Administration Guide

Configuring an SSL VPN connection

To configure an SSL VPN connection:
  1. On the Remote Access tab, click Configure VPN.
  2. Select SSL-VPN, then configure the following settings:

    Connection Name

    Enter a name for the connection.

    Description

    (Optional) Enter a description for the connection.

    Remote Gateway

    Enter the remote gateway's IP address/hostname. You can configure multiple remote gateways by separating each entry with a semicolon. If one gateway is not available, the VPN connects to the next configured gateway.

    Customize port

    Change the port. The default port is 443.

    Enable Single Sign On (SSO) for VPN Tunnel

    Enable SAML SSO for the VPN tunnel. For this feature to function, the administrator must have configured the necessary options on the Service Provider and Identity Provider. See SAML support for SSL VPN.

    Use external browser as user-agent for saml user authentication

    FortiClient can use a browser as an external user-agent to perform SAML authentication for SSL VPN tunnel mode, instead of the FortiClient embedded login window. If a user has already authenticated using SAML in the default browser, they do not need to reauthenticate in the FortiClient built-in browser. Available if Enable Single Sign On (SSO) for VPN Tunnel is enabled. See Using a browser as an external user-agent for SAML authentication in an SSL VPN connection.

    Client Certificate

    Select Prompt on connect or the certificate from the dropdown list.

    Authentication

    Select Prompt on login or Save login. The Disable option is available when Prompt on connect or a certificate is configured for Client Certificate.

    Username

    If you selected Save login, enter the username to save for the login.

    Enable Dual-stack IPv4/IPv6 address

    Enable or disable FortiClient to establish a dual stack SSL VPN tunnel to allow both IPv4 and IPv6 traffic to pass through. See Dual stack IPv4 and IPv6 support for SSL VPN.

    +

    Select the add icon to add a new connection.

    -

    Select a connection and then select the delete icon to delete a connection.

  3. Click Save to save the VPN connection.
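The settings above carry a few dependencies that are easy to get wrong when connection profiles are prepared in bulk: the external-browser SAML option only applies when SSO is enabled, Disable is only offered for Authentication when a Client Certificate is configured, Save login needs a Username, and the Remote Gateway field is a semicolon-separated list that FortiClient walks in order until one gateway answers. The following is an added example (not FortiClient's own code or configuration format) that models a profile with those rules, validates it, and reproduces the ordered gateway failover with a pluggable reachability probe. The class and function names, and the sample hostnames, are constructed for illustration.

```python
"""Validate an SSL VPN connection profile and pick the first reachable gateway.

Added illustration of the settings described in the guide; the names below
(SslVpnProfile, validate, select_gateway) are assumptions, not FortiClient APIs.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

AUTH_MODES = ("Prompt on login", "Save login", "Disable")


@dataclass
class SslVpnProfile:
    connection_name: str
    remote_gateway: str                        # "host1;host2" as in the Remote Gateway field
    port: int = 443                            # default port per the guide
    sso_enabled: bool = False                  # Enable Single Sign On (SSO) for VPN Tunnel
    external_browser_saml: bool = False        # Use external browser as user-agent for SAML
    client_certificate: Optional[str] = None   # None, "Prompt on connect", or a certificate name
    authentication: str = "Prompt on login"
    username: str = ""
    dual_stack: bool = False                   # Enable Dual-stack IPv4/IPv6 address
    description: str = ""


def parse_gateways(remote_gateway: str) -> List[str]:
    """Split the Remote Gateway field on semicolons, keeping the configured order."""
    return [g.strip() for g in remote_gateway.split(";") if g.strip()]


def validate(profile: SslVpnProfile) -> List[str]:
    """Return a list of problems; an empty list means the profile is consistent."""
    errors: List[str] = []
    if not profile.connection_name.strip():
        errors.append("Connection Name is required")
    if not parse_gateways(profile.remote_gateway):
        errors.append("Remote Gateway must list at least one IP address or hostname")
    if not 1 <= profile.port <= 65535:
        errors.append("Customize port must be between 1 and 65535")
    if profile.external_browser_saml and not profile.sso_enabled:
        errors.append("External browser SAML requires Enable Single Sign On (SSO) for VPN Tunnel")
    if profile.authentication not in AUTH_MODES:
        errors.append(f"Authentication must be one of {AUTH_MODES}")
    if profile.authentication == "Disable" and profile.client_certificate is None:
        errors.append("Disable is only available when a Client Certificate is configured")
    if profile.authentication == "Save login" and not profile.username.strip():
        errors.append("Save login requires a Username")
    return errors


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: can a TCP connection to host:port be opened within the timeout?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_gateway(profile: SslVpnProfile,
                   reachable: Callable[[str, int], bool] = tcp_reachable) -> Optional[str]:
    """Walk the gateways in configured order and return the first reachable one.

    Mirrors the guide's failover rule: if one gateway is not available, try the next.
    Returns None when no configured gateway answers.
    """
    for gateway in parse_gateways(profile.remote_gateway):
        if reachable(gateway, profile.port):
            return gateway
    return None


if __name__ == "__main__":
    # Constructed sample profile; the hostnames are placeholders.
    sample = SslVpnProfile(
        connection_name="Head office",
        remote_gateway="vpn1.example.invalid; vpn2.example.invalid",
        port=10443,
        sso_enabled=True,
        external_browser_saml=True,
    )
    print("validation:", validate(sample) or "ok")
    # Offline stand-in for tcp_reachable: pretend only the second gateway answers.
    fake_probe = lambda host, port: host == "vpn2.example.invalid"
    print("selected gateway:", select_gateway(sample, fake_probe))
```

Run the block directly to see the sample validated and the second gateway chosen by the offline probe; pass `tcp_reachable` (the default) to `select_gateway` to probe real hosts on the configured port.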
Note: FortiClient supports split DNS tunneling for SSL VPN portals, which allows you to specify which domains the DNS server specified by the VPN resolves, while the DNS specified locally resolves all other domains. This requires configuring split DNS support in FortiOS. Microsoft Windows 8.1 does not support this feature.

Note: If using FortiClient on a Windows Server 2016 machine, ensure that you disable IE Enhanced Security. Otherwise, SSL VPN may not function as configured.
