Fortinet white logo
Fortinet white logo

Cookbook

Configuring the SSL-VPN

Configuring the SSL-VPN

To configure the SSL-VPN:
  1. On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.
  2. Toggle Enable Split Tunneling so that it is disabled.

  3. Go to VPN > SSL-VPN Settings.
  4. Under Connection Settings set Listen on Interface(s) to wan1 and Listen on Port to 10443.

    Under Tunnel Mode Client Settings, select Specify custom IP ranges. The IP Ranges should be set to SSLVPN_TUNNEL_ADDR1 and the IPv6 version by default.

    Under Authentication/Portal Mapping, select Create New.

    Set the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access — this will grant all other users access to the web portal only.

  5. Then go to Policy & Objects > IPv4 Policy and create a new SSL VPN policy.
  6. Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing interface (in this case, wan1).

    Set Source to the SSLVPNGroup user group and the all address.

    Set Destination to all, Schedule to always, Service to ALL, and enable NAT.

Configuring the SSL-VPN

Configuring the SSL-VPN

To configure the SSL-VPN:
  1. On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.
  2. Toggle Enable Split Tunneling so that it is disabled.

  3. Go to VPN > SSL-VPN Settings.
  4. Under Connection Settings set Listen on Interface(s) to wan1 and Listen on Port to 10443.

    Under Tunnel Mode Client Settings, select Specify custom IP ranges. The IP Ranges should be set to SSLVPN_TUNNEL_ADDR1 and the IPv6 version by default.

    Under Authentication/Portal Mapping, select Create New.

    Set the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access — this will grant all other users access to the web portal only.

  5. Then go to Policy & Objects > IPv4 Policy and create a new SSL VPN policy.
  6. Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing interface (in this case, wan1).

    Set Source to the SSLVPNGroup user group and the all address.

    Set Destination to all, Schedule to always, Service to ALL, and enable NAT.