SSL VPN
SSL VPN configurations consist of one <options> section, followed by one or more VPN <connection> sections:
```xml
<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        <dnscache_service_control>0</dnscache_service_control>
        <!-- 0=disable dnscache, 1=do not touch dnscache service, 2=restart dnscache service, 3=sc control dnscache paramchange -->
        <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
        <use_legacy_ssl_adapter>1</use_legacy_ssl_adapter>
        <preferred_dtls_tunnel>1</preferred_dtls_tunnel>
        <block_ipv6>0</block_ipv6>
        <no_dhcp_server_route>0</no_dhcp_server_route>
        <no_dns_registration>0</no_dns_registration>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <keep_connection_alive>1</keep_connection_alive>
        <show_auth_cert_only>1</show_auth_cert_only>
      </options>
      <connections>
        <connection>
          <name>SSLVPN_Name</name>
          <description>Optional_Description</description>
          <server>ssldemo.fortinet.com:10443</server>
          <username>Encrypted/NonEncrypted_UsernameString</username>
          <single_user_mode>0</single_user_mode>
          <disclaimer_msg></disclaimer_msg>
          <redundant_sort_method>0</redundant_sort_method>
          <sso_enabled>1</sso_enabled>
          <use_external_browser>1</use_external_browser>
          <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
          <machine>1</machine>
          <dual_stack>0</dual_stack>
          <keep_running>0</keep_running>
          <ui>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
            <save_username>0</save_username>
          </ui>
          <password>Encrypted/NonEncrypted_PasswordString</password>
          <certificate/>
          <allow_standard_user_use_system_cert>0</allow_standard_user_use_system_cert>
          <prompt_certificate>0</prompt_certificate>
          <prompt_username>0</prompt_username>
          <fgt>1</fgt>
          <on_connect>
            <script>
              <os>windows</os>
              <script>
                <![CDATA[test]]>
              </script>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script>
                <![CDATA[]]>
              </script>
            </script>
          </on_disconnect>
          <traffic_control>
            <enabled>1</enabled>
            <mode>2</mode>
            <enable_local_lan>1</enable_local_lan>
            <apps>
              <app>%LOCALAPPDATA%\Microsoft\Teams\Current\Teams.exe</app>
              <app>%appdata%\Zoom\bin\Zoom.exe</app>
              <app>C:\Program Files (x86)\Microsoft\Skype for Desktop\skype.exe</app>
              <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mcomm.exe</app>
              <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mlauncher.exe</app>
              <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mstart.exe</app>
            </apps>
            <fqdns>
              <fqdn>webex.com</fqdn>
              <fqdn>gotomeeting.com</fqdn>
              <fqdn>youtube.com</fqdn>
            </fqdns>
          </traffic_control>
          <tags>
            <allowed>NoVuln</allowed>
            <prohibited>CriticalVuln</prohibited>
          </tags>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
```
The following table provides the SSL VPN XML tags, as well as the descriptions and default values where applicable.

The <connections> XML tag may contain one or more <connection> elements. Each <connection> has the following:

- Information used to establish an SSL VPN connection
- on_connect: a script to run right after a successful connection
- on_disconnect: a script to run just after a disconnection

The following table provides VPN connection XML tags, the description, and the default value (where applicable).
| XML tag | Description | Default value |
|---|---|---|
| <name> | VPN connection name. | |
| <description> | Optional description to identify the VPN connection. | |
| <server> | SSL server IP address or FQDN, along with the port number as applicable. | Default port number: 443 |
| <username> | Encrypted or non-encrypted username on the SSL server. | |
| <single_user_mode> | Enable single user mode. If enabled, new and existing VPN connections cannot be established or are disconnected if more than one user is logged on to the computer. Boolean value: | 0 |
| <disclaimer_msg> | Enter a disclaimer message that appears when the user attempts a VPN connection. The user must accept the message to allow the connection. | |
| <redundant_sort_method> | How FortiClient determines the order in which to try connecting to the SSL VPN servers when more than one is defined. FortiClient calculates the order before each SSL VPN connection attempt. | 0 |
| <sso_enabled> | Enable SAML SSO for the VPN tunnel. For this feature to function, the administrator must have configured the necessary options on the Service Provider and Identity Provider. See SAML support for SSL VPN. | |
| <use_external_browser> | Display the SAML authentication prompt in an external browser instead of in the FortiClient GUI. See Using a browser as an external user-agent for SAML authentication in an SSL VPN connection. | |
| <warn_invalid_server_certificate> | Display a warning message if the server certificate is invalid. EMS automatically copies this setting to each SSL VPN tunnel. Boolean value: | 0 |
| <machine> | When this setting is 1, FortiClient can connect to the tunnel without user interaction. Boolean value: | |
| <dual_stack> | Enable or disable FortiClient to establish a dual stack SSL VPN tunnel to allow both IPv4 and IPv6 traffic to pass through. See Dual stack IPv4 and IPv6 support for SSL VPN. The following summarizes what occurs when dual stack settings differ between FortiClient and FortiOS: Boolean value: | |
| <keep_running> | Ensures that the VPN tunnel remains connected if it is already connected. This is useful when a temporary network disconnection causes the tunnel to drop the connection. | 0 |
| <password> | Given user's encrypted or non-encrypted password. | |
| <certificate> | The XML sample provided above only shows XML configuration when using a username and password. See Sample XML using certificate authentication for an example of XML configuration for certificate authentication. | |
| <common_name> | Elements for the common name of the certificate for VPN logon. | |
| <match_type> | Enter the type of matching to use: | |
| <pattern> | Enter the pattern to use for the type of matching. | |
| <issuer> | Elements about the issuer of the certificate for VPN logon. | |
| <match_type> | Enter the type of matching to use: | |
| <pattern> | Enter the pattern to use for the type of matching. | |
| <allow_standard_user_use_system_cert> | When this setting is Boolean value: | 0 |
| <prompt_certificate> | Request a certificate during connection establishment. Boolean value: | 0 |
| <prompt_username> | Request a username. Boolean value: | 1 |
| <fgt> | Indicates whether FortiClient received a VPN configuration from FortiGate or EMS. When this setting is Boolean value: | |
| <ui> | The FortiGate sets the elements of the | |
| <show_remember_password> | Display the Save Password checkbox in the console. Boolean value: | |
| <show_alwaysup> | Display the Always Up checkbox in the console. Boolean value: | |
| <show_autoconnect> | Display the Auto Connect checkbox in the console. Boolean value: | |
| <save_username> | Save and display the last username used for the VPN connection. Boolean value: | |
| <traffic_control> | | |
| <enabled> | To enable the feature, enter Boolean value: | |
| <mode> | Enter | |
| <app> | Specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces at the head or tail of a path, and do not add double quotes to full paths that contain spaces. To find a running application's full path, on the Details tab in Task Manager, add the Image path name column. Once the VPN tunnel is up, FortiClient binds the specified applications to the physical interface. In the example, for the GoToMeeting path, 18068 refers to the currently installed version of the GoToMeeting application. | |
| <enable_local_lan> | Enable access to local resources while an application-based split tunnel with an exclusion rule configured is up. If this option is disabled, access to local resources may be denied while such a split tunnel is up. Boolean value: | 1 |
| <fqdn> | Specify which FQDN traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. The FQDN's resolved IP address is dynamically added to the route table when in use, and is removed after disconnection. In the example, youtube.com covers both youtube.com and *.youtube.com. After defining an FQDN such as youtube.com, if you use any popular browser such as Chrome, Edge, or Firefox to access youtube.com, this traffic does not go through the VPN tunnel. | |
| <tags> | | |
| <allowed> | Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient allows the endpoint to connect to the VPN tunnel. | |
| <prohibited> | Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient denies the endpoint from connecting to the VPN tunnel. | |

The VPN connection name is mandatory. If a connection of this type and this name already exists, FortiClient overwrites its values with the new ones.
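As an added example (not part of the FortiClient documentation or the product itself), the following Python script parses a profile in the layout above and reports the settings a reviewer would want to look at before deployment: whether invalid server certificates are rejected or at least warned about, whether a password is embedded in the profile, which application and FQDN split-tunnel exclusions send traffic around the tunnel, and whether a Zero Trust allowed tag gates the connection. The sample profile, the connection name, the server and the credential values are constructed for this example.

```python
"""Audit a FortiClient SSL VPN XML profile for settings worth reviewing."""
import xml.etree.ElementTree as ET

# Constructed sample profile for this example; it follows the tag layout of the
# SSL VPN reference, but none of the values come from a real deployment.
SAMPLE_PROFILE = """<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
      </options>
      <connections>
        <connection>
          <name>Corp-SSLVPN</name>
          <server>vpn.example.invalid:10443</server>
          <username>jdoe</username>
          <password>not-a-real-secret</password>
          <warn_invalid_server_certificate>0</warn_invalid_server_certificate>
          <traffic_control>
            <enabled>1</enabled>
            <mode>2</mode>
            <enable_local_lan>1</enable_local_lan>
            <apps><app>%appdata%\\Zoom\\bin\\Zoom.exe</app></apps>
            <fqdns><fqdn>youtube.com</fqdn></fqdns>
          </traffic_control>
          <tags>
            <allowed>NoVuln</allowed>
            <prohibited>CriticalVuln</prohibited>
          </tags>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""


def _text(elem, path, default=""):
    """Stripped text of the first child matching path, or default if absent."""
    child = elem.find(path)
    return (child.text or "").strip() if child is not None else default


def audit_profile(xml_text):
    """Return (scope, finding) pairs; an empty list means nothing to flag."""
    root = ET.fromstring(xml_text)
    findings = []

    # Global option: 0 means FortiClient still connects to servers whose certificate fails validation.
    options = root.find("./vpn/sslvpn/options")
    if options is None or _text(options, "disallow_invalid_server_certificate", "0") != "1":
        findings.append(("<options>",
                         "invalid server certificates are not rejected "
                         "(disallow_invalid_server_certificate is not 1)"))

    for conn in root.iterfind("./vpn/sslvpn/connections/connection"):
        name = _text(conn, "name")
        if not name:
            name = "<unnamed>"
            findings.append((name, "connection name is mandatory but missing"))
        # Per-connection warning; the table lists its default as 0.
        if _text(conn, "warn_invalid_server_certificate", "0") != "1":
            findings.append((name, "no warning shown on an invalid server certificate"))
        # The page allows encrypted or non-encrypted values; flag either for review.
        if _text(conn, "password"):
            findings.append((name, "password element is populated; confirm it is the encrypted form"))
        # Application/FQDN exclusions are bound to the physical interface, i.e. outside the tunnel.
        tc = conn.find("traffic_control")
        if tc is not None and _text(tc, "enabled") == "1":
            excluded = [a.text.strip() for a in tc.iterfind("apps/app")]
            excluded += [f.text.strip() for f in tc.iterfind("fqdns/fqdn")]
            findings.append((name, "split-tunnel exclusions bypass the VPN: " + ", ".join(excluded)))
        # Without an allowed tag, EMS posture tagging does not gate this tunnel.
        if not _text(conn, "tags/allowed"):
            findings.append((name, "no Zero Trust allowed tag gates this connection"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_profile(SAMPLE_PROFILE):
        print(f"{scope}: {finding}")
```

Run against the constructed profile it reports four findings; setting both certificate flags to 1 and clearing the password leaves only the split-tunnel inventory, which is informational rather than a defect.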
Sample XML using certificate authentication
```xml
<sslvpn>
  ...
  <connections>
    <connection>
      ...
      <certificate>
        <common_name>
          <match_type>
            <![CDATA[wildcard]]>
          </match_type>
          <pattern>
            <![CDATA[*]]>
          </pattern>
        </common_name>
        <issuer>
          <match_type>
            <![CDATA[simple]]>
          </match_type>
          <pattern>
            <![CDATA[Certificate Authority]]>
          </pattern>
        </issuer>
      </certificate>
      ...
    </connection>
  </connections>
  ...
</sslvpn>
```
This is a balanced but incomplete XML configuration fragment. It includes all closing tags, but omits some important elements to complete the configuration.
See the first XML sample in this topic for a more complete XML configuration example using a username and password for authentication.
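An added example, not from the documentation or the product: evaluating a <common_name> and <issuer> selector in the layout above against a set of candidate client certificates. The page names the match types wildcard and simple but does not define them, so the code assumes that simple is an exact, case-insensitive comparison and that wildcard is a glob in which * and ? match any characters. The selector patterns and the candidate certificates are constructed.

```python
"""Evaluate a FortiClient <certificate> selector against candidate certificates."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed selector in the layout of the certificate-authentication sample;
# the pattern values are invented for this example.
CERT_RULES_XML = """<certificate>
  <common_name>
    <match_type><![CDATA[wildcard]]></match_type>
    <pattern><![CDATA[*.corp.example]]></pattern>
  </common_name>
  <issuer>
    <match_type><![CDATA[simple]]></match_type>
    <pattern><![CDATA[Example Corp Issuing CA]]></pattern>
  </issuer>
</certificate>
"""

# Constructed candidate client certificates as (subject common name, issuer) pairs.
CANDIDATES = [
    ("laptop-042.corp.example", "Example Corp Issuing CA"),
    ("laptop-042.corp.example", "Example Corp Root CA"),  # wrong issuer
    ("guest-device", "Example Corp Issuing CA"),          # CN outside the wildcard
]


def _rule(cert, tag):
    """(match_type, pattern) for <common_name> or <issuer>, or None if absent."""
    node = cert.find(tag)
    if node is None:
        return None
    return ((node.findtext("match_type") or "").strip().lower(),
            (node.findtext("pattern") or "").strip())


def _matches(rule, value):
    """Assumed semantics (the page does not define them): 'simple' is an exact,
    case-insensitive comparison; 'wildcard' is a glob where * and ? match anything."""
    if rule is None:
        return True  # no rule for this field means no constraint
    match_type, pattern = rule
    if match_type == "simple":
        return value.lower() == pattern.lower()
    if match_type == "wildcard":
        return fnmatch.fnmatchcase(value.lower(), pattern.lower())
    raise ValueError(f"unknown match_type {match_type!r}")


def select_certificates(rules_xml, candidates):
    """Return the candidates that satisfy both the common-name and issuer rules."""
    cert = ET.fromstring(rules_xml)
    cn_rule, issuer_rule = _rule(cert, "common_name"), _rule(cert, "issuer")
    return [(cn, issuer) for cn, issuer in candidates
            if _matches(cn_rule, cn) and _matches(issuer_rule, issuer)]


if __name__ == "__main__":
    for cn, issuer in select_certificates(CERT_RULES_XML, CANDIDATES):
        print(f"selected: CN={cn} issuer={issuer}")
```

The issuer rule is what keeps the selection meaningful: the page's own sample uses a bare * for the common name, which accepts any subject, so the simple match on the issuer is the only constraint left.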
The <on_connect> and <on_disconnect> tags both have a very similar tag structure:
```xml
<on_connect>
  <script>
    <os>windows</os>
    <script>
      <![CDATA[
      ]]>
    </script>
  </script>
</on_connect>
<on_disconnect>
  <script>
    <os>windows</os>
    <script>
      <![CDATA[
      ]]>
    </script>
  </script>
</on_disconnect>
```
The following table provides the CDATA XML tags, the description, and the default value (where applicable):

| XML tag | Description | Default value |
|---|---|---|
| <os> | The OS for which the script is written. Enter one of the following: | |
| <script> | The MS DOS batch or macOS shell script to run. | |
| <![CDATA[ ]]> | Wraps the script in a CDATA element. | |
Write the MS DOS batch or macOS shell script inside the CDATA tag. Write one line per command, as in a regular batch script file. The script is executed in the context of the user that connected the tunnel. Wherever you write Remember to check your XML file before deploying to ensure that carriage returns/line feeds are present.
The example scripts above show a script that mounts several network drives after an SSL connection is established. The drives are unmounted with the corresponding scripts in the <on_disconnect> XML tag.

The <on_connect> and <on_disconnect> scripts are optional.
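An added example, not part of the documentation or the product: a Python pre-deployment check for the script sections above. It inventories each <on_connect> and <on_disconnect> script per OS (worth reviewing, since these run in the context of the connecting user) and, on the raw text before XML parsing, counts CRLF versus bare LF line breaks inside each CDATA body; this has to happen before parsing because an XML parser normalizes line endings and would hide a missing carriage return. The connection fragment and the net use commands in it are constructed.

```python
"""Pre-deployment checks for <on_connect>/<on_disconnect> scripts in a profile."""
import re
import xml.etree.ElementTree as ET

# Constructed connection fragment; the net use commands are placeholders for the
# kind of drive-mapping script the reference describes, not a real deployment.
CONNECTION_XML = (
    "<connection>\r\n"
    "<name>Corp-SSLVPN</name>\r\n"
    "<on_connect><script><os>windows</os><script><![CDATA["
    "net use H: \\\\fileserver.example\\home /persistent:no\r\n"
    "net use S: \\\\fileserver.example\\shared /persistent:no\r\n"
    "]]></script></script></on_connect>\r\n"
    "<on_disconnect><script><os>windows</os><script><![CDATA["
    "net use H: /delete /y\n"   # bare LF on purpose: the line-ending check flags it
    "net use S: /delete /y\n"
    "]]></script></script></on_disconnect>\r\n"
    "</connection>"
)

# Matches the body of each CDATA section in the raw XML text.
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)


def inventory_scripts(connection_xml):
    """List (event, os, commands) for every script block in the connection."""
    conn = ET.fromstring(connection_xml)
    found = []
    for event in ("on_connect", "on_disconnect"):
        for outer in conn.iterfind(f"{event}/script"):
            os_name = (outer.findtext("os") or "").strip().lower()
            body = outer.findtext("script") or ""   # inner <script> holds the CDATA text
            commands = [line.strip() for line in body.splitlines() if line.strip()]
            found.append((event, os_name, commands))
    return found


def cdata_line_endings(raw_xml):
    """Per CDATA body, in document order: (crlf_count, bare_lf_count).
    Run this on the raw text: once parsed, CRLF has already become LF."""
    report = []
    for body in CDATA_RE.findall(raw_xml):
        crlf = body.count("\r\n")
        report.append((crlf, body.count("\n") - crlf))
    return report


if __name__ == "__main__":
    for event, os_name, commands in inventory_scripts(CONNECTION_XML):
        print(f"{event} [{os_name}]: {len(commands)} command(s)")
        for cmd in commands:
            print("   ", cmd)
    for idx, (crlf, bare_lf) in enumerate(cdata_line_endings(CONNECTION_XML)):
        status = "ok" if bare_lf == 0 else f"{bare_lf} bare LF line break(s)"
        print(f"CDATA block {idx}: {crlf} CRLF, {status}")
```

For the constructed fragment the second CDATA block is reported with bare LF breaks only, which is the case the reference warns about for Windows batch scripts.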