Fortinet white logo
Fortinet white logo

Administration Guide

SSL VPN best practices

SSL VPN best practices

Securing remote access to network resources is a critical part of security operations. SSL VPN allows administrators to configure, administer, and deploy a remote access strategy for their remote workers. When not in use, SSL VPN can be disabled.

Choosing the correct mode of operation and applying the proper levels of security are integral to providing optimal performance and user experience, and keeping your user data safe.

  • Tunnel mode: Establish an SSL VPN tunnel using FortiClient to support a wide range of applications and provide a transparent end user experience that is easy to configure and administer.
  • Web mode: Provide clientless network access to a limited set of applications using an SSL VPN Web Portal that is accessed using a web browser over HTTPS.

The below guidelines outline selecting the correct SSL VPN mode for your deployment and employing best practices to ensure that your data are protected.

Information about SSL VPN throughput and maximum concurrent users is available on your device's datasheet; see Next-Generation Firewalls Models and Specifications.

Note

By default, SSL VPN tunnel mode settings and the VPN > SSL-VPN menus are hidden from the GUI.

To enable SSL VPN feature visibility in the GUI, go to System > Feature Visibility, enable SSL-VPN, and click Apply.

To enable SSL VPN feature visibility in the CLI, enter:

config system settings
    set gui-sslvpn enable
end
Note

By default, SSL VPN web mode settings are disabled and hidden from the GUI and the CLI.

To enable SSL VPN web mode, enter:

config system global
    set sslvpn-web-mode enable
end

If this setting is disabled, even though SSL VPN tunnel mode can be correctly configured, when trying to access SSL VPN web mode using the SSL VPN portal by navigating to the listening IP address, domain, and port using a web browser, an error message will appear.

Note

Alternative remote access solutions in FortiOS are IPsec VPN and ZTNA.

Note

Ensure you always upgrade your FortiGate to the latest FortiOS firmware version. This ensures you are running the latest SSL VPN security enhancements to protect your VPN deployment.

Tunnel mode

In tunnel mode, the SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate through an SSL VPN tunnel over the HTTPS link between the user and the FortiGate. SSL VPN tunnel mode provides an easy-to-use encrypted tunnel that will traverse almost any infrastructure.

The FortiGate establishes a tunnel with the client, and assigns an IP address to the client from a range of reserved addresses. While the underlying protocols are different, the outcome is very similar to an IPsec VPN tunnel. All client traffic is encrypted, allowing the users and networks to exchange a wide range of traffic, regardless of the application or protocols.

Use this mode if you require:

  • A wide range of applications and protocols to be accessed by the remote client.

  • No proxying is done by the FortiGate.

  • Straightforward configuration and administration, as traffic is controlled by firewall policies.

  • A transparent experience for the end user. For example, a user that needs to RDP to their server only requires a tunnel connection; they can then use the usual client application, like Windows Remote Desktop, to connect.

Full tunneling forces all traffic to pass through the FortiGate (see SSL VPN full tunnel for remote user). Split tunneling only routes traffic to the designated network through the FortiGate (see SSL VPN split tunnel for remote user).

Note

Avoid setting all as the destination address in a firewall policy when the user or group associated with that policy is using a portal with Split tunneling enabled. Setting all as the destination address will cause portal to function as a full tunnel, potentially leading to misconfigurations and complicating troubleshooting efforts.

Limitations

Tunnel mode requires that the FortiClient VPN client be installed on the remote end. The standalone FortiClient VPN client is free to use, and can accommodate SSL VPN and IPsec VPN tunnels. For supported operating systems, see the FortiClient Technical Specifications.

SSL VPN encrypts traffic using TLS and uses TCP as the transport layer. Therefore, SSL VPN is subject to retransmission issues that can occur with TCP-in-TCP that result in lower VPN throughput. For optimal SSL VPN throughput, consider enabling DTLS support. See DTLS support.

For the highest VPN throughput, consider configuring dialup IPsec VPN instead. See FortiClient as dialup client.

Web mode

Web-only mode provides clientless network access using a web browser with built-in SSL encryption. Users authenticate to FortiGate's SSL VPN Web Portal, which provides access to network services and resources, including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, and SSH. When a user starts a connection to a server from the web portal, FortiOS proxies this communication with the server. All communication between the FortiGate and the user continues to be over HTTPS, regardless of the service that is being accessed.

The clipboard can be disabled for SSL VPN web mode RDP/VNC connections, see Disable the clipboard in SSL VPN web mode RDP connections.

Use this mode if you require:

  • A clientless solution in which all remote services are access through a web portal.
  • Tight control over the contents of the web portal.
  • Limited services provided to the remote users.
Note

Do not set the virtual IP addresses as the destination address in a firewall policy when using SSL VPN web mode, as it will result in no destination address being accessible. Please note that the FortiOS SSL VPN web mode does not support mapping the virtual IP to the actual one.

Limitations

  • Multiple applications and protocols are not supported.
  • VNC and RDP access might have limitations, such as certain shortcut keys not being supported.
  • In some configurations RDP can consume a significant amount of memory and CPU time.
  • Firewall performance might decrease as remote usage increases.
  • Highly customized web pages might not render correctly.

