First off, the best documentation can be found at docs.fortinet.com.
FortiGate has changed a lot in 5.2, and one of the things that changed heavily is how the SSL VPN is set up. Some of the things that changed:
– Portal creation
– Settings
– Firewall policies (for interfaces)
So to enable the SSL VPN and create the policies it needs to function, we will create an address object 10.99.255.0/24 for our VPN subnet, and make sure our two local subnets, 10.32.250.0/24 and 10.32.251.0/24, are pushed to the clients' routing table via split tunneling.
First, let's create the address object for our SSL VPN clients.
Portal Config
In the portal we configure split tunneling, IP pools, bookmarks, etc.
You also have options to let clients save the password and to allow more than one simultaneous login for the same user.
VPN Settings
Then we configure the settings for our VPN. Notice that this is much different from 5.0: the port, the VPN client address pool and who can access the VPN are all configured here, where before they were spread across several places. Also notice that at the bottom are the users who can log into this device and the portal each of them will see. You can fully customize this so that domain admins get one portal and restricted users get another.
After you configure what is needed, a red warning appears saying “default users not configured”. If you only have one profile, then modify this. If you have multiple portals, add the most specific ones first, then make the standard catch-all this profile.
Firewall Policies
Next we need to create firewall policies to allow traffic to and from our VPN. This is also a big change from 5.0, where you would need a WAN-to-LAN policy with the service set to SSL; in 5.2 that is handled on the VPN settings page.
So let's allow VPN traffic to our LAN, making sure we use the network address objects that are specified in the split tunnel policy under the portal. Adding the local subnets gives VPN clients access to those networks. You could use Any here; I chose to use my local subnets.
Then create the opposite of that policy to allow traffic from the LAN to reach the SSL VPN interface.
One more thing is needed: a static route to the SSL VPN subnet.
That should be pretty much it. There are some considerations that should always be taken into account. For one, always evaluate the security that you need: in this example I did not add any UTM profiles or restrictions on who can access the VPN or which servers/addresses they can reach. Also notice on the VPN settings page that if you are doing FortiClient registration, you need to make sure that option is checked so registration can be used on that interface. One other thing to think about is how long users stay logged into the VPN.
I was able to configure following your instructions. Thanks a lot. Excellent Job!
My compliments to you for your excellent posts on Fortigate. I am a big fan of these devices and I frequently use their SSL VPN capabilities. Although I generally didn’t encounter any problems configuring the VPN SSL portal, there is still something I think I didn’t understand about the host name resolution in Web Portal mode (reverse proxy mode).
While the name resolution of the host in the internal network works well in tunnel mode (adding the IP addresses of the internal DNS/WINS server in the appropriate fields), I didn’t find a simple way to get the name resolution working in Web Portal mode, which means I cannot use domain names when adding a link to the portal, only IP addresses.
Actually I found a solution adding the local domain name in the appropriate DNS field of the Fortigate, creating a DNS Database for the internal domain in the DNS Servers section on the Fortigate (Slave, Shadow, Authoritative), enabling recursion on the interface and enabling zone transfer on the Windows DNS server toward the Fortigate.
Honestly, I found this procedure quite tricky and I cannot believe a simpler solution does not exist, like in tunnel mode…
Have you any hints about it?
Thanks! And a great comment.
So when you use web portal mode, who responds to DNS queries? It’s the FortiGate. Under System – Network – DNS you can set the DNS servers and domain name for the device itself. This will make queries through the portal or explicit proxy work with internal names. Did that answer the question? If not, I can help find the answer.
Thank you for your suggestion.
It matches exactly my first implementation (setting the internal DNS server as the first DNS entry in System – Network – DNS) and it works, but honestly I don’t like this choice very much.
Considering the FortiGate as a security gateway, I think it is preferable to use it as a DNS proxy for the internal DNS server, so in such a configuration I cannot specify the internal DNS server as the system DNS of the FortiGate…
Thanks for writing this up. Great article.
I’ve got mine all up and running now except we also have a Site to Site IPSec VPN tunnel and I would like the SSL VPN users to be able to reach the other site. I’ve created additional policies at both ends to allow the SSL VPN subnet to reach the other site subnet and vice-versa but no joy so far. Do you have a config with a similar situation?
Hey Mark,
I have done this many times.
You will need a route for both ends, policies from the VPN interface to SSL.Root, and a split tunnel route for this network.
I would be happy to help – my number is 502-592-7189. We can do a remote screen share and get it working.
Thanks Justin, I have sent you a Skype request as I’m in the UK. Far end of the VPN tunnel is a Cisco ASA for which I used the ASA VPN wizard. Let me know a good time and I can try to get everything ready on screen.
Hi,
I’ve got this working now. It was getting the right combination of policies and adding in the extra Phase 2 / quick-mode selector settings to match the SSL VPN user range. Thanks for the offer of help.
So I can connect to the SSL portal, but it only loads the default portal even after I’ve created a custom portal,
even after I’ve configured a specific user for a specific portal.
Sounds like it might not be specified under VPN – SSL – Settings, then matched to your user group. Make sure it’s above the default, all-users portal.
Please let me know if you have any more questions. I would be happy to do a screenshare session, my skype is justin.cottrell7.
I have been cracking my head, and even after this I cannot ping internal network IP addresses when connected to SSL tunnel… Could I provide more info regarding my config? My static route has no gateway IP…which I find suspicious.
Hi EJ!
So you have made sure that your networks have been pushed through firewall policy? Routes are good, and firewall policies are allowing traffic?
My Skype is justin.cottrell7 and my phone is 502-592-7189. Feel free to call me.
Thanks so much, I have sent you an invite. I am going to setup a test unit and configure as far as possible then contact you if that’s alright. Once I know what’s happening I’ll make further changes on live unit; as I’m working on it remotely and if something goes down client won’t be happy.
Great, let me know when you are ready.
Hi there. I followed your sample and was able to set up the SSL VPN split tunnel, but none of the internal systems can ping the remote computer (the SSL remote computer). I also see that the gateway address on the remote is empty (nothing there). What do I need to add to make the LAN computers able to ping the remote computer?
Let me review the entry. You should not have a gateway in your IP settings under the SSL-VPN config. Is your remote PC local firewall disabled during the test?