SSL VPN using web and tunnel mode


In this example, you will allow remote users to access the corporate network using an SSL VPN, connecting either by web mode using a web browser or tunnel mode using FortiClient. This allows users to access network resources, such as the Internal Segmentation Firewall (ISFW) used in this example.

For users connecting via tunnel mode, traffic to the Internet will also flow through the FortiGate, to apply security scanning to this traffic.

During the connecting phase, the FortiGate will also verify that the remote user’s antivirus software is installed and up-to-date.

1. Creating a user and a user group

Go to User & Device > User Definition. Create a local user account for an SSL VPN user.


Go to User & Device > User Groups. Create a user group for SSL VPN users and add the new user account.

2. Creating an SSL VPN portal for remote users

Go to VPN > SSL-VPN Portals. Edit the full-access portal. The full-access portal allows the use of tunnel mode and/or web mode.

Make sure Enable Split Tunneling is not selected, so that all Internet traffic will go through the FortiGate.

Set Source IP Pools to use the default IP range SSLVPN_TUNNEL_ADDR1.

Under Predefined Bookmarks, select Create New to add a new bookmark. Bookmarks are used as links to internal network resources.

In the example, a bookmark is added to connect to a FortiGate being used as an ISFW, which can be accessed at https://192.168.200.111.

3. Configuring the SSL VPN tunnel

Go to VPN > SSL-VPN Settings and set Listen on Interface(s) to wan1.

To avoid port conflicts, set Listen on Port to 10443. Set Restrict Access to Allow access from any host.

In the example, the Fortinet_Factory certificate is used as the Server Certificate. It is, however, recommended that you purchase a certificate for your domain and upload it for use with an SSL VPN.

Under Tunnel Mode Client Settings, set IP Ranges to use the default IP range SSLVPN_TUNNEL_ADDR1.

Under Authentication/Portal Mapping, add the SSL VPN user group and map it to the full-access portal.

If necessary, map a portal for All Other Users/Groups.

4. Adding an address for the local network

Go to Policy & Objects > Addresses.

Add the address for the local network. Set Type to IP/Netmask, Subnet/IP Range to the local subnet, and Interface to an internal port.

5. Adding security policies for access to the internal network and Internet

Go to Policy & Objects > IPv4 Policy. Add a security policy allowing access to the internal network through the VPN tunnel interface. Set a policy name that identifies what this policy is used for (in the example, SSL-VPN-internal).

Set Incoming Interface to ssl.root and Outgoing Interface to the local network interface. Select Source and set Address to all and Source User to the SSL-VPN user group. Set Destination Address to the local network address, Service to ALL, and enable NAT.

Configure any remaining firewall and security options as desired.

Add a second security policy allowing SSL VPN access to the Internet.

For this policy, Incoming Interface is set to ssl.root, Outgoing Interface is set to wan1, and Destination is set to all.

6. Setting the FortiGate unit to verify users have current AntiVirus software

Go to the Dashboard. In the CLI Console widget, enter the following commands to enable the host to check for compliant AntiVirus software on the remote user’s computer:

config vpn ssl web portal
  edit full-access
    set host-check av
  end


7. Results

The steps for connecting to the SSL VPN differ depending on whether you are using a web browser or FortiClient.

Web browsers:

Using a supported Internet browser, connect to the SSL VPN web portal using the remote gateway configured in the SSL VPN settings (in the example, 172.20.121.46:10443).

Use the SSL VPN user’s credentials to authenticate.

The web portal appears.

In this example, selecting the ISFW Bookmark allows you to connect to the ISFW FortiGate.
To connect to the Internet, select Quick Connection. Select HTTP/HTTPS, then enter the URL and select Launch.
The website will launch.
You can also use the Quick Connection for other allowed types of traffic, such as SSH.

An SSH connection will open in your browser, connecting to the requested Host.

Java is required for an SSH connection.

On the FortiGate, go to Monitor > SSL-VPN Monitor. The user is connected to the VPN.

FortiClient:

If you have not done so already, download FortiClient from www.forticlient.com.

Open the FortiClient Console and go to Remote Access. Add a new connection.

Set VPN Type to SSL VPN, set Remote Gateway to the IP of the listening FortiGate interface (in the example, 172.20.121.46). Select Customize Port and set it to 10443.

Select Add.

Connect to the VPN using the SSL VPN user’s credentials.
You are able to connect to the VPN tunnel.
On the FortiGate, go to Monitor > SSL-VPN Monitor. The user is connected to the VPN.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

Note on split tunneling: If you do select Enable Split Tunneling, traffic not intended for the corporate network will not flow through the FortiGate or be subject to the corporate security profiles. You will also have to set your corporate network’s address as the Routing Address.
  • Limbad Sagar

    Hi Victoria Martin,

    I would like to thank you for this document. I’ve configured VPN tunnel mode with split tunneling disabled and created an SSL to WAN interface policy, and it is working very well, but my query is: when a user logs in with the FortiClient application they can easily use the Internet, but is it possible for FortiClient users, when they use Internet services, to get the authentication page again in the browser? I hope you understand our concept.

