Creating a User Group
To create users who will be granted remote access and who will be able to use the SSL VPN:
- Go to User & Authentication → User Definition → Create New.
- Create a local user, specify the username and password, and provide contact information if necessary.
- Combine the created users into a group.
- To create a user group, go to User & Authentication → User Groups → Create New.
- Specify the group name, Firewall type and group members created earlier.
Creating the SSL VPN Tunnel
To create an SSL VPN tunnel:
- Go to VPN → SSL-VPN Portal → Create New.
- Specify a name, turn on Tunnel Mode.
- In the Source IP Pools field, specify the pool of IP addresses (IP Range) that will be assigned to remote users. You can add a pool created by default (SSLVPN_TUNNEL_ADDR1) or your own configured in the same way.
In the portal settings, you can also enable host checks, restrict specific OS versions, and set other parameters for client connection.
To create a split tunnel where traffic is routed only to the destined network:
- Enable option Enable Split Tunneling.
- Select Routing Address to define the destination network that will be routed through the tunnel, that is, these addresses will be accessible by remote clients.
- Click + and select an address from the existing ones.
- To create an address in the pop-up window, click Create or Policy & Objects → Addresses → Create New.
If you need a full mode tunnel where all traffic from remote clients will pass through FortiGate, you need to disable the Enable Split Tunneling parameter.
Another setting is the Enable Web Mode parameter which allows you to enable web mode. Here you can also select:
- the name of the portal (the Portal Message field);
- other settings.
The User Bookmarks option allows users to create their own bookmarks. In the Predefined Bookmarks field, you can create bookmarks centrally for all users. For example, you can create a bookmark for connecting to a remote desktop using the RDP protocol. This completes the configuration of the SSL Tunnel itself.
General SSL VPN Settings
To configure general SSL VPN settings:
- Go to VPN → SSL-VPN Settings.
- Specify the “listening” interface – the external interface to which connections from remote users will come (in this example, wan1), and the port through which they will connect. Please note that when defining a port, it can be the same as others that are designated for administrative access. For example, the default port is 443, which may conflict with the HTTPS port, and FortiGate will display the following message:
- Set the Restrict Access parameter to Allow access from any hosts or, if you need to restrict access, click Limit access to specific hosts and grant access to specific hosts.
- Specify the idle period after which the user will be forced to disconnect from the VPN by enabling the Idle Logout parameter and specifying the period in the Inactive For parameter (300 seconds by default).
- Select the Server Certificate. This certificate is used for authentication and for encrypting SSL VPN traffic. The default one is Fortinet_Factory. It is possible to work with the default built-in certificate, but users will receive a warning that the certificate is invalid, since there is no CA certificate in the certificate store that signed the current SSL certificate. We recommend purchasing a certificate for your server and upload it for authentication.
Adding a Certificate for Authentication
To add a cerrificate:
- Go to System → Certificates.
- Ensure that Certificates is enabled in System → Feature Visibility
- Select Import → Local Certificate.
- Set Type to Certificate in the new window.
- Choose Certificate file and the Key file for your certificate, and enter the Password.
- The server certificate now appears in the list of Certificates.
- Install the CA certificate — the certificate that signs both the server certificate and the user certificate. It is used, for example, to authenticate SSL VPN users. Select *Import → CA Certificate** in the System → Certificates section.
- Set Type — File in the new window and upload the certificate file.
- The CA certificate now appears in the list of External CA Certificates.
Configure PKI users and a user group. To use certificate authentication, use the CLI to create PKI users:
config user peer edit pki01 set ca CA_Cert_Name set subject User_Name next end
Ensure that the subject matches the name of the user certificate. When you create a PKI user, a new menu is added to the GUI.
Go to User & Authentication → PKI to see the new user.
Click Edit to edit the user account and enable Two-factor authentication.
Ensure that this user is in the SSL VPN user group that you created earlier (see Creating a User Group).
You can also verify remote users certificates by enabling Require Client Certificate. In the Authentication/Portal Mapping section, you need to map the SSL portal to a user group. By default, all users have access to the same portals. This table allows you to map different portals to different user groups. Create a new entry in the table by clicking Create New and defining the portal and user group. Once configured, click Apply and start creating your security policy.
In order for users to successfully connect to our VPN and have the necessary access, you need to create a policy that allows access from the ssl.root interface to the local network interface:
- Go to Policy & Objects → Firewall Policy → Create New.
- Fill in the firewall policy name. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
- Set the outgoing interface. In this example, it is the internal lan interface.
- Specify the previously created user group (SSLVPNGROUP in this example) and the all address object in the Source field.
- Select the required local network in the Destination field.
- Configure any remaining options as desired and save the policy.
You can download FortiClient for free on the official website. FortiClient is compatible with multiple platforms that offer free SSL VPNs. You can also purchase a license for the client, which provides additional features and technical support. The specifics of use and compatibility can also be found on the official website in the Technical Specification section.
To configure a connection on the client:
- Go to the REMOTE ACCESS section and select SSL-VPN.
- Specify the connection name, FortiGate IP address, and the port through which the client connects (it was configured at the General SSL VPN settings).
- If necessary, specify the certificates and authentication parameters (either request a username and password each time you connect, or save the username).
- Save this connection.
- Try to connect with the connection name, username, and password.
- If the connection is successful, the following window will appear:
If earlier the SSL-portal had web mode enabled, then you can connect using the browser or use the created bookmark without using FortiClient:
- Enter your FortiGate address and the port through which the connection is available in the address bar (see the General SSL VPN settings step).
- Log in with your username and password.
- If the connection is successful, the following window with the bookmark will appear.