Fortinet black logo

Cookbook

Configuring the SSL VPN

Copy Link
Copy Doc ID a4a06ec3-12a7-11e9-b86b-00505692583a:807794
Download PDF

Configuring the SSL VPN

  1. On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.
  2. Toggle Enable Split Tunneling so that it is disabled.

  3. Then go to VPN > SSL-VPN Settings.
  4. Under Connection Settings set Listen on Interface(s) to wan1 and Listen on Port to 10443.
  5. Under Tunnel Mode Client Settings, select Specify custom IP ranges. The IP Ranges should be set to SSLVPN_TUNNEL_ADDR1 and the IPv6 version by default.
  6. Under Authentication/Portal Mapping, select Create New.
  7. Set the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access — this will grant all other users access to the web portal only.

  8. Go to Policy & Objects > IPv4 Policy and create a new SSL VPN policy.
  9. Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing interface (in this case, wan1).
  10. Set Source to the SSLVPNGroup user group and the all address.
  11. Set Destination Address to all, Schedule to always, Service to ALL, and enable NAT.

Configuring the SSL VPN

  1. On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.
  2. Toggle Enable Split Tunneling so that it is disabled.

  3. Then go to VPN > SSL-VPN Settings.
  4. Under Connection Settings set Listen on Interface(s) to wan1 and Listen on Port to 10443.
  5. Under Tunnel Mode Client Settings, select Specify custom IP ranges. The IP Ranges should be set to SSLVPN_TUNNEL_ADDR1 and the IPv6 version by default.
  6. Under Authentication/Portal Mapping, select Create New.
  7. Set the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access — this will grant all other users access to the web portal only.

  8. Go to Policy & Objects > IPv4 Policy and create a new SSL VPN policy.
  9. Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing interface (in this case, wan1).
  10. Set Source to the SSLVPNGroup user group and the all address.
  11. Set Destination Address to all, Schedule to always, Service to ALL, and enable NAT.