FortiOS™ Handbook - SSL VPN

VERSION 5.2.2

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com 
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com

January-05-15
FortiOS™ Handbook - SSL VPN
01-520-112804-20140807

TABLE OF CONTENTS
Change Log  6
Introduction  7
Introduction to SSL VPN  8
  SSL VPN modes of operation  9
  Web-only mode  9
  Tunnel mode  10
  Port forwarding mode  11
  Application support  11
  Antivirus and firewall host compatibility  12
  Traveling and security  13
  Host check  13
  Cache cleaning  13
  SSL VPN and IPv6  13
Basic configuration  14
  User accounts and groups  14
  Authentication  15
  MAC host check  15
  IP addresses for users  15
  Authentication of remote users  16
  Configuring SSL VPN web portals  18
  SSL connection configuration  19
  Portal configuration  20
  Personal bookmarks  23
  SSL VPN Realms  23
  Tunnel mode and split tunneling  24
  The Connection Tool widget  24
  Configuring security policies  25
  Firewall addresses  25
  Create an SSL VPN security policy  25
  Create a tunnel mode security policy  27
  Split tunnel Internet browsing policy  28
  Enabling a connection to an IPsec VPN  29
  Configuring encryption key algorithms  31
  Additional configuration options  31
  Routing in tunnel mode  32
  Changing the port number for web portal connections  32
  SSL offloading  33
  Host check  33
  Replacing the host check error message  33
  Creating a custom host check list  34
  Windows OS check  34
  Configuring cache cleaning  35
  Configuring virtual desktop  36
  Configuring client OS Check  37
  Adding WINS and DNS services for clients  37
  Setting the idle timeout setting  38
  SSL VPN logs  38
  Monitoring active SSL VPN sessions  39
  Troubleshooting  39
The SSL VPN client  41
  FortiClient  41
  Tunnel mode client configuration  41
The SSL VPN web portal  43
  Connecting to the FortiGate unit  43
  Web portal overview  44
  Portal configuration  45
  Portal settings  47
  Portal widgets  48
  Applications available in the web portal  49
  Using the My Bookmarks widget  50
  Adding bookmarks  50
  Using the Connection Tool  51
  Tunnel-mode features  56
  Using the SSL VPN virtual desktop  57
  Using FortiClient  57
Setup examples  58
  Secure Internet browsing  58
  Creating an SSL VPN IP pool and SSL VPN web portal  58
  Creating the SSL VPN user and user group  59
  Creating a static route for the remote SSL VPN user  59
  Creating security policies  59
  Configuring authentication rules  60
  Results  60
  Split Tunnel  60
  Creating a firewall address for the head office server  61
  Creating the SSL VPN user and user group  62
  Results  63
  Multiple user groups with different access permissions  63
  General configuration steps  64
  Creating the firewall addresses  64
  Creating the tunnel client range addresses  65
  Creating the web portals  65
  Creating the user accounts and user groups  66
  Creating the security policies  66
  Configuring authentication rules  67
  Create the static route to tunnel mode clients  68

Change Log
Date          Change Description
2015-01-05    Removed references to set action ssl-vpn.
2014-08-07    Updates to basic SSL VPN policy configuration. Removed references to set gateway <gateway_IP> for tunnel-mode configurations.
2014-06-03    FortiOS 5.2 major release.
2013-10-30    Minor edit: setting web portal tunnel-mode IP pools. Added information about Host check for Windows firewall.
2013-09-16    Added RFCs 2246, 4346, 5246, 6101, and 6176 for SSL and TLS support.
2012-11-02    New FortiOS 5.0 release.

Introduction
This document provides a general introduction to SSL VPN technology, explains the features available with SSL VPN and gives guidelines to decide what features you need to use, how the FortiGate unit implements them, and gives guidance on how to choose between SSL and IPsec.

The following chapters are included in this document:

Introduction to SSL VPN provides useful general information about VPN and SSL, and describes the SSL VPN OS Patch Check feature that allows a client with a specific OS patch to access SSL VPN services.

Basic configuration explains how to configure the FortiGate unit and the web portal, how to configure the SSL encryption key algorithm, and how the FortiGate unit is configured to implement the features. Along with these configuration details, this chapter also explains how to grant unique access permissions.

The SSL VPN client provides an overview of the FortiClient software required for tunnel mode, where to obtain the software, how to install it, and the configuration information required for remote users to connect to the internal network.

The SSL VPN web portal provides an overview of the SSL VPN web portal, with explanations of how to use and configure the web portal features.

Setup examples explores several configuration scenarios with step-by-step instructions. While the information provided is enough to set up the described SSL VPN configurations, these scenarios are not the only possible SSL VPN setups.

SSL VPN for FortiOS 5.2, Fortinet Technologies Inc.

Introduction to SSL VPN
As organizations have grown and become more complex, secure remote access to network resources has become critical for day-to-day operations. In addition, businesses are expected to provide clients with efficient, convenient services including knowledge bases and customer portals. Employees traveling across the country or around the world require timely and comprehensive access to network resources. As a result of the growing need for providing remote/mobile clients with easy, cost-effective and secure access to a multitude of resources, the concept of a Virtual Private Network (VPN) was developed.

SSL VPNs establish connectivity using SSL, which functions at Levels 4 - 5 (Transport and Session layers). Information is encapsulated at Levels 6 - 7 (Presentation and Application layers), and SSL VPNs communicate at the highest levels in the OSI model. SSL on its own is not strictly a VPN technology: it secures a single connection, and an SSL VPN builds on it to allow clients to connect to remote networks in a secure way. A VPN is a secure logical network created from physically separate networks. VPNs use encryption and other security methods to ensure that only authorized users can access the network. VPNs also ensure that the data transmitted between computers cannot be intercepted by unauthorized users. When data is encoded and transmitted over the Internet, the data is said to be sent through a "VPN tunnel". A VPN tunnel is a non-application oriented tunnel that allows the users and networks to exchange a wide range of traffic regardless of application or protocol.

The advantages of a VPN over an actual physical private network are two-fold. Rather than utilizing expensive leased lines or other infrastructure, you use the relatively inexpensive, high-bandwidth Internet. Perhaps more important though is the universal availability of the Internet. In most areas, access to the Internet is readily obtainable without any special arrangements or long wait times.

SSL (Secure Sockets Layer), as HTTPS, is supported by most web browsers for exchanging sensitive information securely between a web server and a client. SSL establishes an encrypted link, ensuring that all data passed between the web server and the browser remains private and secure. SSL protection is initiated automatically when a user (client) connects to a web server that is SSL-enabled. Once the connection is established, the browser encrypts all the information before it leaves the computer. When the information reaches its destination, it is decrypted using the session key that both sides agreed on during the handshake; the server's private key is used only to complete that handshake, not to decrypt the traffic itself. Any data sent back is first encrypted, and is decrypted when it reaches the client.

FortiOS supports the SSL and TLS versions defined below:

Table 1: SSL and TLS version support table
Version    RFC
SSL 2.0    RFC 6176
SSL 3.0    RFC 6101
TLS 1.0    RFC 2246
TLS 1.1    RFC 4346
TLS 1.2    RFC 5246

Note that RFC 6176 does not specify SSL 2.0; it prohibits its use, and SSL 3.0 has since been deprecated as well (RFC 7568). Of the versions in this table, only TLS 1.1 and TLS 1.2 should be negotiated in practice, and preferably TLS 1.2 alone; see Configuring encryption key algorithms on page 31 for the related FortiGate settings.

SSL VPN modes of operation
When a remote client connects to the FortiGate unit, the FortiGate unit authenticates the user based on username, password, and authentication domain. A successful login determines the access rights of remote users according to user group. The user group settings specify whether the connection will operate in web-only mode or tunnel mode.

Web-only mode
Web-only mode provides remote users with a fast and efficient way to access server applications from any thin client computer equipped with a web browser. Web-only mode offers true clientless network access using any web browser that has built-in SSL encryption and the Sun Java runtime environment.

In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page and the user can access the server applications behind the FortiGate unit.

Support for SSL VPN web-only mode is built into FortiOS. The feature comprises an SSL daemon running on the FortiGate unit, and a web portal, which provides users with access to network services and resources including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, and SSH.

When the FortiGate unit provides services in web-only mode, a secure connection between the remote client and the FortiGate unit is established through the SSL VPN security in the FortiGate unit and the SSL security in the web browser. After the connection has been established, the FortiGate unit provides access to selected services and network resources through a web portal.

FortiGate SSL VPN web portals have a 1- or 2-column page layout and portal functionality is provided through small applets called widgets. Widget windows can be moved or minimized. The controls within each widget depend on its function. There are predefined web portals and the administrator can create additional portals.

Configuring the FortiGate unit involves selecting the appropriate web portal configuration in the user group settings. These configuration settings determine which server applications can be accessed. SSL encryption is used to ensure traffic confidentiality.

The following table lists the operating systems and web browsers supported by SSL VPN web-only mode.

Table 2: SSL VPN Web-only Mode, supported operating systems and web browsers
Operating System                                       Web Browser
Microsoft Windows 7 32-bit SP1                         Microsoft Internet Explorer versions 8, 9, 10 and 11; Mozilla Firefox version 26
Microsoft Windows 7 64-bit SP1                         Microsoft Internet Explorer versions 8, 9, 10 and 11; Mozilla Firefox version 26
Linux CentOS version 5.6 and Ubuntu version 12.0.4     Mozilla Firefox version 5.6
Mac OS X v10.7 Lion                                    Apple Safari version 7
Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

Tunnel mode
Tunnel mode offers remote users the freedom to connect to the internal network using the traditional means of web-based access from laptop computers, as well as from airport kiosks, hotel business centers, and Internet cafés. If the applications on the client computers used by your user community vary greatly, you can deploy a dedicated SSL VPN client to any remote client through its web browser. The SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate unit through an SSL VPN tunnel over the HTTPS link between the web browser and the FortiGate unit.

In tunnel mode, remote clients connect to the FortiGate unit and the web portal login page using Microsoft Internet Explorer, Firefox, or Chrome on Windows, Mac OS X, or Linux. The FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page dictated by the user group authentication settings. If the user does not have the SSL VPN client installed, they will be prompted to download the SSL VPN client (an ActiveX or Java plugin) and install it using controls provided through the web portal.

SSL VPN tunnel mode can also be initiated from a standalone application on Windows, Mac OS, and Linux (see below).

Table 3: SSL VPN Tunnel client standalone installer (build 2300) supported operating systems
Operating System                                                                              Release
Microsoft Windows 8.1 (32-bit & 64-bit), 8 (32-bit & 64-bit), 7 (32-bit & 64-bit), and XP SP3  in .exe and .msi formats
Linux CentOS and Ubuntu                                                                       in .tar.gz format
Mac OS X v10.6, 10.7, 10.8, and 10.9                                                          in .dmg format
Virtual Desktop                                                                               in .jar format for Microsoft Windows 7 SP1 (32-bit)

When the user initiates a VPN connection with the FortiGate unit through the SSL VPN client, the FortiGate unit establishes a tunnel with the client and assigns the client a virtual IP address from a range of reserved addresses. The client uses the assigned IP address as its source address for the duration of the connection. After the tunnel has been established, the user can access the network behind the FortiGate unit.

Configuring the FortiGate unit to establish a tunnel with remote clients involves enabling the feature through SSL VPN configuration settings and selecting the appropriate web portal configuration for tunnel-mode access in the user group settings. The security policy and protection profiles on the FortiGate unit ensure that inbound traffic is screened and processed securely.

Another option is split tunneling, which ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route. This conserves bandwidth and alleviates bottlenecks. The trade-off is that the client's Internet traffic bypasses the FortiGate unit's security policies while the tunnel is up, so the client is simultaneously attached to the private network and directly exposed to the Internet.

The user account used to install the SSL VPN client on the remote computer must have administrator privileges. If you are using Windows Vista, you must disable UAC (User Account Control) before installing the SSL VPN tunnel client. For information on this configuration change, see the Release Notes for your FortiGate firmware. IE7 in Windows Vista runs in Protected Mode by default. To install the SSL VPN client ActiveX control, you need to launch IE7 by using 'Run as administrator' (right-click the IE7 icon and select 'Run as administrator').

Port forwarding mode
While tunnel mode provides a Layer 3 tunnel that users can run any application over, the user needs to install the tunnel client, and have the required administrative rights to do so. In some situations, this may not be desirable, yet the simple web mode does not provide enough flexibility for application support (for example, if you wish to use an email client that communicates with a POP3 server). The port forward mode, or proxy mode, provides this middle ground between web mode and tunnel mode.

SSL VPN port forwarding listens on local ports on the user's computer. When it receives data from a client application, the port forward module encrypts and sends the data to the FortiGate unit, which then forwards the traffic to the application server.

The port forward module is implemented with a Java applet, which is downloaded and runs on the user's computer. The applet provides up-to-date status information such as addressing and bytes sent and received.

On the user end, the user logs into the FortiGate SSL VPN portal, and selects a port forward bookmark configured for a specific application. The bookmark defines the server address and port as well as which port to listen to on the user's computer. The user must configure the application on the PC to point to the local proxy instead of the application server. For information about client operating system requirements, see the application documentation.

This mode only supports client/server applications that are using a static TCP port. It will not support client/server applications using dynamic ports or traffic over UDP.

For information on configuring tunnel mode, see Tunnel mode and split tunneling on page 24. For information on configuring a port forward tunnel, see Port forwarding on page 24.

Application support
With Citrix application servers, the server downloads an ICA configuration file to the user's PC. The FortiGate unit will read this file and append a SOCKS entry to set the SOCKS proxy to 'localhost'. The Citrix client will then be able to connect to the SSL VPN port forward module to provide the connection. The client application uses this information to connect to the Citrix server. When configuring the port forwarding module, a selection is available for Citrix servers.

For Windows Remote Desktop Connections, when selecting the RDP option, the tunnel will launch the RDP client and connect to the local loopback address after the port forward module has been initiated.

Antivirus and firewall host compatibility
The following tables list the antivirus and firewall client software packages that are supported in FortiOS.

Table 4: Supported Windows XP antivirus and firewall software
Product supported                                    Antivirus   Firewall
Symantec Endpoint Protection V11                     •           •
Kaspersky Antivirus 2009                             •
McAfee Security Center v8.1                          •           •
Trend Micro Internet Security Pro                    •           •
F-Secure Internet Security 2009                      •           •

Table 5: Supported Windows 7 32-bit and 64-bit antivirus and firewall software
Product supported                                    Antivirus   Firewall
CA Internet Security 2011                            •           •
AVG Internet Security 2011                           •           •
F-Secure Internet Security 2011                      •           •
Kaspersky Internet Security 2011                     •           •
McAfee Internet Security 2011                        •           •
Norton 360 Version 4.0                               •           •
Norton Internet Security 2011                        •           •
Panda Internet Security 2011                         •           •
Sophos Security Suite                                •           •
Trend Micro Titanium Internet Security               •           •
ZoneAlarm Security Suite                             •           •
Symantec Endpoint Protection Small Business Edition 12.0   •     •

Traveling and security
Because SSL VPN provides a means for "on-the-go" users to dial in to the network while away from the office, you need to ensure that wherever and however they choose to dial in is secure, and not potentially compromising the corporate network. When setting up the portal, you can include two options to ensure corporate data is safe: a host check for antivirus software, and a cache cleaner.

Host check
You can enable a host integrity checker to scan the remote client. The integrity checker probes the remote client computer to verify that it is safe before access is granted. Security attributes recorded on the client computer (for example, in the Windows registry, in specific files, or held in memory due to running processes) are examined and uploaded to the FortiGate unit. Because the check runs on the client and reports what the client says about itself, treat it as a hygiene control for managed endpoints rather than as protection against an attacker who already controls the endpoint. For more information, see Host check on page 33.

Cache cleaning
You can enable a cache cleaner to remove any sensitive data that would otherwise remain on the remote computer after the session ends. For example, all cache entries, browser history, cookies, encrypted information related to user authentication, and any temporary data generated during the session are removed from the remote computer. If the client's browser cannot install and run the cache cleaner, the user is not allowed to access the SSL-VPN portal. For more information, see Configuring cache cleaning on page 35.

SSL VPN and IPv6
FortiOS supports SSL VPN with IPv6 addressing, and it is available for all the Java applets (Telnet, VNC, RDP, and so on). IPv6 configurations for security policies and addressing include:
• Policy matching for IPv6 addresses
• Support for DNS resolving in SSL VPN
• Support for IPv6 ping
• FTP applications
• SMB
In essentially any of the following instructions, replace IPv4 with IPv6 to achieve the same desired results, but for IPv6 addresses and configurations.

Basic configuration
Configuring SSL VPN involves a number of configurations within FortiOS that you need to complete to make it all come together. This chapter describes the components required, and how and where to configure them to set up the FortiGate unit as an SSL VPN server. The configurations and steps are high level, to show you the procedures needed, and where to locate the options in FortiOS. For real-world examples, see Setup examples on page 58.

There are three or four key steps to configuring an SSL VPN tunnel. The first three in the points below are mandatory, while the others are optional. This chapter outlines these key steps as well as additional configurations for tighter security and monitoring. The key steps are:
• Create user accounts and user groups for the remote clients. (User accounts and groups on page 14)
• Create a web portal to define user access to network resources. (Configuring SSL VPN web portals on page 18)
• Configure the security policies. (Configuring security policies on page 25)
• For tunnel-mode operation, add routing to ensure that client tunnel-mode packets reach the SSL VPN interface. (Routing in tunnel mode on page 32)
• Set up logging of SSL VPN activities. (SSL VPN logs on page 38)

User accounts and groups
The first step for an SSL VPN tunnel is to add the users and user groups that will access the tunnel. You may already have users defined for other authentication-based security policies.

To create a user account:
• In the web-based manager, go to User & Device > User > User Definition, and select Create New.
• In the CLI, use the commands in config user local.

All users accessing the SSL tunnel must be in a firewall user group. The user group is associated with the web portal that the user sees after logging in. You can use one policy for multiple groups, or multiple policies to handle differences between the groups such as access to different services, or different schedules. User names can be up to 64 characters long.

To create user groups:
• In the web-based manager, go to User & Device > User > User Groups and select Create New.
• In the CLI, use the commands in config user group.

Authentication
Remote users must be authenticated before they can request services and/or access network resources through the web portal. The authentication process can use a password defined on the FortiGate unit or optionally use established external authentication mechanisms such as RADIUS or LDAP.

To authenticate users, you can use a plain text password on the local FortiGate unit, forward authentication requests to an external RADIUS, LDAP or TACACS+ server, or utilize PKI certificates. For information about how to create RADIUS, LDAP, TACACS+ or PKI user accounts and certificates, see the Authentication Guide.

FortiOS supports LDAP password renewal notification and updates through SSL VPN. Configuration is enabled, per LDAP server entry, using the CLI commands:
config user ldap
  edit <ldap_server_name>
    set password-expiry-warning enable
    set password-renewal enable
end
For more information, see the Authentication Guide.

MAC host check
When a remote client attempts to log in to the portal, you can have the FortiGate unit check the client's MAC address to ensure that only a specific computer or device is connecting to the tunnel. This can provide better security should a password be compromised, because the stolen credentials are useless from an unlisted machine. The MAC address is reported by the client software, however, so the check does not stop an attacker who controls a client and can set its MAC address. MAC addresses can be tied to specific portals and can be either the entire MAC address or a subset of the address.

MAC host checking is configured in the CLI using the following commands:
config vpn ssl web portal
  edit portal
    set mac-addr-check enable
    set mac-addr-action allow
    config mac-addr-check-rule
      edit "rule1"
        set mac-addr-list 01:01:01:01:01:01 08:00:27:d4:06:5d
        set mac-addr-mask 48
      next
    end
  next
end

IP addresses for users
After the FortiGate unit authenticates a request for a tunnel-mode connection, the FortiGate unit assigns the SSL VPN client an IP address for the session. The address is assigned from an IP Pool, which is a firewall address defining an IP address range.
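What the mac-addr-mask value means is easiest to see in code. The Python below is an added example, not FortiOS code and not part of the handbook: it models a portal's mac-addr-check-rule entries and evaluates a client-reported MAC address against them. It assumes, since the page does not spell this out, that the mask is the number of leading bits compared (48 is an exact match, 24 compares only the vendor OUI) and that mac-addr-action allow admits matching clients and refuses everyone else, with deny inverting that. The rule1 entry copies the page's configuration; the oui-rule entry is hypothetical.

```python
"""MAC host check evaluation (added example, not FortiOS code)."""
import re

MAC_BITS = 48


def parse_mac(text):
    """Return a MAC such as '08:00:27:d4:06:5d' (colon, dash or no separator) as a 48-bit int."""
    digits = re.sub(r"[:\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def mac_matches(client_mac, rule_mac, mask_bits):
    """True if the first mask_bits bits of both addresses agree (assumed mac-addr-mask semantics)."""
    if not 0 <= mask_bits <= MAC_BITS:
        raise ValueError("mask must be between 0 and 48")
    mask = ((1 << mask_bits) - 1) << (MAC_BITS - mask_bits)
    return (parse_mac(client_mac) & mask) == (parse_mac(rule_mac) & mask)


# rule1 mirrors the page's portal configuration (two exact addresses, mask 48).
# oui-rule is hypothetical and shows an OUI-only match (mask 24): any 08:00:27:* address.
PORTAL_RULES = [
    {"name": "rule1", "mac_addr_list": ["01:01:01:01:01:01", "08:00:27:d4:06:5d"], "mac_addr_mask": 48},
    {"name": "oui-rule", "mac_addr_list": ["08:00:27:00:00:00"], "mac_addr_mask": 24},
]


def matching_rule(client_mac, rules):
    """Name of the first rule whose list contains the client MAC under that rule's mask, else None."""
    for rule in rules:
        for rule_mac in rule["mac_addr_list"]:
            if mac_matches(client_mac, rule_mac, rule["mac_addr_mask"]):
                return rule["name"]
    return None


def host_check(client_mac, rules, action="allow"):
    """Portal decision. action='allow': only listed MACs may log in; 'deny': listed MACs are refused."""
    if action not in ("allow", "deny"):
        raise ValueError("mac-addr-action must be allow or deny")
    matched = matching_rule(client_mac, rules) is not None
    return matched if action == "allow" else not matched


if __name__ == "__main__":
    for mac in ("08:00:27:d4:06:5d", "08-00-27-AA-BB-CC", "00:11:22:33:44:55"):
        print(mac, "->", matching_rule(mac, PORTAL_RULES), "allowed:", host_check(mac, PORTAL_RULES))
```

A mask shorter than 48 widens the rule from one device to a whole vendor prefix, so use it only when that is the intent; a mask of 0 matches every address and silently turns the check off.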

Take care to prevent overlapping IP addresses. Do not assign to clients any IP addresses that are already in use on the private network. As a precaution, consider assigning IP addresses from a network that is not commonly used (for example, 10.254.254.0/24).

To set tunnel-mode client IP address range - web-based manager:
1. Go to Policy & Objects > Objects > Addresses and select Create New.
2. Enter a Name, for example, SSL_VPN_tunnel_range.
3. Select a Type of IP Range.
4. In the Subnet/IP Range field, enter the starting and ending IP addresses that you want to assign to SSL VPN clients, for example 10.254.254.[80-100].
5. In Interface, select Any.
6. Select OK.

To set tunnel-mode client IP address range - CLI:
If your SSL VPN tunnel range is for example 10.254.254.80 - 10.254.254.100, you could enter
config firewall address
  edit SSL_tunnel_users
    set type iprange
    set start-ip 10.254.254.80
    set end-ip 10.254.254.100
  next
end

Authentication of remote users
When remote users connect to the SSL VPN tunnel, they must perform authentication before being able to use the internal network resources. This can be as simple as assigning users with their own passwords, connecting to an LDAP server or using more secure options. FortiOS provides a number of options for authentication as well as security options for those connected users.

The web portal can include bookmarks to connect to internal network resources. A web (HTTP/HTTPS) bookmark can include login credentials so that the FortiGate unit automatically logs the user into the website. This means that the user logs into the SSL VPN and then does not have to enter any more credentials to visit preconfigured web sites. Both the administrator and the end user can configure bookmarks, including SSO bookmarks. To add bookmarks as a web portal user, see Adding bookmarks on page 50.

Setting the client authentication timeout
The client authentication timeout controls how long an authenticated user will remain connected. When this time expires, the system forces the remote client to authenticate again. The default value is 28800 seconds (8 hours). As with the idle timeout, a shorter period of time is more secure. You can only modify this timeout value in the CLI. For example, to change the authentication timeout to 18 000 seconds, enter the following commands in the CLI:
config vpn ssl settings
  set auth-timeout 18000
end
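Checking a candidate pool against the addresses already in use on the private network is easy to automate before the address object is created. The Python below is an added example, not part of the handbook or of FortiOS: it expands the page's 10.254.254.80 - 10.254.254.100 range into the CIDR blocks it covers and reports any collision with a constructed inventory of internal subnets and interface addresses (the IN_USE list is made up for the example). Because it is built on the standard ipaddress module it also handles IPv6 ranges, which goes beyond the IPv4 case the page shows.

```python
"""Tunnel-mode IP pool overlap check (added example, not FortiOS code)."""
import ipaddress
from typing import Iterable


def pool_to_networks(start_ip, end_ip):
    """Expand a FortiOS iprange address (start-ip/end-ip) into the minimal list of CIDR blocks."""
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    if start.version != end.version:
        raise ValueError("start-ip and end-ip must be the same IP version")
    if end < start:
        raise ValueError("end-ip must not precede start-ip")
    return list(ipaddress.summarize_address_range(start, end))


def pool_size(start_ip, end_ip):
    """Number of client addresses the pool can hand out (one per concurrent tunnel)."""
    return sum(n.num_addresses for n in pool_to_networks(start_ip, end_ip))


def find_overlaps(start_ip, end_ip, in_use: Iterable[str]):
    """Return the entries of in_use that collide with the pool.

    Entries may be CIDR networks ("192.168.1.0/24") or single hosts ("10.254.254.90").
    Entries of a different IP version never overlap and are therefore never reported.
    """
    pool_nets = pool_to_networks(start_ip, end_ip)
    conflicts = []
    for item in in_use:
        net = ipaddress.ip_network(item, strict=False)
        if any(p.overlaps(net) for p in pool_nets):
            conflicts.append(item)
    return conflicts


# Constructed sample data for the example: the page's pool and a made-up inventory of
# internal subnets and interface addresses. The 10.254.254.0/25 entry deliberately collides.
SSL_TUNNEL_USERS = ("10.254.254.80", "10.254.254.100")
IN_USE = ["192.168.1.0/24", "10.10.0.0/16", "172.16.5.1", "10.254.254.0/25"]


if __name__ == "__main__":
    start, end = SSL_TUNNEL_USERS
    print("pool blocks:", [str(n) for n in pool_to_networks(start, end)])
    print("pool size:", pool_size(start, end))
    print("conflicts:", find_overlaps(start, end, IN_USE))
```

Feed IN_USE from the real address inventory (internal subnets, the SSL VPN interface address, and any other tunnel pools) and refuse the pool if the conflict list is not empty; the pool size is also worth comparing against the expected number of concurrent users, since a client cannot connect once the pool is exhausted.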

You can also set the idle timeout for the client, to define how long the user may go without accessing the remote resources before they are logged out. For information see SSL connection configuration on page 19.

Allow one-time login per user
You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again. It is disabled by default.

To allow one-time login per user - web-based manager:
Go to VPN > SSL > Portals, select a portal, and enable Limit Users to One SSL-VPN Connection at a Time.

To allow one-time login per user - CLI:
config vpn ssl web portal
  edit <portal_name>
    set limit-user-logins enable
end

Strong authentication with security certificates
The FortiGate unit supports strong (two-factor) authentication through X.509 security certificates (version 1 or 3). The FortiGate unit can require clients to authenticate using a certificate, and the client can require the FortiGate unit to authenticate using a certificate.

If your SSL VPN clients require strong authentication, the FortiGate unit must offer a certificate issued by a CA whose certificate the client browser has installed. In the FortiGate unit SSL VPN settings, you can select which certificate the FortiGate offers to authenticate itself. By default, the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to remote clients when they connect. Clients cannot verify that self-signed certificate, so they see a certificate warning on every connection and are trained to click through it; install a certificate issued by a CA the clients already trust before putting the portal into service.

You can select the Require Client Certificate option so that clients must authenticate using certificates. The client browser must have a local certificate installed, and the FortiGate unit must have the corresponding CA certificate installed. When the remote client initiates a connection, the FortiGate unit prompts the client browser for its client-side certificate as part of the authentication process. For information about obtaining and installing certificates, see the Authentication Guide.

To require client authentication by security certificates - web-based manager:
1. Go to VPN > SSL > Settings.
2. Select Require Client Certificate.
3. Select Apply.

To require client authentication by security certificates - CLI:
config vpn ssl settings
  set reqclientcert enable
end

To enable FortiGate unit authentication by certificate - web-based manager:
1. Go to VPN > SSL > Settings.
2. From the Server Certificate list, select the certificate that the FortiGate unit uses to identify itself to SSL VPN
clients.
3. Select Apply.

To enable FortiGate unit authentication by certificate - CLI:
For example, to use the example_cert certificate
config vpn ssl settings
set servercert example_cert
end

FortiOS will check the server certificate to verify that the certificate is valid. Only valid server certificates should be used.

NSA Suite B cryptography support
FortiOS supports the use of ECDSA Local Certificates for SSL VPN Suite B. The National Security Agency (NSA)
developed Suite B algorithms in 2005 to serve as a cryptographic base for both classified and unclassified information
at an interoperable level.
FortiOS allows you to import, generate, and use ECDSA certificates defined by the Suite B cryptography set. To
generate ECDSA certificates, use the following command in the CLI:
exec vpn certificate local generate ec

Configuring SSL VPN web portals
The SSL VPN portal enables remote users to access internal network resources through a secure channel using a web
browser. FortiGate administrators can configure login privileges for system users as well as the network resources that
are available to the users.

This step in the configuration of the SSL VPN tunnel sets up the infrastructure: the addressing, encryption, and
certificates needed to make the initial connection to the FortiGate unit. This step is also where you configure what the
remote user sees after a successful connection. The portal view defines the resources available to the remote users
and the functionality they have on the network.

SSL connection configuration
To configure the basic SSL VPN settings for encryption and login options, go to VPN > SSL > Settings.
Listen on Interface(s): Define the interface which the FortiGate will use to listen for SSL VPN tunnel requests. This is generally your external interface.

Listen on Port: Enter the port number for HTTPS access.

Restrict Access: Restrict accessibility to either Allow access from any host or Limit access to specific hosts, as desired. If selecting the latter, you must specify the hosts.

Server Certificate: Select the signed server certificate to use for authentication. If you leave the default setting (Self-Signed), the FortiGate unit offers its factory installed certificate from Fortinet to remote clients when they connect.

Require Client Certificate: Select to use group certificates for authenticating remote clients. When the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process. For information on using PKI to provide client certificate authentication, see the Authentication Guide.

Idle Logout: Type the period of time (in seconds) that the connection can remain inactive before the user must log in again. The range is from 10 to 28800 seconds. Setting the value to 0 disables the idle connection timeout. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.

Address Range: Select Specify custom IP ranges to select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients.

DNS Server: Enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.

Specify WINS Servers: Enable to access options for entering up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.

Allow Endpoint Registration: Select so that FortiClient registers with the FortiGate unit when connecting. If you configured a registration key by going to System > Config > Advanced, the remote user is prompted to enter the key. This only occurs on the first connection to the FortiGate unit.

Portal configuration
The portal configuration determines what the remote user sees when they log in to the portal. Both the system
administrator and the user have the ability to customize the SSL VPN portal.
To view the portals settings page, go to VPN > SSL > Portals.
There are three pre-defined default portal configurations available:
- full-access
- tunnel-access
- web-access

Each portal type includes similar configuration options. Select between the different portals by double-clicking one of
the default portals in the list. You can also create a custom portal by selecting the Create New option at the top.

Name: The name for the portal.

Enable Tunnel Mode: If your web portal provides tunnel mode access, you need to configure the Tunnel Mode widget. These settings determine how tunnel mode clients are assigned IPv4 addresses.

Enable Split Tunneling: Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user's other traffic follows its normal route.

Source IP Pools: Select an IPv4 Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.

Enable IPv6 Tunnel Mode: If your web portal provides tunnel mode access, you need to configure the Tunnel Mode widget. These settings determine how tunnel mode clients are assigned IPv6 addresses.

Enable IPv6 Split Tunneling: Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user's other traffic follows its normal route. This applies only to IPv6 tunnels.

Source IPv6 Pools: Select an IPv6 Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.

Client Options: These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.
- Save Password: When enabled, if the user selects this option, their password is stored on the user's computer and will automatically populate each time they connect to the VPN.
- Auto Connect: When enabled, if the user selects this option, FortiClient will automatically attempt to connect to the VPN tunnel when the FortiClient application is launched, for example after a reboot or system startup.
- Always Up (Keep Alive): When enabled, if the user selects this option, the FortiClient connection will not shut down. When not selected, during periods of inactivity, FortiClient will attempt to stay connected every three minutes for a maximum of 10 minutes.

Enable Web Mode: Select to enable web mode access.

Portal Message: This is a text header that appears on the top of the web portal.

Theme: A color styling specifically for the web portal.

Page Layout: Select one column or two column layouts for the widgets that appear on the web portal page.

Include Status Information: Select to display the Status Information widget on the portal page. The Status Information widget displays the login name of the user, the amount of time the user has been logged in, and the inbound and outbound traffic statistics.

Include Connection Tool: Select to display the Connection Tool widget on the portal page. Use the Connection Tool widget to connect to an internal network resource without adding a bookmark to the bookmark list. You select the type of resource and specify the URL or IP address of the host computer.

Include FortiClient Download: Select to include the FortiClient Download option in the web portal.

Prompt Mobile Users to Download FortiClient Application: If a remote user is using a web browser to connect to the SSL VPN in web mode, they are prompted to download the FortiClient application. The remote user can accept or reject the notification. If the user accepts, they are redirected to the FortiClient web site.

Include Login History: Select to include user login history on the web portal. This is enabled by default.

Enable User Bookmarks: Select to include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a bookmark is selected from a bookmark list, a pop-up window appears with the web page. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.

Limit Users to One SSL-VPN Connection at a Time: You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again. This option is disabled by default.

If your network configuration does not contain a default SSL VPN portal, you might receive the error message "Input value is invalid" when you attempt to access VPN > SSL > Portals.

To enable a default portal - CLI:
config vpn ssl settings
    set default-portal <full-access | tunnel-access | web-access>
end

Adding bookmarks
A web bookmark can include login credentials to automatically log the SSL VPN user into the website. When the administrator configures bookmarks, the website credentials must be the same as the user's SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the website.

To add a bookmark - web-based manager:
1. On the VPN > SSL > Portals page, ensure Enable User Bookmarks is enabled.
2. Select Create New and enter the following information:

Category: Select a category, or group, to include the bookmark. If this is the first bookmark added, you will be prompted to add a category. Otherwise, select Create from the drop-down list.

Name: Enter a name for the bookmark.

Type: Select the type of link from the drop-down list. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.

URL: Enter the IP address source.

Description: Enter a brief description of the link.

Single Sign-On: Enable if you wish to use Single Sign-On (SSO) for any links that require authentication. When including a link using SSO, be sure to use the entire URL, rather than just the IP address. For example, http://10.1.10.0/login.

For more configuration options, see Additional configuration options on page 31.

Personal bookmarks
The administrator has the ability to view bookmarks the remote client has added to their SSL VPN login in the bookmarks widget. This enables the administrator to monitor and, if needed, remove unwanted bookmarks that do not meet with corporate policy.

To view and maintain remote client bookmarks, go to VPN > SSL > Personal Bookmarks.

To enable personal bookmarks:
1. Go to System > Admin > Settings.
2. Enable SSL-VPN Personal Bookmark Management.
3. Select Apply.

SSL VPN Realms
You can go to VPN > SSL > Realms and create custom login pages for your SSL VPN users. You can use this feature to customize the SSL VPN login page for your users and also to create multiple SSL VPN logins for different user groups.

In order to create a custom login page using the web-based manager, it must be enabled. On low-end FortiGate units, this feature must be enabled using Feature Select. On mid-range and high-end FortiGate units, this feature is enabled by default.

To configure SSL VPN Realms - web-based manager:
1. Configure a custom SSL VPN login by going to VPN > SSL > Realms and selecting Create New.
2. The first option in the custom login page is to enter the path of the custom URL. This path is appended to the address of the FortiGate unit interface to which SSL VPN users connect. The actual path for the custom login page appears beside the URL path field. Users access different portals depending on the URL they enter.
3. You can also limit the number of users that can access the custom login at any given time.
4. You can use HTML code to customize the appearance of the login page. Before you begin, copy the default login page text to a separate text file for safe-keeping. Afterward, if needed, you can restore the text to the original version.

5. After adding the custom login, you must associate it with the users that will access the custom login. Do this by going to VPN > SSL > Settings and adding a rule to the Authentication/Portal Mapping section. Under Authentication/Portal Mapping, click Create New and select the user group(s) and the associated Realm.
6. Select OK.

To configure SSL VPN Realms - CLI:
config vpn ssl web realm
    edit <url-path>
        set login-page <content_str>
        set max-concurrent-user <int>
        set virtual-host <hostname_str>
    next
end

Where the following variables are set:

edit <url-path>: Enter the URL path to access the SSL-VPN login page. Do not include "http://". Maximum length 255 characters. Default: no default.

login-page <content_str>: Enter replacement HTML for the SSL-VPN login page. Optional. Default: no default.

max-concurrent-user <int>: Enter the maximum number of concurrent users allowed. Range 0-65 535. 0 means unlimited. Default: 0.

virtual-host <hostname_str>: Enter the virtual host name for this realm. Default: no default.

Tunnel mode and split tunneling
If you want your web portal to have tunnel mode access, select Tunnel Mode when creating a new portal. Enable Split Tunneling so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user's other traffic follows its normal route. Set up the portal as described at Configuring SSL VPN web portals on page 18.

Port forwarding
Port forwarding provides a method of connecting to application servers without configuring a tunnel mode connection, and requiring the installation of a tunnel mode client. Ensure that Port Forward is enabled in the Applications list. To configure the application, create a bookmark with the Type field set to Port Forward.

The Connection Tool widget
The Connection Tool widget enables a user to connect to a resource when it isn't a bookmark. Ensure that the desired application or protocol (to which you want remote users to connect) is enabled in the Applications list of the General settings, by selecting the Settings button in the portal configuration window.

To configure the Connection Tool widget - CLI:
To change, for example, the full-access portal Connection Tool widget to allow all application types except Telnet, you would enter:
config vpn ssl web portal
    edit full-access
        config widget
            edit 3
                set allow-apps ftp rdp smb ssh vnc web
            next
        end
    next
end

Configuring security policies
You will need at least one SSL VPN security policy. This is an identity-based policy that authenticates users and enables them to access the SSL VPN web portal. The SSL VPN user groups named in the policy determine who can authenticate and which web portal they will use. From the web portal, users can access protected resources or download the SSL VPN tunnel client application. If you will provide tunnel mode access, you will need a second security policy: an ACCEPT tunnel mode policy to permit traffic to flow between the SSL VPN tunnel and the protected networks.

This section contains the procedures needed to configure security policies for web-only mode operation and tunnel-mode operation. These procedures assume that you have already completed the procedures outlined in User accounts and groups on page 14.

Firewall addresses
Before you can create security policies, you need to define the firewall addresses you will use in those policies. For both web-only and tunnel mode operation, you need to create firewall addresses for all of the destination networks and servers to which the SSL VPN client will be able to connect.

For tunnel mode, you will already have defined firewall addresses for the IP address ranges that the FortiGate unit will assign to SSL VPN clients.

The source address for your SSL VPN security policies will be the predefined "all" address. Both the address and the netmask are 0.0.0.0. The "all" address is used because VPN clients will be connecting from various addresses, not just one or two known networks. For improved security, if clients will be connecting from one or two known locations, you should configure firewall addresses for those locations instead of using the "all" address.

To create a firewall address, in the web-based manager, go to Policy & Objects > Objects > Addresses, and select Create New.

Create an SSL VPN security policy
At minimum, you need one SSL VPN security policy to authenticate users and provide access to the protected networks. You will need additional security policies only if you have multiple web portals that provide access to different resources. You can use one policy for multiple groups, or multiple policies to handle differences between the groups such as access to different services, or different schedules.

The SSL VPN security policy specifies:
- The incoming interface that corresponds to the ssl.root interface.
- The SSL VPN user groups that can use the security policy.
- The times (schedule) and types of services that users can access.
- The UTM features and logging that are applied to the connection.

Your identity-based policies are listed in the security policy table. The FortiGate unit searches the table from the top down to find a policy to match the client's user group. Using the move icon in each row, you can change the order of the policies in the table to ensure the best policy will be matched first. You can also use the icons to edit or delete policies. Furthermore, you can drag and drop policies in the policy list to rearrange their order.

To create an SSL-VPN security policy - web-based manager:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter the following information:

Incoming Interface: Select the virtual SSL VPN interface, such as ssl.root.

Source Address: Select all.

Source User(s): Select to allow access only to holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field. See Strong authentication with security certificates on page 17.

Outgoing Interface: Select the FortiGate network interface that connects to the protected network.

Destination Address: Select the firewall address you created that represents the networks and servers to which the SSL VPN clients will connect. Do not use ALL as the destination address. If you do, you will see the "Destination address of Split Tunneling policy is invalid" error when you enable Split Tunneling. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select the plus symbol. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK.

Action: Select Accept.

Service: Select services in the left list and use the right arrow button to move them to the right list. Select the ALL service to allow the user group access to all services.

To create an SSL VPN security policy - CLI:
Create the SSL VPN security policy by entering the following CLI commands (ssl.root is the SSL VPN tunnel interface):
config firewall policy
    edit <id>
        set srcintf ssl.root
        set dstintf port2
        set srcaddr all
        set dstaddr OfficeLAN
        set action accept
        set schedule always
        set service ALL
        set nat enable
    next
end

Create a tunnel mode security policy
If your SSL VPN will provide tunnel mode operation, you need to create a security policy to enable traffic to pass between the SSL VPN virtual interface and the protected networks. This is in addition to the SSL VPN security policy that you created in the preceding section.

The SSL VPN virtual interface is the FortiGate unit end of the SSL tunnel that connects to the remote client. It is named ssl.<vdom_name>. In the root VDOM, for example, it is named ssl.root. If VDOMs are not enabled on your FortiGate unit, the SSL VPN virtual interface is also named ssl.root.

To configure the tunnel mode security policy - web-based manager:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter the following information and select OK.

Incoming Interface: Select the virtual SSL VPN interface, such as ssl.root.

Source Address: Select the firewall address you created that represents the IP address range assigned to SSL VPN clients, such as SSL_VPN_tunnel_users.

Source User(s): (Optional) Select to allow access only to holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field. See Strong authentication with security certificates on page 17.

Outgoing Interface: Select the FortiGate network interface that connects to the protected network.

Destination Address: Select the firewall address that represents the networks and servers to which the SSL VPN clients will connect. To select multiple firewall addresses or address groups, select the plus sign next to the drop-down list.

Action: Select Accept.

Service: Select services in the left list and use the right arrow button to move them to the right list. Select the ALL service to allow the user group access to all services.

Enable NAT: Select Enable NAT.

To configure the tunnel mode security policy - CLI:
config firewall policy
    edit <id>
        set srcintf ssl.root
        set dstintf <dst_interface_name>
        set srcaddr <tunnel_ip_address>
        set dstaddr <protected_network_address_name>
        set action accept
        set schedule always
        set service ALL
        set nat enable
    next
end

This policy enables the SSL VPN client to initiate communication with hosts on the protected network. If you want to enable hosts on the protected network to initiate communication with the SSL VPN client, you should create another Accept policy like the preceding one but with the source and destination settings reversed. You must also add a static route for tunnel mode operation.

Routing for tunnel mode
If your SSL VPN operates in tunnel mode, you must add a static route so that replies from the protected network can reach the remote SSL VPN client.

To add the tunnel mode route - web-based manager:
1. Go to Router > Static > Static Routes and select Create New. For low-end FortiGate units, go to System > Network > Routing and select Create New.
2. Enter the Destination IP/Mask of the tunnel IP address that you assigned to the users of the web portal.
3. Select the SSL VPN virtual interface for the Device.
4. Select OK.

To add the tunnel mode route - CLI:
If you assigned 10.11.254.0/24 as the tunnel IP range, you would enter:
config router static
    edit <id>
        set device ssl.root
        set dst 10.11.254.0/24
    next
end

Split tunnel Internet browsing policy
With split tunneling disabled, all of the SSL VPN client's requests are sent through the SSL VPN tunnel. But the tunnel mode security policy provides access only to the protected networks behind the FortiGate unit. Clients will receive no response if they attempt to access Internet resources. You can enable clients to connect to the Internet through the FortiGate unit using a split tunnel Internet browsing policy.

To add an Internet browsing policy - web-based manager:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter the following information and select OK.

Incoming Interface: Select the virtual SSL VPN interface (ssl.root, for example).

Source Address: Select the firewall address you created that represents the IP address range assigned to SSL VPN clients.

Outgoing Interface: Select the FortiGate network interface that connects to the Internet.

Destination Address: Select All.

Action: Select Accept.

Enable NAT: Select Enable.

To configure the Internet browsing security policy - CLI:
To enable browsing the Internet through port1, you would enter:
config firewall policy
    edit 0
        set srcintf ssl.root
        set dstintf port1
        set srcaddr SSL_tunnel_users
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
    next
end

Enabling a connection to an IPsec VPN
You might want to provide your SSL VPN clients access to another network, such as a branch office, that is connected by an IPsec VPN. To do this, you need only to add the appropriate security policy. For information about route-based and policy-based IPsec VPNs, see the IPsec VPN Guide.

Route-based connection
To configure interconnection with a route-based IPsec VPN - web-based manager:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter the following information and select OK.

Incoming Interface: Select the virtual SSL VPN interface (ssl.root, for example).

Source Address: Select the firewall address that represents the IP address range assigned to SSL VPN clients.

Outgoing Interface: Select the virtual IPsec interface for your IPsec VPN.

Destination Address: Select the address of the IPsec VPN remote protected subnet.

Action: Select ACCEPT.

Enable NAT: Enable.

To configure interconnection with a route-based IPsec VPN - CLI:
If, for example, you want to enable SSL VPN users to connect to the private network (address name OfficeAnet) through the toOfficeA IPsec VPN, you would enter:
config firewall policy
    edit 0
        set srcintf ssl.root
        set dstintf toOfficeA
        set srcaddr SSL_tunnel_users
        set dstaddr OfficeAnet
        set action accept
        set nat enable
        set schedule always
        set service ALL
    next
end

Policy-based connection
To configure interconnection with a policy-based IPsec VPN - web-based manager:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter the following information and select OK.

Incoming Interface: Select the virtual SSL VPN interface (ssl.root, for example).

Source Address: Select the firewall address that represents the IP address range assigned to SSL VPN clients.

Outgoing Interface: Select the FortiGate network interface that connects to the Internet.

Destination Address: Select the address of the IPsec VPN remote protected subnet.

3. Configure inbound NAT from the CLI, where <id> is the ID of the policy you just created:
config firewall policy
    edit <id>
        set natinbound enable
    next
end

To configure interconnection with a policy-based IPsec VPN - CLI:
If, for example, you want to enable SSL VPN users to connect to the private network (address name OfficeAnet) through the OfficeA IPsec VPN, you would enter:
config firewall policy
    edit 0
        set srcintf ssl.root
        set dstintf port1
        set srcaddr SSL_tunnel_users
        set dstaddr OfficeAnet
        set action ipsec
        set schedule always
        set service ALL
        set inbound enable
        set outbound enable
        set natinbound enable
        set vpntunnel OfficeA
    next
end

In this example, port1 is connected to the Internet.

Configuring encryption key algorithms
The FortiGate unit supports a range of cryptographic cipher suites to match the capabilities of various web browsers. The web browser and the FortiGate unit negotiate a cipher suite before any information (for example, a user name and password) is transmitted over the SSL link. You can only configure encryption key algorithms for SSL VPN in the CLI.

To configure encryption key algorithms - CLI:
Use the following CLI command.
config vpn ssl settings
    set algorithm <cipher_suite>
end

where one of the following variables replaces <cipher_suite>:

low: Use any cipher suite, RC4, 3DES, AES, or DES.

medium: Use a 128-bit or greater cipher suite, AES, 3DES, or RC4.

high: Use a cipher suite greater than 128 bits, AES or 3DES.

Note that the algorithm <cipher_suite> syntax is only available when the sslvpn-enable attribute is set to enable.

Additional configuration options
Beyond the basics of setting up the SSL VPN, you can configure a number of other options that can help to ensure your internal network is secure and can limit the possibility of attacks and viruses entering the network from an outside source.

Routing in tunnel mode
If you are creating an SSL VPN connection in tunnel mode, you need to add a static route so that replies from the protected network can reach the remote SSL VPN client.

To add the tunnel mode route - web-based manager:
1. Go to Router > Static > Static Routes and select Create New. For low-end FortiGate units, go to System > Network > Routing and select Create New.
2. Enter the Destination IP/Mask of the tunnel IP address that you assigned to the users of the web portal.
3. Select the SSL VPN virtual interface for the Device.
4. Select OK.

To add the tunnel mode route - CLI:
If you assigned 10.11.254.0/24 as the tunnel IP range, you would enter:
config router static
    edit <id>
        set device ssl.root
        set dst 10.11.254.0/24
    next
end

Changing the port number for web portal connections
You can specify a different TCP port number for users to access the web portal login page through the HTTPS link. By default, the port number is 443 and users can access the web portal login page using the following default URL:
https://<FortiGate_IP_address>:443/remote/login
where <FortiGate_IP_address> is the IP address of the FortiGate interface that accepts connections from remote users.

To change the SSL VPN port - web-based manager:
1. If Current VDOM appears at the bottom left of the screen, select Global from the list of VDOMs.
2. Go to VPN > SSL > Settings.
3. Type an unused port number in the Listen on Port field and select Apply.

To change the SSL VPN port - CLI:
This is a global setting. For example, to set the SSL VPN port to 10443, enter:
config global
    config system global
        set sslvpn-sport 10443
    end
end

SSL offloading
To configure SSL offloading, which allows or denies client renegotiation, you must use the CLI. This helps to resolve the issues that affect all SSL and TLS servers that support renegotiation, identified by the Common Vulnerabilities and Exposures system in CVE-2009-3555. The SSL offloading renegotiation feature is considered a workaround until the IETF permanently resolves the issue.

The CLI command is ssl-client-renegotiation and is found under the config firewall vip syntax.

Host check
When you enable AV, FW, or AV-FW host checking in the web portal Security Control settings, each client is checked for security software that is recognized by the Windows Security Center. As an alternative, you can create a custom host check that looks for security software selected from the Host Check list. For more information, see Portal configuration on page 20.

The Host Check list includes default entries for many security software products.

Host integrity checking is only possible with client computers running Microsoft Windows platforms.

To configure host checking - CLI:
To configure the full-access portal to check for AV and firewall software on client Windows computers, you would enter the following:
config vpn ssl web portal
    edit full-access
        set host-check av-fw
    next
end

To configure the full-access portal to perform a custom host check for FortiClient Host Security AV and firewall software, you would enter the following:
config vpn ssl web portal
    edit full-access
        set host-check custom
        set host-check-policy FortiClient-AV FortiClient-FW
    next
end

Replacing the host check error message
You can add your own host security check error message using either the web-based manager or the CLI. The default message reads: "Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface."

To replace the host check error message - web-based manager:
1. Navigate to System > Config > Replacement Messages and select Extended View in the upper right corner.
2. Scroll down to SSL VPN and select Hostcheck Error Message.
3. Edit the text in the right-hand column below and select Save. If you are unhappy with the new message, you can restore the message to its default by selecting Restore Default instead of Save.

To replace the host check error message - CLI:
Configure the host check error message using the following command.
config system replacemsg sslvpn hostcheck-error

Creating a custom host check list
You can add your own software requirements to the host check list using the CLI. Host integrity checking is only possible with client computers running Microsoft Windows platforms. Enter the following commands:
config vpn ssl web host-check-software
    edit <software_name>
        set guid <guid_value>
        set type <av | fw>
        set version <version_number>
    next
end

If known, enter the Globally Unique Identifier (GUID) for the host check application. Windows uses GUIDs to identify applications in the Windows Registry. The GUID can be found in the Windows registry in the HKEY_CLASSES_ROOT section. To obtain the exact versioning, in Windows, right-click on the .EXE file of the application and select Properties, then select the Version tab.

Windows OS check
The Windows patch check enables you to define the minimum Windows version and patch level allowed when connecting to the SSL VPN portal. When the user attempts to connect to the web portal, FortiOS performs a query on the version of Windows the user has installed. If it does not match the minimum requirement, the connection is denied. The Windows patch check is configured in the CLI.

To specify the acceptable patch level, you set the latest-patch-level and the tolerance. The lowest acceptable patch level is latest-patch-level minus tolerance. In this case, latest-patch-level is 3 and tolerance is 1, so 2 is the lowest acceptable patch level.

The following example shows you how to add an OS check to the 'g1portal' web portal. This OS check accepts all Windows XP users and Windows 2000 users running patch level 3.
config vpn ssl web portal
    edit g1portal
        set os-check enable
        config os-check-list windows-2000
            set action check-up-to-date
            set latest-patch-level 3
            set tolerance 1
        end
        config os-check-list windows-xp
            set action allow
        end
    next
end

the client browser cache may retain some information. but you can use a registry value to detect the firewall status. 35 . the following registry value will be set to 1: l l KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ FirewallPolicy\StandardProfile ValueName: EnableFirewall In FortiOS. use the registry-value-check feature to define the Windows Firewall software by entering the following in the CLI: config vpn ssl web host-check-software edit "Microsoft-Windows-Firewall" config check-item-list edit 1 set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\Firewall Policy\\StandardProfile:EnableFirewall==1" set type registry next edit 2 set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\Firewall Policy\\PublicProfile:EnableFirewall==1" set type registry next edit 3 set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\Firewall Policy\\DomainProfile:EnableFirewall==1" set type registry next end set type fw next set host-check custom set host-check-policy Microsoft-Windows-Firewall Configuring cache cleaning When the SSL VPN session ends. If Windows firewall is on. cache cleaning clears this information just before the SSL VPN session ends.2 Fortinet Technologies Inc. To enhance security. SSL VPN for FortiOS 5.Additional configuration options Basic configuration set tolerance 1 end config os-check-list windows-xp set action allow end end Host check for Windows firewall The Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2.
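The following is an added example (not Fortinet code) that models the two host checks described above, so the patch-level arithmetic and the registry check-item targets can be tried against a sample client posture: the Windows OS check (action allow, check-up-to-date or deny with latest-patch-level and tolerance) and the registry-value-check targets used for the Windows Firewall check. The client posture and registry snapshot are constructed sample data; treating a Windows version that has no os-check-list entry as unchecked, and requiring every check item to match, are assumptions of this model, not statements from the handbook.

```python
"""Model of FortiOS SSL VPN os-check-list and registry-value-check logic.

Added example, not Fortinet code. All client data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class OsCheckEntry:
    """One os-check-list entry: action allow | check-up-to-date | deny."""
    action: str
    latest_patch_level: Optional[int] = None  # None models 'disable'
    tolerance: int = 0

    def lowest_accepted(self) -> Optional[int]:
        # Page rule: lowest acceptable patch level = latest-patch-level - tolerance.
        if self.latest_patch_level is None:
            return None
        return max(0, self.latest_patch_level - self.tolerance)


def evaluate_os_check(os_check_list: Dict[str, OsCheckEntry],
                      client_os: str, patch_level: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for a client reporting client_os/patch_level.

    Assumption (not stated on the page): a Windows version with no entry is
    not checked and is therefore allowed.
    """
    entry = os_check_list.get(client_os)
    if entry is None:
        return True, f"{client_os}: no os-check-list entry, not checked"
    if entry.action == "allow":
        return True, f"{client_os}: action allow"
    if entry.action == "deny":
        return False, f"{client_os}: action deny"
    if entry.action == "check-up-to-date":
        lowest = entry.lowest_accepted()
        if lowest is None:
            return True, f"{client_os}: patch-level check disabled"
        if patch_level >= lowest:
            return True, f"{client_os}: patch level {patch_level} >= {lowest}"
        return False, f"{client_os}: patch level {patch_level} < {lowest}"
    raise ValueError(f"unknown action {entry.action!r}")


# Constructed os-check-list matching the g1portal example above.
G1PORTAL_OS_CHECK = {
    "windows-2000": OsCheckEntry("check-up-to-date", latest_patch_level=3, tolerance=1),
    "windows-xp": OsCheckEntry("allow"),
}

# A check-item target looks like "<key path>:<value name>==<expected>".
TARGET_RE = re.compile(r"^(?P<key>[^:]+):(?P<value>[^=]+)==(?P<expected>.+)$")

FW_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
FIREWALL_PROFILES = ("StandardProfile", "PublicProfile", "DomainProfile")
# The three targets of the Microsoft-Windows-Firewall example (single backslashes
# here; the FortiOS CLI string escapes them as "\\").
FIREWALL_TARGETS = [f"{FW_KEY}\\{p}:EnableFirewall==1" for p in FIREWALL_PROFILES]


def parse_registry_target(target: str) -> Tuple[str, str, str]:
    """Split a target into (key path, value name, expected value)."""
    m = TARGET_RE.match(target)
    if not m:
        raise ValueError(f"malformed registry target: {target!r}")
    return m["key"], m["value"], m["expected"]


def sample_registry(enabled: Dict[str, int]) -> Dict[Tuple[str, str], str]:
    """Constructed registry snapshot: profile name -> EnableFirewall value.

    Keys are case-folded because Windows registry names are case-insensitive.
    """
    return {(f"{FW_KEY}\\{p}".casefold(), "enablefirewall"): str(v)
            for p, v in enabled.items()}


def evaluate_registry_items(targets: List[str],
                            registry: Dict[Tuple[str, str], str]) -> Tuple[bool, List[str]]:
    """Assumption: every check item must match for the host check to pass."""
    failures = []
    for target in targets:
        key, name, expected = parse_registry_target(target)
        actual = registry.get((key.casefold(), name.casefold()))
        if actual is None or actual != expected:
            failures.append(f"{key}:{name} is {actual!r}, expected {expected}")
    return not failures, failures


if __name__ == "__main__":
    for os_name, patch in [("windows-2000", 2), ("windows-2000", 1), ("windows-xp", 0)]:
        print(evaluate_os_check(G1PORTAL_OS_CHECK, os_name, patch))
    # Public profile firewall off: the custom host check fails on item 2.
    snapshot = sample_registry({"StandardProfile": 1, "PublicProfile": 0, "DomainProfile": 1})
    print(evaluate_registry_items(FIREWALL_TARGETS, snapshot))
```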

The cache cleaner is effective only if the session terminates normally. The cache is not cleaned if the session ends due to a malfunction, such as a power failure. Cache cleaning requires a browser plugin. If the plugin is not present, it is automatically downloaded to the client computer.

To enable cache cleaning
To enable cache cleaning on the full-access portal, you would enter:

    config vpn ssl web portal
      edit full-access
        set cache-cleaner enable
    end

Configuring virtual desktop
Available for 32-bit Windows XP, Windows Vista, and Windows 7 client PCs, the virtual desktop feature completely isolates the SSL VPN session from the client computer’s desktop environment. When the user starts an SSL VPN session that has virtual desktop enabled, the virtual desktop replaces the user’s normal desktop. When the virtual desktop exits, the user’s normal desktop is restored. All data is encrypted, including cached user credentials, browser history, cookies, temporary files, and user files created during the session. When the SSL VPN session ends normally, the files are deleted. If the session ends due to a malfunction, files might remain, but they are encrypted so that the information is protected.

It should be noted that virtual desktop was only tested on Internet Explorer 8.0 and may not work on newer browsers. Furthermore, there are currently no plans to update virtual desktop support for newer browsers.

Virtual desktop requires the Fortinet cache cleaner plugin. If the user does not have the plugin, it automatically downloads to the client computer.

To enable virtual desktop:
To enable virtual desktop on the full-access portal and apply the application control list ‘List1’, you would enter:

    config vpn ssl web portal
      edit full-access
        set virtual-desktop enable
        set virtual-desktop-app-list List1
    end

Configuring virtual desktop application control
You can control which applications users can run on their virtual desktop. To do this, you create an Application Control List of either allowed or blocked applications. Configure the application control list in the CLI. When you configure the web portal, you select the list to use.

To create an Application Control List - CLI:
If you want to add ‘BannedApp’ to ‘List1’, you would enter:

    config vpn ssl web virtual-desktop-app-list
      edit "List1"
        set action block
        config apps
          edit "BannedApp"
            set md5s "06321103A343B04DF9283B80D1E00F6B"
        end
    end

Configuring client OS Check
The SSL VPN client OS Check feature can determine if clients are running the Windows 2000, Windows XP, Windows Vista or Windows 7 operating system. The OS Check has no effect on clients running other operating systems. You can configure the OS Check to do any of the following:
- Allow the client access.
- Allow the client access only if the operating system has been updated to a specified patch (service pack) version.
- Deny the client access.

To configure OS Check:
OS Check is configurable only in the CLI.

    config vpn ssl web portal
      edit <portal_name>
        set os-check enable
        config os-check-list {windows-2000 | windows-xp | windows-vista | windows-7}
          set action {allow | check-up-to-date | deny}
          set latest-patch-level {disable | 0 - 255}
          set tolerance {tolerance_num}
        end
    end

Adding WINS and DNS services for clients
You can specify the WINS or DNS servers that are made available to SSL-VPN clients. DNS servers provide the IP addresses that browsers need to access web sites. If SSL VPN users will access intranet sites using URLs, you need to provide them access to the intranet’s DNS server. For Internet sites, you can specify the DNS server that your FortiGate unit uses. You specify a primary and a secondary DNS server. A WINS server provides IP addresses for named servers in a Windows domain. If SSL VPN users will access a Windows network, you need to provide them access to the domain WINS server. You specify a primary and a secondary WINS server.

To specify WINS and DNS services for clients - web-based manager:
1. Go to VPN > SSL > Settings.
2. Enter the IP addresses of DNS servers in the DNS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
3. Select Specify WINS Servers, and enter the IP addresses of WINS servers in the WINS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
4. Select Apply.

To specify WINS and DNS services for clients - CLI:

    config vpn ssl settings
      set dns-server1 <address_ipv4>
      set dns-server2 <address_ipv4>
      set wins-server1 <address_ipv4>
      set wins-server2 <address_ipv4>
    end

Setting the idle timeout setting
The idle timeout setting controls how long the connection can remain idle before the system forces the remote user to log in again. The valid range is from 10 to 28800 seconds. Set the timeout value to 0 to disable idle timeouts. For security, keep the default value of 5000 seconds or less.

To set the idle timeout - web-based manager:
1. Go to VPN > SSL > Settings.
2. In the Idle Logout field, enter the timeout value.
3. Select Apply.

To set the idle timeout - CLI:

    config vpn ssl settings
      set idle-timeout <seconds_int>
    end

SSL VPN logs
Logging is available for SSL VPN traffic so you can monitor users connected to the FortiGate unit and their activity. For more information on configuring logs on the FortiGate unit, see the Logging and Reporting Guide.

To enable logging of SSL VPN events - web-based manager:
1. Go to Log & Report > Log Config > Log Settings.
2. Enable Event Logging, and select VPN activity event.
3. Select Apply.

To view the SSL VPN log data, in the web-based manager, go to Log & Report and select either the Event Log or Traffic Log. In event log entries, look for the sub-types “sslvpn-session” and “sslvpn-user”. For information about how to interpret log messages, see the FortiGate Log Message Reference.

Monitoring active SSL VPN sessions
You can go to User & Device > Monitor to view a list of active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time the connection was made. You can also see which services are being provided, and delete an active web session from the FortiGate unit.

To monitor SSL VPNs - web-based manager:
To view the list of active SSL VPN sessions, go to VPN > Monitor > SSL-VPN Monitor. When a tunnel-mode user is connected, the Description field displays the IP address that the FortiGate unit assigned to the remote host. If required, you can end a session/connection by selecting its checkbox and then clicking the Delete icon.

Troubleshooting
Here is a list of common SSL VPN problems and the likely solutions:

No response from SSL VPN URL
    Check SSL VPN port assignment (default 10443). Verify the SSL VPN security policy.

Error: “The web page cannot be found.”
    Check the URL: https://<FortiGate_IP>:<SSLVPN_port>/remote/login

Tunnel connects, but there is no communication.
    Check that there is a static route to direct packets destined for the tunnel users to the SSL VPN interface. See Routing for tunnel mode on page 28.

Tunnel-mode connection shuts down after a few seconds
    This issue occurs when there are multiple interfaces connected to the Internet, for example, a dual WAN configuration. Upgrade to the latest firmware, then use the following CLI command:

        config vpn ssl settings
          set route-source-interface enable
        end

Error: “Destination address of Split Tunneling policy is invalid.”
    The SSL VPN security policy uses the ALL address as its destination. Specify the address of the protected network instead.

When trying to log in to the web portal, login and password are entered and the login page will be sent back. When trying to connect using FortiClient the error message “Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12)” appears.
    Access to the web portal or tunnel will fail if Internet Explorer has the privacy Internet Options set to High. If set to High, Internet Explorer will block cookies that do not have a compact privacy policy, and will block cookies that use personally identifiable information without your explicit consent. Cookies must be enabled for SSL VPN to function in Web portal or with FortiClient.

When the application starts, it presents a ‘virtual desktop’ to the user. The virtual desktop application creates a virtual desktop on a user's PC and monitors the data read/write activity of the web browser running inside the virtual desktop. The user starts the web browser from within the virtual desktop and connects to the SSL VPN web portal. The browser file/directory operation is redirected to a new location, and the data is encrypted before it is written to the local disk. When the virtual desktop application exits normally, the encrypted data is removed. If the session terminates abnormally (power loss, system failure, etc.), the data left behind is encrypted and unusable to the user. The next time you start the virtual desktop, all the data written to the disk is removed.

The SSL VPN client
The remote client connects to the SSL VPN tunnel in various ways, depending on the VPN configuration.
- Web mode requires nothing more than a web browser. Microsoft Internet Explorer, Firefox, and Apple Safari browsers are supported. For detailed information about supported browsers, see Web-only mode on page 9.
- Tunnel mode establishes a connection to the remote protected network that any application can use. If the client computer runs Microsoft Windows, they can download the tunnel mode client from the web portal Tunnel Mode widget. After installing the client, they can start and stop tunnel operation from the Tunnel Mode widget, or open the tunnel mode client as a standalone application. If the client computer runs Linux or Mac OS X, the user needs to download the tunnel mode client application from the Fortinet Support web site. On Linux and Mac OS X platforms, tunnel mode operation cannot be initiated from the web portal Tunnel Mode widget. The remote user must use the standalone tunnel client application.
- See the Release Notes for your FortiOS firmware for the specific operating system versions that are supported.

FortiClient
Remote users can use the FortiClient software to initiate an SSL VPN tunnel to connect to the internal network. FortiClient uses local port TCP 1024 to initiate an SSL encrypted connection to the FortiGate unit, on port TCP 443. When connecting using FortiClient, the FortiGate unit authenticates the FortiClient SSL VPN request based on the user group options. The FortiGate unit establishes a tunnel with the client and assigns a virtual IP address to the client PC. Once the tunnel has been established, the user can access the network behind the FortiGate unit.

FortiClient software is available for download at www.forticlient.com and is available for Windows, Mac OS X, Apple iOS, and Android.

Tunnel mode client configuration
The FortiClient SSL VPN tunnel client requires basic configuration by the remote user to connect to the SSL VPN tunnel. The tunnel mode client is available on the Start menu at All Programs > FortiClient > FortiClient SSL VPN. When distributing the FortiClient software, provide the following information for the remote user to enter once the client software has been started. Once entered, they can select Connect to begin an SSL VPN session.

Connection Name
    If you have pre-configured the connection settings, select the connection from the list and then select Connect. Otherwise, enter the settings in the fields below.

Remote Gateway
    Enter the IP address or FQDN of the FortiGate unit that hosts the SSL VPN.
Username
    Enter your username.
Client Certificate
    Use this field if the SSL VPN requires a certificate for authentication. Select the required certificate from the drop-down list. The certificate must be installed in the Internet Explorer certificate store.

The SSL VPN web portal
This chapter explains how to use and configure the web portal features. This chapter is written for end users as well as administrators. The following topics are included:
- Connecting to the FortiGate unit
- Web portal overview
- Portal configuration
- Using the My Bookmarks widget
- Using the Connection Tool
- Tunnel-mode features
- Using the SSL VPN virtual desktop
- Using FortiClient

Connecting to the FortiGate unit
You can connect to the FortiGate unit using a web browser. The URL of the FortiGate interface may vary from one installation to the next. If required, ask your FortiGate administrator for the URL of the FortiGate unit, and obtain a user name and password. In addition, if you will be using a personal or group security (X.509) certificate to connect to the FortiGate unit, your web browser may prompt you for the name of the certificate. Your FortiGate administrator can tell you which certificate to select.

You can connect to the web portal using an Android phone, iPhone, or iPad. The FortiGate unit will display the content of the portal to fit the device’s screen.

To log into the secure FortiGate HTTP gateway
1. Using the web browser on your computer, browse to the URL of the FortiGate unit (for example, https://<FortiGate_IP_address>:443/remote/login). The FortiGate unit may offer you a self-signed security certificate. If you are prompted to proceed, select Yes. A second message may be displayed to inform you that the FortiGate certificate distinguished name differs from the original request. You can ignore the message. This message is displayed because the FortiGate unit is attempting to redirect your web browser connection.
2. When you are prompted for your user name and password:
   - In the Name field, type your user name.
   - In the Password field, type your password.
3. Select Login.
The FortiGate unit will redirect your web browser to the FortiGate SSL VPN web portal home page automatically.

Web portal overview
After you log in, you see a web portal page like the following:

[Figure: FortiGate SSL VPN web portal page]

Six “widgets” provide the web portal’s features:
- Session Information displays the elapsed time since login and the volume of HTTP and HTTPS traffic, both inbound and outbound.
- My Bookmarks provides links to network resources. You can use the administrator-defined bookmarks and you can add your own bookmarks. See Using the My Bookmarks widget on page 50.
- Connection Tool enables you to connect to network resources without using or creating a bookmark.
- Tunnel Mode connects and disconnects the tunnel mode SSL connection to the FortiGate unit. Tunnel mode requires a downloadable client application. If your computer is running Microsoft Windows, the Tunnel Mode widget provides a download link if you need to install the client on your computer. If you are using Macintosh or Linux, you can obtain and install an appropriate client application from the Fortinet Support site. While the tunnel is active, the widget displays the amount of data that is sent and received. For more information, see Tunnel-mode features on page 56.
- Remote Desktop provides access to preconfigured remote desktop environments.
- FortiClient Download provides access to the FortiClient tunnel application for various operating systems.

Depending on the web portal configuration and user group settings, some widgets might not be present. For example, the predefined web-access portal contains only the Session Information and Bookmarks widgets.

While using the web portal, you can select the Help button to get information to assist you in using the portal features. This information displays in a separate browser window. When you have finished using the web portal, select the Logout button in the top right corner of the portal window.

Portal configuration
The SSL VPN Service portal enables users to access network resources through a secure channel using a web browser. Fortinet administrators can configure log in privileges for system users and which network resources are available to the users. Both the system administrator and the user have the ability to customize the SSL VPN portal. The portal configuration determines what the user sees when they log in to the portal.

There are three pre-defined default web portal configurations available:
- full-access: Includes all widgets available to the user - Session Information, Connection Tool, Remote Desktop, Tunnel Mode, FortiClient Download, and My Bookmarks.
- tunnel-access: Includes Session Information and Tunnel Mode widgets.
- web-access: Includes Session Information and My Bookmarks widgets.

You can also create your own web portal to meet your corporate requirements. After making any changes to the web portal configuration, be sure to select Apply.

This topic includes the following:
- Portal settings
- Portal widgets

Portal page
Create New
    Creates a new web portal.
Edit
    Select a portal from the list to enable the Edit option, and modify the portal configuration.
Delete
    Removes a portal configuration. To remove multiple portals from the list, select the check box beside the portal names, then select Delete.
Name
    The name of the web portal.

Ref.
    Displays the number of times the object is referenced in other configurations on the FortiGate unit, such as security policies. To view the location of the referenced object, select the number in Ref. column. To view more information about how the object is used, select one of:
    - View the list page for these objects – automatically redirects you to the list page where the object is referenced at.
    - Edit this object – modifies settings within that particular setting that the object is referenced with.
    - View the details for this object – similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with.

Portal Settings page
Edit Settings window
    Provides general, virtual desktop and security control settings for the SSL VPN Service portal page. This window appears when you select Settings. This window also appears whenever you select Create New and are automatically redirected to the Portal Settings page. See Portal configuration on page 45.
Settings
    Select to edit the settings for the SSL VPN web portal. For more information, see Portal settings on page 47.
Add Widget
    Select to add a new widget to the page.
Widgets
    The widgets that will appear on the SSL VPN Service page. You can add widgets from the Add Widgets drop-down list. For more information, see Portal widgets on page 48.
Session Information
    Displays basic information of the current session of the logged in user. For more information, see Session Information on page 48.
Bookmarks
    Displays configured bookmarks, allows for the addition of new bookmarks and editing of existing bookmarks. For more information, see Bookmarks on page 49.
Connection Tool
    Enter the URL or IP address for a connection tool application/server (selected when configuring the Connection Tool). You can also check connectivity to a host or server on the network behind the unit by selecting the Type Ping. For more information, see Connection Tool on page 49.
Tunnel Mode
    Displays tunnel information and actions in user mode. The administrator can configure a split-tunneling option. For more information, see Tunnel Mode on page 49.

Portal settings
A web portal defines SSL VPN user access to network resources. The portal configuration determines what SSL VPN users see when they log in to the unit. Both the Fortinet administrator and the SSL VPN user have the ability to customize the web portal settings. Portal settings are configured in VPN > SSL > Portals.

The Settings Window provides settings for configuring general, virtual desktop and security console options for your web portal. The virtual desktop options, available for Windows XP and Windows Vista client PCs, are configured to completely isolate the SSL VPN session from the client computer’s desktop environment.

Security control options provide cache cleaning and host checking to the clients of your web portal. Cache cleaning clears information from the client browser cache just before the SSL VPN session ends. The cache cleaner is effective only if the session terminates normally. The cache is not cleaned if the session ends unexpectedly. Host checking enforces the client’s use of antivirus or firewall software. Each client is checked for security software that is recognized by the Windows Security Center. As an alternative, you can create a custom host check that looks for specific security software selected from the Host Check list. For more information, see Host check on page 33.

Edit Settings Window
General tab
Name
    Enter a name for the web portal configuration.
Portal Message
    Enter the caption that appears at the top of the web portal home page when the user logs in.
Theme
    Select the color scheme for the web portal home page.
Page Layout
    Select the one or two page column format for the web portal home page.
Redirect URL
    Enter the URL that the web portal displays when the web portal home page is displayed.
Applications
    Select the server applications or network services clients can use.
Virtual Desktop tab
Enable Virtual Desktop
    Select to enable the virtual desktop. Virtual desktop requires the Fortinet host check plugin. If the plugin is not present, it is automatically downloaded to the client computer. All data is encrypted, including cached user credentials, browser history, cookies, temporary files, and user files created during the session. When the SSL VPN session ends normally, the files are deleted. If the session ends unexpectedly, any files that may remain will be encrypted.

Application Control List
    Select a virtual desktop application list from the drop-down list.
Allow switching between virtual desktop and regular desktop
    Select to allow users to switch between the virtual desktop, and their regular desktop.
Allow clipboard contents to be shared with regular desktop
    Select to allow users access to the clipboard contents when they are using the regular desktop.
Allow use of removable media
    Select to allow users to access removable media.
Allow network share access
    Select to allow users to have access to network resources.
Allow printing
    Select to allow users to print from the virtual desktop.
Quit the virtual desktop and logout session when browser is closed
    Select to have the virtual desktop close and log the user out of the current session whenever the browser is closed.
Security Control tab
Clean Cache
    Select to have the unit remove residual information from the remote client computer just before the SSL VPN session closes.
Host Check
    Select any host checking that is required before the user can log into the portal. Host checks will verify if the user has the required antivirus software or applications. If the user does not, the log in will be denied. For more information, see Host check on page 33.
Policy
    This is available when the Host Check selection is Custom. Select the specific host check software to look for. Select Edit to modify the policy settings.
Interval
    Enter how often to recheck the host for updates and changes in seconds.

Portal widgets
Portal widgets hold the content that the user logging into the portal will see.

Session Information
The Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.

Bookmarks
Bookmarks are used as links to specific resources on the network. When a bookmark is selected from a bookmark list, a pop-up window appears with the requested web page. FTP and Samba replace the bookmarks page with an HTML file-browser. Telnet, VNC, and RDP all pop up a window that requires a browser plug-in.

A web bookmark can include login credentials to automatically log the SSL VPN user into the web site. When the administrator configures bookmarks, the web site credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the web site.

Connection Tool
Use the Connection Tool widget to connect to a network resource without adding a bookmark to the bookmark list. You select the type of resource and specify the URL or IP address of the host computer.

Tunnel Mode
If your web portal provides tunnel mode access, you need to configure the Tunnel Mode widget. These settings determine how tunnel mode clients are assigned IP addresses. You can also enable a split tunneling configuration so that the VPN carries only the traffic for the networks behind the unit. The user’s other traffic follows its normal route.

Applications available in the web portal
Depending on the web portal configuration and user group settings, one or more of the following server applications are available to you through Bookmarks or the Connection Tool:
- HTTP/HTTPS accesses web pages.
- Telnet (Teletype Network emulation) enables you to use your computer as a virtual text-only terminal to log in to a remote host.
- FTP (File Transfer Protocol) enables you to transfer files between your computer and a remote host.
- SMB/CIFS implements the Server Message Block (SMB) protocol to support file sharing between your computer and a remote server host. Windows file sharing through SMB/CIFS is supported through shared directories.
- VNC (Virtual Network Computing) enables you to remotely control another computer, for example, accessing your work computer from your home computer.
- RDP (Remote Desktop Protocol), similar to VNC, enables you to remotely control a computer running Microsoft Terminal Services.
- SSH (Secure Shell) enables you to exchange data between two computers using a secure channel.
- Ping enables you to test whether a particular server or host is reachable on the network.

Some server applications may prompt you for a user name and password. You must have a user account created by the server administrator so that you can log in.

Using the My Bookmarks widget
The My Bookmarks widget shows both administrator-configured and user-configured bookmarks. Administrator bookmarks cannot be altered but you can add, edit or delete user bookmarks. For more information, see Adding bookmarks on page 50.

[Figure: My Bookmarks widget]

The FortiGate unit forwards client requests to servers on the Internet or internal network. To use the web-portal applications, you add the URL, IP address, or name of the server application to the My Bookmarks list. Afterward, select any hyperlink from the Bookmarks list to initiate a session. If you want to access a web server or telnet server without first adding a bookmark to the My Bookmarks list, use the Connection Tool instead. For more information, see Using the Connection Tool on page 51.

Adding bookmarks
You can add frequently used connections as bookmarks.

To add a bookmark
1. In the Bookmarks widget, select Add.
2. Enter the following information:
Name
    Enter the name to display in the Bookmarks list.
Type
    Select the abbreviated name of the server application or network service from the drop-down list.
Location
    Enter the IP address or FQDN of the server application or network service. For RDP connections, you can append some parameters to control screen size and keyboard layout. See To start an RDP session on page 54.

Description
    Optionally enter a short description. The description displays when you pause the mouse pointer over the hyperlink.
SSO
    Single Sign On (SSO) is available for HTTP/HTTPS bookmarks only.
    Disabled — This is not an SSO bookmark.
    Automatic — Use your SSL VPN credentials or an alternate set. See the SSO Credentials field.
    Static — Supply credentials and other required information (such as an account number) to a web site that uses an HTML form for authentication. You provide a list of the form field names and the values to enter into them. This method does not work for sites that use HTTP authentication, in which the browser opens a pop-up dialog box requesting credentials.
SSO fields
SSO Credentials
    SSL VPN Login — Use your SSL VPN login credentials.
    Alternative — Enter Username and Password below.
Username
    Alternative username. Available if SSO Credentials is Alternative.
Password
    Alternative password. Available if SSO Credentials is Alternative.
Static SSO fields
    These fields are available if SSO is Static.
Field Name
    Enter the field name, as it appears in the HTML form.
Value
    Enter the field value. To use the values from SSO Credentials, enter %passwd% for password or %username% for username.
Add
    Add another Field Name / Value pair.
3. Select OK and then select Done.

Using the Connection Tool
You can connect to any type of server without adding a bookmark to the My Bookmarks list. The fields in the Connection Tool enable you to specify the type of server and the URL or IP address of the host computer. See the following procedures:
- To connect to a web server on page 52
- To ping a host or server behind the FortiGate unit on page 52
- To start a Telnet session on page 52
- To start an FTP session on page 53

• To start an SMB/CIFS session on page 53
• To start an SSH session on page 54
• To start an RDP session on page 54
• To start a VNC session on page 55

Except for ping, these services require that you have an account on the server to which you connect.

When you use the Connection Tool, the FortiGate unit may offer you its self-signed security certificate. Select Yes to proceed. A second message may be displayed to inform you of a host name mismatch. This message is displayed because the FortiGate unit is attempting to redirect your web browser connection. Select Yes to proceed.

To connect to a web server
1. In Type, select HTTP/HTTPS.
2. In the Host field, type the URL of the web server. For example: http://www.mywebexample.com or https://172.20.120.101
3. Select Go.
4. To end the session, close the browser window.

To ping a host or server behind the FortiGate unit
1. In Type, select Ping.
2. In the Host field, enter the IP address of the host or server that you want to reach. For example: 10.11.101.22
3. Select Go. A message stating whether the IP address can be reached or not is displayed.

To start a Telnet session
1. In Type, select Telnet.
2. In the Host field, type the IP address of the telnet host. For example: 10.11.101.12
3. Select Go. A Telnet window opens.
4. Select Connect. A telnet session starts and you are prompted to log in to the remote host.
5. After you log in, you may enter any series of valid telnet commands at the system prompt.
6. To end the session, select Disconnect (or type exit) and then close the TELNET connection window.

To start an FTP session
1. In Type, select FTP.
2. In the Host field, type the IP address of the FTP server. For example: 10.11.101.12
3. Select Go. A login window opens.
4. Enter your user name and password and then select Login. You must have a user account on the remote host to log in.
5. Manipulate the files in any of the following ways:
   • To download a file, select the file link in the Name column.
   • To access a subdirectory (Type is Folder), select the link in the Name column.
   • When the current directory is a subdirectory, you can select Up to access the parent directory.
   • To delete a file or subdirectory from the current directory, select its Delete icon.
   • To create a subdirectory in the current directory, select New Directory.
   • To rename a file in the current directory, select its Rename icon.
   • To upload a file from your client computer to the current directory, select Upload.
6. To end the FTP session, select Logout.

To start an SMB/CIFS session
1. In Type, select SMB/CIFS.
2. In the Host field, type the IP address of the SMB or CIFS server. For example: 10.11.101.12
3. Select Go. A login window opens.
4. Enter your user name and password and then select Login. You must have a user account on the remote host to log in.
5. Manipulate the files in any of the following ways:
   • To download a file, select the file link in the Name column.
   • To access a subdirectory (Type is Folder), select the file link in the Name column.
   • When the current directory is a subdirectory, you can select Up to access the parent directory.
   • To delete a file or subdirectory from the current directory, select its Delete icon.
   • To create a subdirectory in the current directory, select New directory.
   • To rename a file, select its Rename icon.
   • To upload a file to the current directory from your client computer, select Upload.
6. To end the SMB/CIFS session, select Logout and then close the SMB/CIFS window.

To start an SSH session
1. In Type, select SSH.
2. In the Host field, type the IP address of the SSH host. For example: 10.11.101.12
3. Select Go. A login window opens.
4. Select Connect. An SSH session starts and you are prompted to log in to the remote host. You must have a user account on the remote host to log in.
5. After you log in, you may enter any series of valid commands at the system prompt.
6. To end the session, select Disconnect (or type exit) and then close the SSH connection window.

To start an RDP session
1. In Type, select RDP.
2. In the Host field, type the IP address of the RDP host. For example: 10.11.101.12
3. Optionally, you can specify additional options for RDP by adding them to the Host field following the host address. For example, to use a French language keyboard layout you would add the -m parameter: 10.11.101.12 -m fr. See RDP options on page 54 for information about the available options.
4. Select Go. A login window opens.
5. When you see a screen configuration dialog, click OK. The screen configuration dialog does not appear if you specified the screen resolution with the host address.
6. When you are prompted to log in to the remote host, type your user name and password. You must have a user account to log in.
7. Select Login.
8. If you need to send Ctrl-Alt-Delete in your session, use Ctrl-Alt-End.
To end the RDP session, log out of Windows or select Cancel from the Logon window.

RDP options
When you specify the RDP server address, you can also specify other options for your remote desktop session.

For example: 10. In Type. select VNC .2 Fortinet Technologies Inc. The supported values of <locale> are: ar da de de-ch en-gb en-uk en-us es fi fr fr-be fr-ca fr-ch hr hu Arabic Danish German Swiss German British English UK English US English Spanish Finnish French Belgian French Canadian French Swiss French Croatian Hungarian it ja lt lv mk no pl pt pt-br ru sl sv tk tr Italian Japanese Lithuanian Latvian Macedonian Norwegian Polish Portuguese Brazilian Portuguese Russian Slovenian Sudanese Turkmen Turkish To start a VNC session 1. 2. type the IP address of the VNC host. instead of entering them after the connection is established. Select Go. -u <user name> -p <password> -d <domain> Locale/Keyboard -m <locale> Use this option if the remote computer might not use the same keyboard layout as your computer. 55 SSL VPN for FortiOS 5. Select the locale code that matches your computer. A login window opens. . In the Host field.12 3.The SSL VPN web portal Using the Connection Tool Screen resolution -f Use this command to make the RDP window full screen or a specific the window size. -g <width>x<height> Make RDP full-screen <width> and <height> are in pixels Example: -g 800x600 Authentication Use these options to send your authentication credentials with the connection request.101.11.

4. Type your user name and password when prompted to log in to the remote host. You must have a user account on the remote host to log in.
5. Select OK.
6. If you need to send Ctrl-Alt-Delete in your session, press F8, then select Send Ctrl-Alt-Delete from the pop-up menu.
To end the VNC session, close the VNC window.

Tunnel-mode features

For Windows users, the web portal Tunnel Mode widget provides controls for your tunnel mode connection and also provides status and statistics about its operation. You can also control and monitor tunnel mode operation from the standalone client application.

Fortinet SSL VPN Tunnel Mode widget
   Link Status       The state of the SSL VPN tunnel: Up — an SSL VPN tunnel with the FortiGate unit has been established. Down — a tunnel connection has not been initiated.
   Bytes Sent        The number of bytes of data transmitted from the client to the FortiGate unit since the tunnel was established.
   Bytes Received    The number of bytes of data received by the client from the FortiGate unit since the tunnel was established.
   Connect           Initiate a session and establish an SSL VPN tunnel with the FortiGate unit.
   Disconnect        End the session and close the tunnel to the FortiGate unit.
   Refresh           Refresh the status and statistics immediately.
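The Host-field option syntax described under RDP options above, as an added parser example (not FortiGate or FortiClient code): it accepts exactly the options the handbook lists and rejects anything else, so a front end can validate the field before the session starts. The function names and error texts are my own.

```python
"""Validate the Host field of an RDP bookmark or Connection Tool entry.

Added example, not FortiGate code. It accepts exactly the options the
handbook lists (-f, -g <w>x<h>, -u, -p, -d, -m <locale>) and rejects
anything else; the function and error texts are my own.
"""
import re
import shlex

# Locale codes as listed in the handbook's -m table.
SUPPORTED_LOCALES = {
    "ar", "da", "de", "de-ch", "en-gb", "en-uk", "en-us", "es", "fi", "fr",
    "fr-be", "fr-ca", "fr-ch", "hr", "hu", "it", "ja", "lt", "lv", "mk",
    "no", "pl", "pt", "pt-br", "ru", "sl", "sv", "tk", "tr",
}

# Options that take one value, mapped to the key used in the result.
OPTIONS_WITH_VALUE = {
    "-g": "geometry", "-u": "username", "-p": "password",
    "-d": "domain", "-m": "locale",
}

GEOMETRY_RE = re.compile(r"^(\d{1,5})x(\d{1,5})$")


class RdpHostError(ValueError):
    """The Host field does not follow the documented option syntax."""


def parse_rdp_host(field: str) -> dict:
    """Split '<host> [options]' into a dict.

    Keys: host (always), fullscreen (bool, always), and geometry as a
    (width, height) tuple, username, password, domain or locale when given.
    """
    tokens = shlex.split(field)
    if not tokens:
        raise RdpHostError("empty Host field")
    if tokens[0].startswith("-"):
        raise RdpHostError("Host field must start with the server address")
    result = {"host": tokens[0], "fullscreen": False}
    i = 1
    while i < len(tokens):
        opt = tokens[i]
        if opt == "-f":                       # flag, takes no value
            result["fullscreen"] = True
            i += 1
            continue
        if opt not in OPTIONS_WITH_VALUE:
            raise RdpHostError(f"unknown RDP option {opt!r}")
        if i + 1 >= len(tokens):
            raise RdpHostError(f"option {opt} requires a value")
        key, value = OPTIONS_WITH_VALUE[opt], tokens[i + 1]
        if key in result:
            raise RdpHostError(f"option {opt} given more than once")
        if key == "geometry":
            m = GEOMETRY_RE.match(value)
            if not m:
                raise RdpHostError("-g expects <width>x<height>, e.g. 800x600")
            value = (int(m.group(1)), int(m.group(2)))
        elif key == "locale" and value not in SUPPORTED_LOCALES:
            raise RdpHostError(f"unsupported locale {value!r}")
        result[key] = value
        i += 2
    return result


def rdp_host_error(field: str):
    """Return the validation message for a bad field, or None if it parses."""
    try:
        parse_rdp_host(field)
    except RdpHostError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, including the handbook's own "-m fr" example.
    for sample in ("10.11.101.12 -m fr", "10.11.101.12 -g 800x600 -u alice -d CORP",
                   "10.11.101.12 -m xx", "10.11.101.12 -z"):
        print(sample, "->", rdp_host_error(sample) or parse_rdp_host(sample))
```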

Using the SSL VPN virtual desktop

The virtual desktop feature is available for Windows only. When you start an SSL VPN session, the virtual desktop replaces your normal desktop, which has a Fortinet SSL VPN logo as wallpaper. You can use the virtual desktop just as you use your regular desktop, subject to the limitations that virtual desktop application control imposes. Virtual desktop information is encrypted so that no information from it remains available after your session ends.

To use the SSL VPN virtual desktop, simply log in to an SSL VPN that requires the use of the virtual desktop. Wait for the virtual desktop to initialize and replace your desktop with the SSL VPN desktop. Your web browser will open to the web portal page.

To see the web portal virtual desktop settings, right-click the SSL VPN Virtual Desktop icon in the taskbar and select Virtual Desktop Option.

If it is enabled in the web portal virtual desktop settings, you can switch between the virtual desktop and your regular desktop. Right-click the SSL VPN Virtual Desktop icon in the taskbar and select Switch Desktop.

When you have finished working with the virtual desktop, right-click the SSL VPN Virtual Desktop icon in the taskbar and select Exit. Select Yes to confirm. The virtual desktop closes and your regular desktop is restored.

Using FortiClient

Remote users can use FortiClient Endpoint Security to initiate an SSL VPN tunnel to connect to the internal network. FortiClient uses local port TCP 1024 to initiate an SSL encrypted connection to the FortiGate unit, on port TCP 10443. When connecting using FortiClient, the FortiGate unit authenticates the FortiClient SSL VPN request based on the user group options. The FortiGate unit establishes a tunnel with the client and assigns a virtual IP address to the client PC. Once the tunnel has been established, the user can access the network behind the FortiGate unit.

For information on configuring the FortiGate unit for SSL VPN connectivity, see Basic configuration on page 14. For details on configuring FortiClient for SSL VPN connections, see the FortiClient documentation.

Setup examples

The examples in this chapter demonstrate the basic configurations needed for common connections to the SSL VPN tunnel and portals. The examples included are:
• Secure Internet browsing
• Split Tunnel
• Multiple user groups with different access permissions

Secure Internet browsing

This example sets up an SSL VPN tunnel that provides remote users the ability to access the Internet while traveling, and ensures that they are not subject to malware and other dangers, by using the corporate firewall to filter all of their Internet traffic. Essentially, the remote user will connect to the corporate FortiGate unit to surf the Internet.

[Figure: Secure Internet browsing topology: Remote SSL VPN User logging in and browsing through the FortiGate Unit (wan1 172.20.120.136, ssl.root) to the Internet]

Using SSL VPN and FortiClient SSL VPN software, you create a means to use the corporate FortiGate to browse the Internet safely, applying the steps outlined in Basic configuration on page 14.

Creating an SSL VPN IP pool and SSL VPN web portal
1. Go to VPN > SSL > Portals and select tunnel-access.
2. For Source IP Pools select SSLVPN_TUNNEL_ADDR1.
3. Select OK.

Creating the SSL VPN user and user group
Create the SSL VPN user and add the user to a user group configured for SSL VPN use.
1. Go to User & Device > User > User Definition and select Create New to add the user:
   User Name    twhite
   Password     password
2. Select OK.
3. Go to User & Device > User > User Groups and select Create New to add twhite to a group called SSL VPN:
   Name    SSL VPN
   Type    Firewall
4. Move twhite to the Members list.
5. Select OK.

Creating a static route for the remote SSL VPN user
Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.
1. Go to Router > Static > Static Routes and select Create New to add the static route. For low-end FortiGate units, go to System > Network > Routing and select Create New.
   Destination IP/Mask    10.212.134.0/255.255.255.0
   Device                 ssl.root
   The Destination IP/Mask matches the network address of the remote SSL VPN user.
2. Select OK.

Creating security policies
Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Add an SSL VPN security policy as below, and click OK.

   Incoming Interface    wan1
   Source Address        all
   Outgoing Interface    ssl.root
3. Select Create New to add a security policy that allows remote SSL VPN users to connect to the Internet:
   Incoming Interface     ssl.root
   Source Address         all
   Outgoing Interface     wan1
   Destination Address    all
   Schedule               always
   Service                ALL
   Action                 ACCEPT
4. Select OK.

Configuring authentication rules
1. Go to VPN > SSL > Settings and select Create New under Authentication/Portal Mapping.
2. Add an authentication rule for the remote user:
   Users/Groups    Tunnel
   Portal          tunnel-access
3. Select OK and Apply.

Results
Using the FortiClient SSLVPN application, access the VPN using the address https://172.20.120.136:443/ and log in as twhite. Once connected, you can browse the Internet. From the FortiGate web-based manager, go to VPN > Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects to the Internet.

Split Tunnel

For this example, the remote users are configured to be able to securely access head office internal network servers and browse the Internet through the head office firewall. This will enable the remote user to use the FortiGate's security to connect to the internal network and the Internet.

The solution describes how to configure FortiGate SSL VPN split tunneling using the FortiClient SSL VPN software, available from the Fortinet Support site.

Using split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user's PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.

[Figure: Split tunnel topology: Remote SSL VPN User logging in and browsing through the Head Office FortiGate Unit (wan1 172.20.120.136, ssl.root) to the Head Office Server and the Internet]

Creating a firewall address for the head office server
1. Go to Policy & Objects > Objects > Addresses and select Create New and add the head office server address:
   Category             Address
   Name                 Head office server
   Type                 Subnet
   Subnet / IP Range    192.168.1.12
   Interface            Internal
2. Select OK.

Creating an SSL VPN IP pool and SSL VPN web portal
1. Go to VPN > SSL > Portals and select tunnel-access.
2. Enter the following:
   Name                  Connect to head office server
   Enable Tunnel Mode    Enable

   Enable Split Tunneling    Enable
   Source IP Pools           SSLVPN_TUNNEL_ADDR1
3. Select OK.

Creating the SSL VPN user and user group
Create the SSL VPN user and add the user to a user group.
1. Go to User & Device > User > User Definition, select Create New and add the user:
   User Name    twhite
   Password     password
2. Select OK.
3. Go to User & Device > User > User Groups and select Create New to add the new user to the SSL VPN user group:
   Name    Tunnel
   Type    Firewall
4. Move twhite to the Members list.
5. Select OK.

Creating a static route for the remote SSL VPN user
Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.
1. Go to Router > Static > Static Routes and select Create New. For low-end FortiGate units, go to System > Network > Routing and select Create New:
   Destination IP/Mask    10.212.134.0/255.255.255.0
   Device                 ssl.root
2. Select OK.

Creating security policies
Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Complete the following:
   Incoming Interface    wan1

   Source Address         all
   Outgoing Interface     internal
   Destination Address    Head office server
3. Select OK.
4. Select Create New.
5. Add a security policy that allows remote SSL VPN users to connect to the Internet.
6. Complete the following and select OK:
   Incoming Interface     ssl.root
   Source Address         all
   Outgoing Interface     wan1
   Destination Address    all
   Schedule               always
   Service                ALL
   Action                 ACCEPT

Configuring authentication rules
1. Go to VPN > SSL > Settings and select Create New under Authentication/Portal Mapping.
2. Add an authentication rule for the remote user:
   Users/Groups    Tunnel
   Portal          tunnel-access
3. Select OK and Apply.

Results
Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address https://172.20.120.136:443/ and log in with the twhite user account. Once connected, you can connect to the head office server or browse to web sites on the Internet. From the web-based manager, go to VPN > Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects SSL VPN sessions to the Internet.

Multiple user groups with different access permissions

You might need to provide access to several user groups with different access permissions. Consider the following example topology in which users on the Internet have controlled access to servers and workstations on private networks behind a FortiGate unit.

In this example configuration, there are two users:
• User1 can access the servers on Subnet_1.
• User2 can access the workstation PCs on Subnet_2.
You could easily add more users to either user group to provide them access to the user group's assigned web portal.

General configuration steps
1. Create firewall addresses for:
   • The destination networks.
   • Two non-overlapping tunnel IP address ranges that the FortiGate unit will assign to tunnel clients in the two user groups.
2. Create two web portals.
3. Create two user accounts, User1 and User2.
4. Create two user groups. For each group, add a user as a member and select a web portal. In this example, User1 will belong to Group1, which will be assigned to Portal1 (similar configuration for User2).
5. Create security policies:
   • Two SSL VPN security policies, one to each destination.
   • Two tunnel-mode policies to allow each group of users to reach its permitted destination network.
6. Create the static route to direct packets for the users to the tunnel.

Creating the firewall addresses
Security policies do not accept direct entry of IP addresses and address ranges. You must define firewall addresses in advance.

Creating the destination addresses
SSL VPN users in this example can access either Subnet_1 or Subnet_2.

To define destination addresses - web-based manager:
1. Go to Policy & Objects > Objects > Addresses.
2. Select Create New, enter the following information, and select OK:
   Name               Subnet_1
   Type               Subnet
   Subnet/IP Range    10.11.101.0/24
   Interface          port2
3. Select Create New, enter the following information, and select OK:

   Name               Subnet_2
   Type               Subnet
   Subnet/IP Range    10.11.201.0/24
   Interface          port3

Creating the tunnel client range addresses
To accommodate the two groups of users, split an otherwise unused subnet into two ranges. The tunnel client addresses must not conflict with each other or with other addresses.

To define tunnel client addresses - web-based manager:
1. Go to Policy & Objects > Objects > Addresses.
2. Select Create New, enter the following information, and select OK:
   Name               Tunnel_group1
   Type               IP Range
   Subnet/IP Range    10.11.254.[1-50]
   Interface          Any
3. Select Create New, enter the following information, and select OK:
   Name               Tunnel_group2
   Type               IP Range
   Subnet/IP Range    10.11.254.[51-100]
   Interface          Any

Creating the web portals
To accommodate two different sets of access permissions, you need to create two web portals, portal1 and portal2. Later, you will create two SSL VPN user groups, one to assign to portal1 and the other to assign to portal2.

To create the portal1 web portal:
1. Go to VPN > SSL > Portals and select Create New.
2. Enter portal1 in the Name field.
3. In Source IP Pools, select Tunnel_group1.
4. Select OK.

To create the portal2 web portal:
1. Go to VPN > SSL > Portals and select Create New.
2. Enter portal2 in the Name field and select OK.
3. In IP Pools, select Tunnel_group2.
4. Select OK.

Later, you can configure these portals with bookmarks and enable connection tool capabilities for the convenience of your users.

Creating the user accounts and user groups
After enabling SSL VPN and creating the web portals that you need, you need to create the user accounts and then the user groups that require SSL VPN access.

Go to User & Device > User > User Definition and create user1 and user2 with password authentication. After you create the users, create the SSL VPN user groups.

To create the user groups - web-based manager:
1. Go to User & Device > User > User Groups.
2. Select Create New and enter the following information:
   Name    group1
   Type    Firewall
3. From the Available list, select User1 and move it to the Members list by selecting the right arrow button.
4. Select OK.
5. Repeat steps 2 through 4 to create Group2, assigned to Portal2, with User2 as its only member.

Creating the security policies
You need to define security policies to permit your SSL VPN clients, web-mode or tunnel-mode, to connect to the protected networks behind the FortiGate unit. Before you create the security policies, you must define the source and destination addresses to include in the policy. See Creating the firewall addresses on page 64.

Two types of security policy are required:
• An SSL VPN policy enables clients to authenticate and permits a web-mode connection to the destination network. In this example, there are two destination networks, so there will be two SSL VPN policies. The authentication ensures that only authorized users can access the destination network.
• A tunnel-mode policy is a regular ACCEPT security policy that enables traffic to flow between the SSL VPN tunnel interface and the protected network. Tunnel-mode policies are required if you want to provide tunnel-mode connections for your clients. In this example, there are two destination networks, so there will be two tunnel-mode policies.

To create the SSL VPN security policies - web-based manager:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter the following information and click OK:
   Incoming Interface     port1
   Source Address         All
   Outgoing Interface     port2
   Destination Address    Subnet_1
3. Select Create New.
4. Enter the following information:
   Incoming Interface     port1
   Source Address         All
   Outgoing Interface     port3
   Destination Address    Subnet_2
5. Click OK.

Configuring authentication rules
1. Go to VPN > SSL > Settings and select Create New under Authentication/Portal Mapping.
2. Add an authentication rule for the first remote group:
   Users/Groups    Group1
   Portal          Portal1
3. Select OK and Apply.
4. Select Create New and add an authentication rule for the second remote group:
   Users/Groups    Group2
   Portal          Portal2
5. Select OK and Apply.

To create the tunnel-mode security policies - web-based manager:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter the following information, and select OK:

   Incoming Interface     ssl.root (sslvpn tunnel interface)
   Source Address         Tunnel_group1
   Outgoing Interface     port2
   Destination Address    Subnet_1
   Action                 ACCEPT
   Enable NAT             Enable
3. Select Create New.
4. Enter the following information, and select OK:
   Incoming Interface     ssl.root (sslvpn tunnel interface)
   Source Address         Tunnel_group2
   Outgoing Interface     port3
   Destination Address    Subnet_2
   Action                 ACCEPT
   Enable NAT             Enable

Create the static route to tunnel mode clients
Reply packets destined for tunnel mode clients must pass through the SSL VPN tunnel. You need to define a static route to allow this.

To add a route to SSL VPN tunnel mode clients - web-based manager:
1. Go to Router > Static > Static Routes and select Create New. For low-end FortiGate units, go to System > Network > Routing and select Create New.
2. Enter the following information and select OK.
   Destination IP/Mask    10.11.254.0/24. This IP address range covers both ranges that you assigned to SSL VPN tunnel-mode users. See Creating the tunnel client range addresses on page 65.
   Device                 Select the SSL VPN virtual interface, ssl.root for example.

In this example, the IP Pools field on the VPN > SSL > Settings page is not used because each web portal specifies its own tunnel IP address range.
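To check that the tunnel-mode policies and the static route in this example give each group only its own subnet, here is an added model of the configuration in Python (not FortiOS code): it evaluates a tunnel client packet against the two tunnel-mode policies, looks up the reply route, and shows that a Tunnel_group1 address cannot reach Subnet_2. The policy labels, function names and the default route via port1 are my own assumptions; the addresses, interfaces and ranges are the ones this section configures.

```python
"""Model of the multi-group example: two tunnel-mode policies plus the
static route back to tunnel clients.

Added example, not FortiOS code. Addresses, interfaces and ranges are the
ones this section configures; the policy labels, the function names and
the default route via port1 are my own assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Firewall addresses from "Creating the firewall addresses".
SUBNET_1 = ip_network("10.11.101.0/24")   # servers behind port2
SUBNET_2 = ip_network("10.11.201.0/24")   # workstations behind port3


def ip_range(first: str, last: str) -> tuple:
    return (ip_address(first), ip_address(last))


TUNNEL_GROUP1 = ip_range("10.11.254.1", "10.11.254.50")    # portal1 pool
TUNNEL_GROUP2 = ip_range("10.11.254.51", "10.11.254.100")  # portal2 pool


@dataclass(frozen=True)
class TunnelPolicy:
    name: str          # label is mine; FortiOS numbers policies
    srcintf: str
    srcaddr: tuple     # (first, last) address range
    dstintf: str
    dstaddr: IPv4Network


# The two tunnel-mode ACCEPT policies from this example.
TUNNEL_POLICIES = [
    TunnelPolicy("group1_to_subnet1", "ssl.root", TUNNEL_GROUP1, "port2", SUBNET_1),
    TunnelPolicy("group2_to_subnet2", "ssl.root", TUNNEL_GROUP2, "port3", SUBNET_2),
]

# Routing table: the connected networks implied by the address definitions,
# the example's static route to the tunnel clients, and an assumed default
# route out of port1 that the handbook does not show.
ROUTES = [
    (SUBNET_1, "port2"),
    (SUBNET_2, "port3"),
    (ip_network("10.11.254.0/24"), "ssl.root"),
    (ip_network("0.0.0.0/0"), "port1"),
]


def egress_interface(dst: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix-match lookup; returns the device a packet to dst leaves by."""
    d = ip_address(dst)
    best = None
    for net, device in routes:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, device)
    return best[1] if best else None


def match_policy(src: str, dst: str, srcintf: str = "ssl.root") -> Optional[str]:
    """Name of the first tunnel-mode policy that accepts src -> dst, or None.

    The outgoing interface comes from the route lookup, which is how the
    firewall picks the policy's dstintf. None means the implicit deny.
    """
    s, d = ip_address(src), ip_address(dst)
    dstintf = egress_interface(dst)
    for p in TUNNEL_POLICIES:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and p.srcaddr[0] <= s <= p.srcaddr[1] and d in p.dstaddr):
            return p.name
    return None


def reply_route_ok(client: str) -> bool:
    """True when a reply to a tunnel client is routed back into ssl.root."""
    return egress_interface(client) == "ssl.root"


if __name__ == "__main__":
    # Constructed sample flows: one client from each pool, both subnets.
    for src, dst in [("10.11.254.7", "10.11.101.20"), ("10.11.254.7", "10.11.201.20"),
                     ("10.11.254.60", "10.11.201.20"), ("10.11.254.60", "10.11.101.20")]:
        print(f"{src} -> {dst}: {match_policy(src, dst) or 'implicit deny'}")
    print("reply to 10.11.254.7 via ssl.root:", reply_route_ok("10.11.254.7"))
```

Without the 10.11.254.0/24 static route the reply lookup falls through to the default route, which is the failure the section's "Create the static route to tunnel mode clients" step prevents.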

Copyright© 2015 Fortinet, Inc. All rights reserved.
