FortiOS 5.6 The SSL VPN web portal

Connecting to the FortiGate unit

SSL VPN using web and tunnel mode
Disabled — This is not an SSO bookmark. For this policy, Incoming Interface is set to ssl. The FortiGate unit forwards client requests to servers on the Internet or internal network. In the Host field, type the IP address of the telnet host. Select to include bookmarks on the web portal.

2. Creating an SSL VPN portal for remote users

SSL VPN Web Portal Access Issue

Add a remote user with the User Creation Wizard (in the example, twhite) with the same credentials used for the predefined bookmark. Add the address for the local network. Add a security policy allowing access to the internal network through the ssl interface. Set Source Address to all and select the Source User group you created in step 2.

Set Outgoing Interface to the local network interface so that the remote user can access the internal network. Set Destination Address to all, enable NAT, and configure any remaining firewall and security options as desired. For this policy, Incoming Interface is set to ssl. The Web Application description indicates that the user is using web mode.

In the Tunnel Mode widget, select Connect to enable the tunnel. You may need to install the FortiClient application using the available download link. For more information, see Adding bookmarks. If you want to access a web server or telnet server without first adding a bookmark to the My Bookmarks list, use the Connection Tool instead.

For more information, see Using the Bookmarks widget.

Adding bookmarks. You can add frequently used connections as bookmarks. Afterward, select any hyperlink from the Bookmarks list to initiate a session.

In the web portal, select New Bookmark. For RDP connections, you can append some parameters to control screen size and keyboard layout. See Using the Bookmarks widget. The description displays when you pause the mouse pointer over the hyperlink.

Disabled — This is not an SSO bookmark. Static — Supply credentials and other required information such as an account number to a web site that uses an HTML form for authentication. You provide a list of the form field names and the values to enter into them. This method does not work for sites that use HTTP authentication, in which the browser opens a pop-up dialog box requesting credentials. Select OK and then select Done. This CLI-only feature allows administrators to add bookmarks for groups of users.

Using the Quick Connection Tool. You can connect to any type of server without adding a bookmark to the Bookmarks list. The fields in the Quick Connection Tool are described in the following procedures. Except for ping, these services require that you have an account on the server to which you connect.

When you use the Connection Tool, the FortiGate unit may offer you its self-signed security certificate. Select Yes to proceed. A second message may be displayed to inform you of a host name mismatch. For a web server, in the Host field, type the URL of the web server. Otherwise, in the Host field, enter the IP address of the host or server that you want to reach.

In the Host field, type the IP address of the telnet host. Select Connect. A telnet session starts and you are prompted to log in to the remote host. Enter your user name and password and then select Login. To end the FTP session, select Logout.

An SSH session starts and you are prompted to log in to the remote host. You must have a user account to log in. After you log in, you may enter any series of valid commands at the system prompt. To end the session, select Disconnect or type exit and then close the SSH connection window. Optionally, you can specify additional options for RDP by adding them to the Host field following the host address.

See RDP options for information about the available options. When you see a screen configuration dialog, click OK. The screen configuration dialog does not appear if you specified the screen resolution with the host address. When you are prompted to log in to the remote host, type your user name and password. You must have a user account on the remote host to log in. Type your user name and password when prompted to log in to the remote host. The virtual desktop feature is available for Windows only.

When the virtual desktop exits, your regular desktop is restored. Virtual desktop information is encrypted so that no information from it remains available after your session ends. Your web browser will open to the web portal page. You can use the virtual desktop just as you use your regular desktop, subject to the limitations that virtual desktop application control imposes.

If it is enabled in the web portal virtual desktop settings, you can switch between the virtual desktop and your regular desktop. Select Yes to confirm. The virtual desktop closes and your regular desktop is restored.

Using FortiClient. Once the tunnel has been established, the user can access the network behind the FortiGate unit. The examples in this chapter demonstrate the basic configurations needed for common connections to the SSL VPN tunnel and portals, applying the steps outlined in Basic configuration.

Secure Internet browsing.

This example sets up an SSL VPN tunnel that provides remote users the ability to access the Internet while traveling, and ensures that they are not subject to malware and other dangers, by using the corporate firewall to filter all of their Internet traffic.

Essentially, the remote user will connect to the corporate FortiGate unit to surf the Internet.

Creating security policies. Create a normal security policy from ssl.

Configuring authentication rules. Once connected, you can browse the Internet. The Subsession entry indicates the split tunnel which redirects to the Internet. In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate.

Connections to the Internet are routed back out the head office FortiGate unit to the Internet. By contrast, disabling split tunneling protects the end user by forcing all their Internet traffic to pass through the FortiGate firewall.

Creating a firewall address for the head office server. Select Create New. Complete the following and select OK. Once connected, you can connect to the head office server or browse to web sites on the Internet.

Multiple user groups with different access permissions. You might need to provide access to several user groups with different access permissions.

Consider the following example topology in which users on the Internet have controlled access to servers and workstations on private networks behind a FortiGate unit.

General configuration steps. Create two user groups. For each group, add a user as a member and select a web portal. In this example, User1 will belong to Group1, which will be assigned to Portal1; User2 is configured similarly.

Create the static route to direct packets for the users to the tunnel.

Creating the firewall addresses. Security policies do not accept direct entry of IP addresses and address ranges. You must define firewall addresses in advance.

Creating the destination addresses. Select Create New, enter the following information, and select OK.

Creating the tunnel client range addresses. To accommodate the two groups of users, split an otherwise unused subnet into two ranges. The tunnel client addresses must not conflict with each other or with other addresses. Select Create New, enter the following information, and select OK.

Creating the web portals. To accommodate two different sets of access permissions, you need to create two web portals, portal1 and portal2, for example. Enter portal1 in the Name field. Enter portal2 in the Name field and select OK. Later, you can configure these portals with bookmarks and enable connection tool capabilities for the convenience of your users.

Creating the user accounts and user groups. Select Create New and enter the following information.

From the Available list, select User1 and move it to the Members list by selecting the right arrow button. Repeat steps 2 through 4 to create Group2, assigned to Portal2, with User2 as its only member.

Creating the security policies. You need to define security policies to permit your SSL VPN clients, web-mode or tunnel-mode, to connect to the protected networks behind the FortiGate unit.

Before you create the security policies, you must define the source and destination addresses to include in the policy. See Creating the firewall addresses. The authentication ensures that only authorized users can access the destination network. Enter the following information and click OK. Select Create New and add an authentication rule for the second remote group. To create the tunnel-mode security policies — web-based manager: Enter the following information, and select OK.

Create the static route to tunnel-mode clients. You need to define a static route to allow this. Enter the following information and select OK. See Creating the tunnel client range addresses.

The -1 debug level produces detailed results.
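The two-group procedure above (destination addresses, tunnel client ranges, portals, users and groups, per-group authentication rules and security policies, and the static route) expressed as FortiOS 5.6 CLI. This is an added example, not configuration from the Fortinet document; the interface names (port1 facing the Internet, port2 as the protected LAN), the 10.10.10.0/24 server subnet, the 10.254.254.0/24 tunnel pool and the passwords are assumed values, and the remaining SSL VPN settings (server certificate, listening port, default portal) are left at their existing values.

```fortios
# Added example (assumed names and addresses, not Fortinet's own configuration).
# Topology assumed: port1 = Internet-facing, port2 = protected LAN 10.10.10.0/24,
# 10.254.254.0/24 = otherwise unused subnet split into two tunnel client ranges.

# Destination (protected) addresses, one per group, and the two tunnel ranges.
# The ranges are carved from one subnet and do not overlap each other or the LAN.
config firewall address
    edit "Group1_Servers"
        set subnet 10.10.10.0 255.255.255.128
    next
    edit "Group2_Servers"
        set subnet 10.10.10.128 255.255.255.128
    next
    edit "Tunnel_Range1"
        set type iprange
        set start-ip 10.254.254.1
        set end-ip 10.254.254.100
    next
    edit "Tunnel_Range2"
        set type iprange
        set start-ip 10.254.254.101
        set end-ip 10.254.254.200
    next
end

# One local user per group (passwords are placeholders).
config user local
    edit "User1"
        set type password
        set passwd "<User1-password>"
    next
    edit "User2"
        set type password
        set passwd "<User2-password>"
    next
end
config user group
    edit "Group1"
        set member "User1"
    next
    edit "Group2"
        set member "User2"
    next
end

# Two portals, each handing out addresses from its own tunnel range.
config vpn ssl web portal
    edit "portal1"
        set tunnel-mode enable
        set ip-pools "Tunnel_Range1"
    next
    edit "portal2"
        set tunnel-mode enable
        set ip-pools "Tunnel_Range2"
    next
end

# Authentication rules map each group to its portal.
config vpn ssl settings
    set source-interface "port1"
    set source-address "all"
    config authentication-rule
        edit 1
            set groups "Group1"
            set portal "portal1"
        next
        edit 2
            set groups "Group2"
            set portal "portal2"
        next
    end
end

# Security policies: source is the group's tunnel range AND the group itself,
# destination is only that group's servers, so neither group can reach the other's.
config firewall policy
    edit 0
        set name "SSLVPN_Group1"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "Tunnel_Range1"
        set dstaddr "Group1_Servers"
        set groups "Group1"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "SSLVPN_Group2"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "Tunnel_Range2"
        set dstaddr "Group2_Servers"
        set groups "Group2"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Static route so replies addressed to tunnel clients are sent into the tunnel.
config router static
    edit 0
        set dst 10.254.254.0 255.255.255.0
        set device "ssl.root"
    next
end
```

Binding both the tunnel range and the user group in each policy is what keeps the two permission sets apart: a client that authenticated as User2 is placed in Tunnel_Range2 by portal2, so it cannot match the Group1 policy either by address or by group membership.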

The output above indicates that debug output is disabled, so debug messages are not displayed. The output also indicates that debugging has not been enabled for any software systems. The CLI displays debug output similar to the following:

SSLv3 read client hello A
SSLv3 write server hello A
SSLv3 write change cipher spec A
SSLv3 write finished B
SSLv3 flush data
SSLv3 read finished A:
SSLv3 read finished A

The following is a list of potential issues.

The suggestions below are not exhaustive, and may not reflect your network topology.

FortiClient cannot connect.

Tunnel-mode connection shuts down after a few seconds. This issue can occur when there are multiple interfaces connected to the Internet (for example, a dual WAN). Upgrade to the latest firmware then use the following CLI command:

When you attempt to connect using FortiClient or in Web mode, you are returned to the login page, or you receive the following error message: Your user name or password may not be configured properly for this connection.

You receive an error message stating:
Change the address to that of the protected network instead.

You can connect remotely to the VPN tunnel but are unable to access the network resources. If the destination address is set to all, create a firewall address for the internal network. Change the destination address and attempt to connect remotely again.

This allows users to connect to the resources on the portal page while also connecting to the VPN through FortiClient.

Users are being assigned to the wrong IP range. If there is a conflict, the portal settings will be used.

Sending tunnel statistics to FortiAnalyzer.

By default, logged events include tunnel-up and tunnel-down status events. The FortiGate does not, by default, send tunnel-stats information.

The following topics are included: When you are prompted for your user name and password: In the Name field, type your user name. In the Password field, type your password.

Web portal overview. After logging in to the web portal, the remote user is presented with a web portal page similar to the following:

1. Creating an SSL VPN portal for remote users

Configuring SSL VPN web portals. The SSL VPN portal enables remote users to access internal network resources through a secure channel using a web browser. FortiGate administrators can configure login privileges for system users as well as the network resources that are available to the users. Using a supported Internet browser, connect to the SSL VPN web portal using the remote gateway configured in the SSL VPN settings. On the FortiGate, go to Monitor > SSL-VPN Monitor. The user is connected to the VPN. FortiClient: If you have not done so already.

The SSL VPN web portal. This chapter explains how to use and configure the web portal features. This chapter is written for end users as well as administrators.