic goes through the FortiGate. So, when you connect to the VPN and go to google.com, you are using the work ISP. If you enable split tunneling, then only traffic destined for the ‘work’ network goes through the tunnel. All other traffic (i.e., google.com) goes through your ISP.

    I don’t know that you necessarily need a policy from ssl interface to LAN, but you do need one for ssl interface to wan. Either way, yes NAT must be enabled.

    • Nishit Patel

      So if I am connected to the VPN and “split tunneling” is disabled and if my home ISP goes down, would I still be connected to the internet through work ISP or it also goes down? Also would I be getting the same bandwidth as of work ISP?

      • Keith Leroux

        Hello Nishit,
        If your home ISP goes down, you will lose connection to the tunnel. Also, I believe your bandwidth is limited by both ISPs (whichever has less).

        • Nishit Patel

          Hi Keith,
          Is there a way to check the throughput when connected via VPN? How many max users can connect to the VPN at once? For e.g. if 100 users are connected to the VPN how to check the performance? Will it impact if 50 users connect to the VPN via same WAN IP?

  • Nishit Patel

    After setting SSL VPN as per above, once I connect to it from home and go to google.com would I be using my home ISP or work? NAT must be enabled for policy for ssl interface – local LAN?