    Thank you.

    Limbad Sagar

  • nguyễn duy thiện

    Hi all,
    I reconfigured the SSL VPN, but when I connect with FortiClient it always shows an error like this. Can you help me fix it, or does the Fortinet VM64 have a limit of its own? https://uploads.disquscdn.com/images/b7844133c0f6bca4174ef6c6c8475e1b120885deeaa4999b34aabe342611405b.jpg
    Thanks and regards

  • nguyễn duy thiện

    I configured the SSL VPN, but when I connect with FortiClient it always shows an error like this. Can you help me fix it?
    Thanks and regards https://uploads.disquscdn.com/images/541fca0168170462ac77ea0352b0bf16f1a2ba6ddb25670b0500f26019eea0c9.jpg

  • harold

    Hey Victoria,
    Why would we be able to connect to the workplace with the FortiGate VPN, but only RDP to some PCs/servers? We are able to connect via the VPN, but then when trying to remote to, say, my computer at my desk, I receive an error saying I cannot remote to it…blah..contact admin…, but another PC RDPs just fine. This server I can RDP to just fine…this other server, error message. (I have checked the remote settings on the devices, and even setting them to “let anybody RDP to this device” still doesn’t work.) There doesn’t seem to be any why or wherefore to this. Do you have a clue? Any help/advice/comment is appreciated. Thanks, Harold, Alachua County Library District, Gainesville, FL.

  • Lakshmi Narasimhan

    Is it possible to have bidirectional communication with the FortiGate SSL VPN client, i.e., from server to client and from client to server? The FortiGate firewall allows access from the client machine to the server network.

  • Michael

    I followed this setup to successfully set up LAN access via SSL VPN on a FortiGate 51E with 5.4.3. However, I struggle to create the SSL VPN to WAN policy. I just can’t select any of my WAN interfaces in the outgoing interface box. The moment I select SSL-VPN as the incoming interface, the WAN interfaces disappear. Screenshot attached.

    I’m using WAN load balancing across both WAN interfaces; however, at the moment only one of them is actually functional. Is this the reason for this behaviour?

    https://uploads.disquscdn.com/images/8e73947738f7026db03805052b1929eccc763ee8b964130c6b04a721fff6a967.png

    https://uploads.disquscdn.com/images/6010683bfb83f09e1b4249d40f7d87ba6618346d9e61a10a2ee018571e5efffe.png

    • Michael

      Well the answer is a few posts further down. Using wan load balancing, you can’t create a policy SSL-VPN to WAN any more.

      I can’t see why though. I’ll see if I can get some answers out of fortinet support.

      • jeffrey

        I contacted support. They said it’s a bug, with ID 396236, and to upgrade from 5.4.x to 5.6 to resolve this issue. I just tested and it’s working now for me.

  • Piero Lasaracina

    Hi all,

    I use FortiClient to connect to my company’s VPN, but now I need to use the API to automatically open a VPN connection inside a VB.NET program.

    Does anyone have an example?

    Thank you

    Peter

  • Tearlach

    I see there are DNS settings — I assume this means you can avoid split DNS. Is this correct?

  • Alberto Mena Tinoco

    How can I route traffic from the SSL VPN to the IPSEC VPN.

    I have 2 IPSEC VPNs configured with the 192.168.2.0/24 and 192.168.3.0/24 networks, and the configured address range for the SSL VPN is 192.168.100.0/24.

    How can I access the remote IPSEC VPN sites through SSL VPN?

  • Jesus Garcia

    Can we modify what is shown in the Quick Connection tool web page?

    I mean can we modify the options shown in the following image?

    https://uploads.disquscdn.com/images/c05749969a7bd520c7cffd872efd12427c628d5559dafd824869182f04986ca1.png

    Regards,

    Jesus Garcia

    • I am very curious about the answers to these questions.

    • Keith Leroux

      Hi Jesus Garcia,

      I don’t know of any way to modify the Quick Connection widget options, but as a workaround you might opt to disable the Quick Connection widget (in the ‘SSL-VPN Portals’ section of the admin GUI) and use Personal Bookmarks instead.

      Cheers!

      • Jesus Garcia

        Thanks Keith

  • Nishit Patel

    I upgraded from 5.2.10 to 5.4.4. We have SSL-VPN configured in web mode and tunnel mode. We use Firefox to connect to the work network. But when we log in, we don’t see tunnel mode and also don’t see the Connect button?

  • Whitney Lo

    How can I add security policies for access to the Internet if I am using WAN load balancing? I cannot find wan1, wan2, or wan load balance in the outgoing interface.

