Configuring the SSL VPN
- On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.
- Toggle Enable Split Tunneling so that it is disabled.
- Then go to VPN > SSL-VPN Settings.
- Under Connection Settings, set Listen on Interface(s) to wan1 and Listen on Port to 10443.
- Under Tunnel Mode Client Settings, select Specify custom IP ranges. The IP Ranges should be set to SSLVPN_TUNNEL_ADDR1 and the IPv6 version by default.
- Under Authentication/Portal Mapping, select Create New.
- Set the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access — this will grant all other users access to the web portal only.
- Go to Policy & Objects > IPv4 Policy and create a new SSL VPN policy.
- Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing interface (in this case, wan1).
- Set Source to the SSLVPNGroup user group and the all address.
- Set Destination Address to all, Schedule to always, Service to ALL, and enable NAT.
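
To confirm that a configuration backup reflects the portal and SSL-VPN settings steps above, the following check can be run against it. This is an added example, not part of the original page: the sample config is constructed, and the CLI key names (`split-tunneling`, `source-interface`, `tunnel-ip-pools`, `default-portal`, `authentication-rule`) are assumed to be the CLI counterparts of the GUI fields. The firewall policy step is not checked.

```python
import shlex
# Constructed FortiOS-style config excerpt (not from the page). The CLI key
# names are assumed equivalents of the GUI fields named in the steps above.
SAMPLE = """\
config vpn ssl web portal
    edit "full-access"
        set split-tunneling disable
    next
end
config vpn ssl settings
    set source-interface "wan1"
    set port 10443
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSLVPNGroup"
            set portal "full-access"
        next
    end
end
"""

def parse(text):  # returns {"config path/edit id": {key: [values]}}
    stack, tree = [], {}
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):       # entering a table or an entry
            stack.append(" ".join(tok[1:]))
        elif tok[0] in ("next", "end") and stack:
            stack.pop()                        # leaving an entry or a table
        elif tok[0] == "set" and len(tok) > 2:
            tree.setdefault("/".join(stack), {})[tok[1]] = tok[2:]
    return tree

def audit(text):  # one finding per deviation from the steps; [] = compliant
    tree, ssl, findings = parse(text), "vpn ssl settings", []
    for path, key, want in [
            ("vpn ssl web portal/full-access", "split-tunneling", "disable"),
            (ssl, "source-interface", "wan1"), (ssl, "port", "10443"),
            (ssl, "tunnel-ip-pools", "SSLVPN_TUNNEL_ADDR1"),
            (ssl, "default-portal", "web-access")]:
        if tree.get(path, {}).get(key) != [want]:
            findings.append(f"{path}: expected {key} {want}")
    rules = [v for p, v in tree.items() if p.startswith(ssl + "/authentication-rule/")]
    if not any("SSLVPNGroup" in r.get("groups", []) and r.get("portal") == ["full-access"]
               for r in rules):
        findings.append("no authentication-rule maps SSLVPNGroup to full-access")
    return findings
```

Settings left at their default values can be absent from a normal backup and would then be reported as findings, so run the check against a full-configuration export.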