Configuring the SSL VPN

  1. On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.

    Turn off Enable Split Tunneling so that all client traffic, including Internet-bound traffic, is sent through the tunnel.

  2. Go to VPN > SSL-VPN Settings.

    Under Connection Settings, set Listen on Interface(s) to wan1 and Listen on Port to 10443.

    Under Tunnel Mode Client Settings, select Specify custom IP ranges and ensure IP Ranges is set to the default SSLVPN_TUNNEL_IPv6_ADDR1.

    Under Authentication/Portal Mapping, select Create New.

    Map the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access. This gives all other users access to the web portal only.

  3. Go to Policy & Objects > IPv4 Policy and create a new SSL VPN policy.

    Set Incoming Interface to the SSL-VPN tunnel interface.

    Set Outgoing Interface to the Internet-facing interface (in this case, wan1).

    Set Source to the SSLVPNGroup user group and the all address.

    Set Destination to all, Schedule to always, Service to ALL.

    Enable NAT.
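
To confirm that a configuration backup matches steps 1 and 2, the settings can be checked offline. The script below is an added example, not Fortinet code: `parse` and `audit` are hypothetical helpers, the sample backup is constructed, and it assumes the GUI fields appear in the backup under the FortiOS CLI keywords shown in the sample.

```python
import shlex

# Constructed sample of a FortiOS config backup (not taken from the page).
SAMPLE = """
config vpn ssl web portal
    edit "full-access"
        set split-tunneling disable
    next
end
config vpn ssl settings
    set source-interface "wan1"
    set port 10443
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSLVPNGroup"
            set portal "full-access"
        next
    end
end
"""

def parse(text):
    """Turn config/edit/set/next/end nesting into dicts; set values are token lists."""
    stack = [{}]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):      # open a nested table or entry
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] in ("next", "end"):       # close the current entry or table
            stack.pop()
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
    return stack[0]

def audit(cfg):
    """Return the names of the step 1 and 2 settings the config does not satisfy."""
    ssl = cfg.get("vpn ssl settings", {})
    portal = cfg.get("vpn ssl web portal", {}).get("full-access", {})
    has = lambda d, want: all(v in d.get(k, []) for k, v in want.items())
    any_has = lambda table, want: any(has(e, want) for e in table.values())
    checks = {
        # An absent split-tunneling line is treated as "not disabled" (assumption).
        "split tunneling off": has(portal, {"split-tunneling": "disable"}),
        "listen wan1:10443": has(ssl, {"source-interface": "wan1", "port": "10443"}),
        "others -> web-access": has(ssl, {"default-portal": "web-access"}),
        "SSLVPNGroup -> full-access": any_has(ssl.get("authentication-rule", {}),
                                              {"groups": "SSLVPNGroup", "portal": "full-access"}),
    }
    return [name for name, ok in checks.items() if not ok]
```

`audit(parse(SAMPLE))` returns an empty list when every checked setting matches; each returned name identifies a setting that differs from the recipe.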