  • Michael P. Gray

    I must be missing something. I followed this recipe with minor changes for IP information. I can authenticate when making the VPN connection. I can check the logs and see the connected client. The client gets a proper address in the subnet that I identified, and gets the DNS entries that I specified but no gateway. The client cannot access anything in the internal LAN. What am I missing?

    • Keith Leroux

      Hi Michael, a shot in the dark, but did you add the user group to the sslvpn->internal policy?

      • Michael P. Gray

        Yes. My policy looks identical to that of step 5 above with the exception of the icon for the LAN on the outgoing interface. It has the two green intersecting arrowed lines.

        • Michael P. Gray

          I (thanks to the Fortinet support) found the issue to be the machine I was using to test. I grabbed another laptop and it worked. I reformatted the original laptop and it now works on that as well.

          • Keith Leroux

            Fantastic! Thanks for following up with us.

  • iacopo

    Hello.
    Is port 10443 a must if you want to change from the default port (443)? I would like to change to a different port than 443 or 10443, but it seems it’s not working. Am I missing something?

    Thanks!

    • Victoria Martin

      Hello,

      Port 10443 is an unassigned port, which is why it was used for the VPN. Any other unassigned port can also be used without causing conflict.

      If you are having trouble using a different port, double-check that you are using the correct port number in your URL (if you are using web mode) or FortiClient (for tunnel mode). If after checking this you still have trouble, I would recommend contacting Fortinet Support.

  • Bob Sauvage

    If the subnet on the client side is the same as the one on the enterprise network, what should I do?

  • Henry

    Hello, I have configured WAN load balancing, and I can’t select wan-load-balancing.

    • Henry

      Hello

      If I want to select wan-load-balancing in a policy, what should I do?

      Thanks and regards.

      • paradoxxxical

        I’m not sure why Henry’s question was ignored, but it’s valid, as the SSL-VPN-Internet policy in step 5 cannot be created with a WAN LLB setup. It allows you to select the specific LAN for SSL-VPN-Internal, but not for the Internet. I created a route instead, but I am experiencing similar issues to Michael P. Gray.

        • Victoria Martin

          For this issue, I would recommend contacting Fortinet Support.

  • Limbad Sagar

    Dear Sir/Madam,
    I have configured SSL VPN using FortiClient, and it’s working well. Another function, MAC address binding, is possible in our FortiGate firewall, but our issue is static IP binding, meaning that when a user connects with FortiClient, the FortiGate firewall also assigns one local IP (SSL_VPN_Range). So please inform me: is static IP binding on the FortiClient side possible in our firewall?

  • Landy.Wang

    Very simple to understand. Thank you very much, I love FortiGate.

  • Limbad Sagar

    Dear Mam,

    We are using a Fortinet 100D and have 2 Internet connections, and we use port forwarding on our Fortinet firewall. Both Internet connections have port forwarding, but sometimes an Internet connection goes down and at that time I lose the connection. Any other idea for a failover route with port forwarding?

  • Limbad Sagar

    Thank you, Mam,
    but Mam, I have a VLAN configuration in my Fortinet 100D firewall; is that possible with SSL VPN on my Fortinet 100D firewall?

    • Victoria Martin

      Hello Limbad,

      I’m not quite sure I understand your question. This recipe was written using a FortiGate 100D, so its setup should be similar to yours.

  • Ngô Đức Trọng

    How about enabling UTF-8 in web access?

    • Adam Bristow

      Hello,

      There was a way to enable UTF-8, however this has since been replaced with specific language options. This is configured in the CLI. Open the CLI Console and enter the following:

      config vpn ssl web portal
      edit
      set custom-lang ?

      This will show you a list of available character sets/languages to choose from, including:

      – GB2312: Simplified Chinese
      – big5: Traditional Chinese
      – en: English (Caribbean)
      – euc-kr: Korean, using the Extended Unix Code (EUC)
      – fr: French
      – pg: Portuguese
      – sp: Spanish
      – x-sjis: Japanese (using the Shift Japanese Industrial Standards (SJIS))

      I hope this helps!

      Adam

  • David

    I think we don’t have to enable NAT on the policy from ssl.root to LAN.

    • Adam Bristow

      Hello David,

      Theoretically it is not necessary to enable NAT for this specific policy; however, it’s better to enable NAT in order to avoid similar subnets from connecting to one another. This is important if you have specific policies running in your subnet.

      I hope this helps!

      Regards,

      Adam

  • Santosh Sharma

    There should be an option to download it as a PDF.

    • Victoria Martin

      Hello Santosh,

      We plan to add PDFs for each recipe soon.

      • Santosh Sharma

        Hi, thanks Martin for your revert.

        There is no document on inter-VDOM routing. Please add a document on this as well.

      • Thanks Victoria!