SSL VPN for remote users


This example provides remote users with access to the corporate network using SSL VPN and connection to the Internet through the corporate FortiGate unit. During the connecting phase, the FortiGate unit will also verify that the remote user’s antivirus software is installed and current.


1. Creating an SSL VPN portal for remote users

Go to VPN > SSL > Portals.

Edit the full-access portal. The full-access portal allows the use of tunnel mode and/or web mode. In this scenario we are using both modes.

Leave Enable Split Tunneling disabled, so that all Internet traffic goes through the FortiGate unit and is subject to the corporate security profiles.

If you do Enable Split Tunneling, traffic not intended for the corporate network does not traverse the tunnel, and consequently is not subject to the corporate security profiles.

In this case, you are prompted to choose a Routing Address. The Routing Address is the address that your corporate network is using (in this case, Local LAN).

In short, traffic intended for the Routing Address will not be split from the tunnel.


Select Create New in the Predefined Bookmarks area to add a bookmark for a remote desktop link/connection.

Bookmarks are used as links to internal network resources.

You must include a username and password. You will create this user in the next step, so be sure to use the same credentials.

2. Creating a user and a user group

Go to User & Device > User > User Definition.

Add a remote user with the User Creation Wizard (in the example, twhite, with the same credentials used for the predefined bookmark).

Go to User & Device > User > User Groups.

Add the user twhite to a user group for SSL VPN connections.

3. Adding an address for the local network

Go to Policy & Objects > Objects > Addresses.

Add the address for the local network. Set Subnet / IP Range to the local subnet and set Interface to an internal port.

4. Configuring the SSL VPN tunnel

Go to VPN > SSL > Settings and set Listen on Interface(s) to wan1.

Set Listen on Port to 10443 and select Specify custom IP ranges.

Under Authentication/Portal Mapping, add the SSL VPN user group.

5. Adding security policies for access to the Internet and internal network

Go to Policy & Objects > Policy > IPv4.

Add a security policy allowing access to the internal network through the ssl.root VPN tunnel interface.

Set Incoming Interface to ssl.root.

Set Source Address to all and select the Source User group you created in step 2.

Set Outgoing Interface to the local network interface so that the remote user can access the internal network.

Set Destination Address to all, enable NAT, and configure any remaining firewall and security options as desired.

Add a second security policy allowing SSL VPN access to the Internet.

For this policy, Incoming Interface is set to ssl.root and Outgoing Interface is set to wan1.

6. Setting the FortiGate unit to verify users have current AntiVirus software

Go to System > Status > Dashboard.

In the CLI Console widget, enter the following commands to enable the host check for compliant AntiVirus software on the remote user’s computer (next saves the portal entry; end leaves the configuration shell):

config vpn ssl web portal
  edit full-access
    set host-check av
  next
end

7. Results

Log into the portal using the credentials you created in step 2.

The FortiGate unit performs the host check.

After the check is complete, the portal appears.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users. The Web Application description indicates that the user is using web mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

In the Tunnel Mode widget, select Connect to enable the tunnel.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.

The tunnel description indicates that the user is using tunnel mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

Internet access occurs simultaneously through the FortiGate unit. Select an entry to view more information.

For further reading, check out Basic SSL VPN configuration in the FortiOS 5.2 Handbook.

You may need to install the FortiClient application using the available download link.