SSL VPN For Remote Users - Fortinet Cookbook


4/16/2017 SSL VPN for remote users ­ Fortinet Cookbook


SSL VPN for remote users
Posted on June 13, 2014 by Keith Leroux

This example provides remote users with access to the corporate network using SSL VPN and
connection to the Internet through the corporate FortiGate unit. During the connection phase, the
FortiGate unit also verifies that the remote user’s antivirus software is installed and current.


1. Creating an SSL VPN portal for remote users

Go to VPN > SSL > Portals.

Edit the full-access portal. The full-access portal allows the use of
tunnel mode and/or web mode. In this scenario we are using both.

Enable Split Tunneling is not enabled, so that all Internet traffic
will go through the FortiGate unit and be subject to the corporate
security profiles.

If you do Enable Split Tunneling, traffic not intended for the
corporate network does not traverse the tunnel, and consequently
is not subject to the corporate security profiles.

In this case, you are prompted to choose a Routing Address. The
Routing Address is the address that your corporate network is
using (in this case, Local LAN).

In short, traffic intended for the Routing Address will not be split
from the tunnel.

Select Create New in the Predefined Bookmarks area to add a
bookmark for a remote desktop link/connection.

Bookmarks are used as links to internal network resources.

You must include a username and password. You will create this
user in the next step, so be sure to use the same credentials.

2. Creating a user and a user group

Go to User & Device > User > User Definition.

Add a remote user with the User Creation Wizard (in the example,
twhite, with the same credentials used for the predefined
bookmark).

Go to User & Device > User > User Groups.

Add the user twhite to a user group for SSL VPN connections.

3. Adding an address for the local network

Go to Policy & Objects > Objects > Addresses.

Add the address for the local network. Set Subnet / IP Range to the
local subnet and set Interface to an internal port.

4. Configuring the SSL VPN tunnel

Go to VPN > SSL > Settings and set Listen on Interface(s) to wan1.

Set Listen on Port to 10443 and Specify custom IP ranges.

Under Authentication/Portal Mapping, add the SSL VPN user group
created in step 2.

5. Adding security policies for access to the Internet and
internal network

Go to Policy & Objects > Policy > IPv4.

Add a security policy allowing access to the internal network
through the ssl.root VPN tunnel interface.

Set Incoming Interface to ssl.root.

Set Source Address to all and select the Source User group you
created in step 2.

Set Outgoing Interface to the local network interface so that the
remote user can access the internal network.

Set Destination Address to all, enable NAT, and configure any
remaining firewall and security options as desired.

Add a second security policy allowing SSL VPN access to the
Internet.

For this policy, Incoming Interface is set to ssl.root and Outgoing
Interface is set to wan1.

6. Setting the FortiGate unit to verify users have current
AntiVirus software

Go to System > Status > Dashboard.

In the CLI Console widget, enter the following commands to enable the host
check for compliant AntiVirus software on the remote user’s computer:

    config vpn ssl web portal
        edit full-access
            set host-check av
        next
    end

7. Results

Log into the portal using the credentials you created in step 2.

The FortiGate unit performs the host check.

After the check is complete, the portal appears.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL
users. The Web Application description indicates that the user is
using web mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the
details for the SSL entry.

In the Tunnel Mode widget, select Connect to enable the tunnel.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL
users. The tunnel description indicates that the user is using tunnel mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the
details for the SSL entry.

Go to Log & Report > Traffic Log > Forward Traffic.

Internet access occurs simultaneously through the FortiGate unit.

Select an entry to view more information.
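The same verification from the CLI, for units where the GUI monitor is not convenient or where a user is being rejected and the reason is not visible in the logs. This is an added example, not part of the original recipe; the commands are standard FortiOS diagnostics, and what they print depends on your own sessions.

```fortios
# Added example: CLI checks for step 7.

# Active SSL VPN sessions: user, source IP, and whether the session is web
# mode or tunnel mode (a tunnel session also shows its assigned pool address)
get vpn ssl monitor

# Lower-level listing of the same sessions from the sslvpn daemon
diagnose vpn ssl list

# If a login or the host check is rejected, trace the sslvpn daemon while the
# user retries, then switch debugging off again so it does not stay enabled
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug enable
# ... have the user attempt the login now ...
diagnose debug disable
diagnose debug reset
```

A failed host check shows up in the sslvpn debug output rather than in the forward traffic log, because the session is refused before any policy is matched; the forward traffic log entries in this step only exist for users who passed the check.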


For further reading, check out Basic SSL VPN configuration in the FortiOS 5.2 Handbook.


Keith Leroux
Technical Writer at Fortinet

Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a
Bachelor's degree from Queen's University in English Language and Literature, and a
graduate certificate in Technical Writing from Algonquin College. He spent a year teaching
ESL in South Korea. Annyeong!

RDP, SSL VPN


14 Comments on "SSL VPN for remote users"


Chris Mahoney

Also you might want to add that under System > Settings you need to change the
listening HTTPS port from 443 to 4433 or 4444 or something other than 443. This
will prevent the conflict of the 443 traffic going to the management login.

November 16, 2016 4:05 pm

Adam Bristow

Hello Chris,

Thank you for your comment! This can also be remedied by changing the
Listen on Port field to 10443 under VPN > SSL > Settings (in step 4). I will
make the change immediately.

If you’d like, check out the more recent 5.4 version of this recipe here:

Best regards,

Adam

December 15, 2016 4:12 pm

Juliet Bell

Using a VPN to access a work computer from home is secure and good, but a VPN is
costly. Instead, I would recommend the use of an on-premise remote support solution
such as R-HUB remote support servers. It works from behind your firewall and is
only a one-time cost.

June 25, 2016 1:34 am


Is it possible to use an alternate IP on wan1 interface?

October 22, 2015 4:49 am

Victoria Martin

Hi Matthias,

If you mean use a different IP than what is in the recipe, then yes, you
should be using the real IP of your wan1 interface. The IPs in our recipes
are just used as examples and are almost always IP addresses that are
restricted for private networks (172.20.x.x, 192.168.x.x, and 10.10.x.x).

Please let me know if you meant something different.

October 22, 2015 10:56 am

Toshi Esumi

Since the handbook 5.2 contained wrong info, especially for the policies, I opened a
TT#1526539 and was directed to this page. It works, but the tech confirmed NAT
was never needed on the policy.

October 14, 2015 4:19 pm

Keith Leroux

Hello Toshi,

I plan to update the 5.2 handbook chapter as soon as possible. Thank you
for your comment!

October 14, 2015 5:12 pm


Hi Keith,
Thank you for the recipe.
Is it possible to limit access for a specific SSL VPN portal from specific hosts?

June 2, 2015 5:03 am

Keith Leroux

Hi Petr,

If I understand you correctly, I think all you need to do is create separate

portals for different user groups (VPN > SSL > Portals > Create New).

More information is available here:

June 3, 2015 1:37 pm


Hi Keith,

We have separate portals for different user groups.

There is a “RestrictAccess” setting in the web GUI. Unfortunately it is a global
setting for ALL SSL VPN.
I would like to restrict specific user group SSL access from specific
Is it possible?

June 12, 2015 7:12 am

Keith Leroux

Hi Petr,

Perhaps you could try adding device authentication to your SSL
VPN policy?

July 7, 2015 3:32 pm


Hi Keith,

It is not possible according to
rtiOS/fortigate-whats-new-52/ssl.htm#top “Also, source
devices are not applicable to SSL VPN firewall policies.”
But I have opposite experience.

November 13, 2015 3:43 am

Dan Farrell

This does not include the option for “routing address” and the handbook does not
describe it. This is a feature that has been added without definition, description, or
example. Please add something about this.

March 26, 2015 1:43 pm

Keith Leroux

Thanks Dan! I’ve updated the recipe to describe Routing Address. The SSL
VPN Handbook chapter will be updated shortly.


June 3, 2015 12:00 pm