Security best practices

See SSL VPN security best practices for more information.

SSL VPN best practices

SSL VPN best practices

Securing remote access to network resources is a critical part of security operations. SSL VPN allows administrators to configure, administer, and deploy a remote access strategy for their remote workers. When not in use, SSL VPN can be disabled.

Choosing the correct mode of operation and applying the proper levels of security are integral to providing optimal performance and user experience, and keeping your user data safe.

  • Tunnel mode: Establish an SSL VPN tunnel using FortiClient to support a wide range of applications and provide a transparent end user experience that is easy to configure and administer.
  • Web mode: Provide clientless network access to a limited set of applications using an SSL VPN Web Portal that is accessed using a web browser over HTTPS.

The below guidelines outline selecting the correct SSL VPN mode for your deployment and employing best practices to ensure that your data are protected.

Information about SSL VPN throughput and maximum concurrent users is available on your device's datasheet; see Next-Generation Firewalls Models and Specifications.

Note

By default, SSL VPN tunnel mode settings and the VPN > SSL-VPN menus are hidden from the GUI.

To enable SSL VPN feature visibility in the GUI, go to System > Feature Visibility, enable SSL-VPN, and click Apply.

To enable SSL VPN feature visibility in the CLI, enter:

config system settings
    set gui-sslvpn enable
end
Note

By default, SSL VPN web mode settings are disabled and hidden from the GUI and the CLI.

To enable SSL VPN web mode, enter:

config system global
    set sslvpn-web-mode enable
end

If this setting is disabled, even though SSL VPN tunnel mode can be correctly configured, when trying to access SSL VPN web mode using the SSL VPN portal by navigating to the listening IP address, domain, and port using a web browser, an error message will appear.

Note

Alternative remote access solutions in FortiOS are IPsec VPN and ZTNA.

Note

Ensure you always upgrade your FortiGate to the latest FortiOS firmware version. This ensures you are running the latest SSL VPN security enhancements to protect your VPN deployment.

Tunnel mode

In tunnel mode, the SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate through an SSL VPN tunnel over the HTTPS link between the user and the FortiGate. SSL VPN tunnel mode provides an easy-to-use encrypted tunnel that will traverse almost any infrastructure.

The FortiGate establishes a tunnel with the client, and assigns an IP address to the client from a range of reserved addresses. While the underlying protocols are different, the outcome is very similar to an IPsec VPN tunnel. All client traffic is encrypted, allowing the users and networks to exchange a wide range of traffic, regardless of the application or protocols.

Use this mode if you require:

  • A wide range of applications and protocols to be accessed by the remote client.

  • No proxying is done by the FortiGate.

  • Straightforward configuration and administration, as traffic is controlled by firewall policies.

  • A transparent experience for the end user. For example, a user that needs to RDP to their server only requires a tunnel connection; they can then use the usual client application, like Windows Remote Desktop, to connect.

Full tunneling forces all traffic to pass through the FortiGate (see SSL VPN full tunnel for remote user). Split tunneling only routes traffic to the designated network through the FortiGate (see SSL VPN split tunnel for remote user).

Note

Avoid setting all as the destination address in a firewall policy when the user or group associated with that policy is using a portal with Split tunneling enabled. Setting all as the destination address will cause portal to function as a full tunnel, potentially leading to misconfigurations and complicating troubleshooting efforts.

Limitations

Tunnel mode requires that the FortiClient VPN client be installed on the remote end. The standalone FortiClient VPN client is free to use, and can accommodate SSL VPN and IPsec VPN tunnels. For supported operating systems, see the FortiClient Technical Specifications.

SSL VPN encrypts traffic using TLS and uses TCP as the transport layer. Therefore, SSL VPN is subject to retransmission issues that can occur with TCP-in-TCP that result in lower VPN throughput. For optimal SSL VPN throughput, consider enabling DTLS support. See DTLS support.

For the highest VPN throughput, consider configuring dialup IPsec VPN instead. See FortiClient as dialup client.

Web mode

Web-only mode provides clientless network access using a web browser with built-in SSL encryption. Users authenticate to FortiGate's SSL VPN Web Portal, which provides access to network services and resources, including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, and SSH. When a user starts a connection to a server from the web portal, FortiOS proxies this communication with the server. All communication between the FortiGate and the user continues to be over HTTPS, regardless of the service that is being accessed.

The clipboard can be disabled for SSL VPN web mode RDP/VNC connections, see Disable the clipboard in SSL VPN web mode RDP connections.

Use this mode if you require:

  • A clientless solution in which all remote services are access through a web portal.
  • Tight control over the contents of the web portal.
  • Limited services provided to the remote users.
Note

Do not set the virtual IP addresses as the destination address in a firewall policy when using SSL VPN web mode, as it will result in no destination address being accessible. Please note that the FortiOS SSL VPN web mode does not support mapping the virtual IP to the actual one.

Limitations

  • Multiple applications and protocols are not supported.
  • VNC and RDP access might have limitations, such as certain shortcut keys not being supported.
  • In some configurations RDP can consume a significant amount of memory and CPU time.
  • Firewall performance might decrease as remote usage increases.
  • Highly customized web pages might not render correctly.

Security best practices

See SSL VPN security best practices for more information.