
Administration Guide

FortiGate SSL VPN configuration

The SSL VPN configuration is comprised of these parts:

  • SSL VPN portal
  • SSL VPN realm
  • SSL VPN settings
  • Firewall policy
To configure the SSL VPN portal:

You can use the default full-access or tunnel-access profile. Ensure that under Tunnel mode, split tunneling is configured and enabled based on policy destination. You can configure additional settings as needed.

To configure the SSL VPN realm:
  1. Go to System > Feature Visibility.
  2. Enable SSL-VPN Realms.
  3. Click Apply.
  4. Under VPN > SSL-VPN Realms, click Create New.
  5. Enter the URL path pki-ldap-machine.
  6. Click OK to save.
To configure the SSL VPN settings:
  1. Go to System > SSL-VPN Settings.
  2. Input the following values:

    Field                     Value
    Enable SSL-VPN            Enable
    Listen on Interface(s)    port3
    Listen on Port            10443
    Server Certificate        ztna-wildcard (the Windows certificate authority issues this wildcard server certificate)
    DNS Server                Specify
    DNS Server #1             10.88.0.1

  3. Under Authentication/Portal Mapping, click Create New to create a new mapping.
  4. Set Users/Groups to PKI-Machine-Group.
  5. Set Realm to Specify.
  6. Select the /pki-ldap-machine realm.
  7. Set the portal to full-access.
  8. Click OK to save.
  9. Edit the All Other Users/Groups entry:
    1. Set portal to no-access.
    2. Click OK to save.
To configure the firewall policy:
  1. From Policy & Objects > Firewall Policy, click Create New to create a new policy.
  2. Input the following values:

    Field                 Value
    Name                  VPN-Machine
    Incoming Interface    SSL-VPN tunnel interface (ssl.root)
    Outgoing Interface    port2
    Source                all, PKI-Machine-Group
    Destination           Create an address object for the web server 10.88.0.3/32 and any other servers that must be accessed.
    Schedule              always
    Service               ALL
    Action                ACCEPT
    Log Allow Traffic     Enabled, All Sessions

  3. Configure any other security profile settings as needed.
  4. Click OK to save.