Handbook

Portal configuration

6.0.0
Portal configuration

The SSL VPN web portal enables users to access network resources through a secure channel using a web browser. Fortinet administrators can configure login privileges for system users and which network resources are available to those users.

The portal configuration determines what the user sees when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.

There are three pre-defined default web portal configurations available:

  • full-access: Includes all widgets available to the user - Session Information, Tunnel Mode options, Connection Launcher, Remote Desktop, and Predefined Bookmarks.
  • tunnel-access: Includes Session Information and Tunnel Mode options.
  • web-access: Includes Session Information and Predefined Bookmarks widgets.

You can also create your own web portal to meet your corporate requirements.

Portal page

Create New

Creates a new web portal.

Edit

Select a portal from the list to enable the Edit option, and modify the portal configuration.

Delete

Removes a portal configuration.

To remove multiple portals from the list, select the check box beside the portal names, then select Delete.

Name

The name of the web portal.

Ref.

Displays the number of times the object is referenced in other configurations on the FortiGate unit, such as security policies.

To view the location of the referenced object, select the number in the Ref. column.

To view more information about how the object is used, select one of:

View the list page for these objects – redirects you to the list page where the object is referenced.

Edit this object – opens the referencing configuration entry so you can modify its settings.

View the details for this object – similar to the log viewer table, shows the settings configured in the referencing configuration entry.

Portal settings

A web portal defines SSL VPN user access to network resources. The portal configuration determines what SSL VPN users see when they log in to the unit. Both the Fortinet administrator and the SSL VPN user have the ability to customize the web portal settings. Portal settings are configured in VPN > SSL-VPN Portals.

The following settings are available and allow you to configure general and security console options for your web portal. Each entry below gives the portal setting followed by its description.

Name

The name for the portal.

Limit Users to One SSL-VPN Connection at a Time

You can set the SSL VPN tunnel so that each user can have only one concurrent login. That is, once logged into the portal, the user cannot go to another system and log in with the same credentials again until the first session ends. This option is disabled by default.

Tunnel Mode

These settings determine how tunnel mode clients are assigned IPv4 addresses.

Enable Split Tunneling

Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user’s other traffic follows its normal route.

If you enable split tunneling, you are required to set the Routing Address, which is the address that your corporate network is using. Traffic intended for the Routing Address will not be split from the tunnel.

Source IP Pools

Select an IP Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.

Tunnel Mode Client Options

These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When an option is enabled here, a check box for it appears on the VPN login screen in FortiClient. None of these options is enabled by default.

  • Allow client to save password - When enabled, if the user selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.
  • Allow client to connect automatically - When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.
  • Allow client to keep connections alive - When enabled, if the user selects this option, the FortiClient should try to reconnect once it detects the VPN connection is down unexpectedly (not manually disconnected by user).

Enable Web Mode

Select to enable web mode access.

Portal Message

This is a text header that appears on the top of the web portal.

Theme

Select a color styling specifically for the web portal.

Show Session Information

The Show Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.

Show Connection Launcher

Displays the Connection Launcher widget in the web portal.

Show Login History

Select to include user login history on the web portal.

User Bookmarks

Enable to allow users to add their own bookmarks in the web portal.

Predefined Bookmarks

Select to include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a bookmark is selected from a bookmark list, a pop-up window appears with the web page. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.

Predefined Bookmarks

Bookmarks are used as links to specific resources on the network. When a bookmark is selected from a bookmark list, a pop-up window appears with the requested web page. Telnet, RDP, and VNC pop up a window that requires a browser plug-in. FTP and Samba replace the bookmarks page with an HTML file-browser.

Note that the RDP/VNC web portals are not supported for the following platforms:

Platform: Model

FortiGate: 80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C, 3240C, 3600C, and 5001C

FortiGate-Rugged: 90D

FortiWiFi: 92D

A web bookmark can include login credentials to automatically log the SSL VPN user into the web site. When the administrator configures bookmarks, the web site credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the web site.

Applications available in the web portal

Depending on the web portal configuration and user group settings, one or more of the following server applications are available to you through Predefined Bookmarks, as well as the Quick Connection widget:

  • Citrix makes use of SOCKS so that the Citrix client can connect to the SSL VPN port forward module to provide the connection.
  • FTP (File Transfer Protocol) enables you to transfer files between your computer and a remote host.
  • HTTP/HTTPS accesses web pages.
  • Port Forward provides the middle ground between web mode and tunnel mode. When the SSL VPN receives data from a client application, the data is encrypted and sent to the FortiGate unit, which then forwards the traffic to the application server.
  • RDP (Remote Desktop Protocol), similar to VNC, enables you to remotely control a computer running Microsoft Terminal Services.
  • SMB/CIFS implements the Server Message Block (SMB) protocol to support file sharing between your computer and a remote server host.
  • SSH (Secure Shell) enables you to exchange data between two computers using a secure channel.
  • TELNET (Teletype Network emulation) enables you to use your computer as a virtual text-only terminal to log in to a remote host.
  • VNC (Virtual Network Computing) enables you to remotely control another computer, for example, accessing your work computer from your home computer.

Some server applications may prompt you for a user name and password. You must have a user account created by the server administrator so that you can log in.

Note: Windows file sharing through SMB/CIFS is supported through shared directories.

Group-based SSL VPN bookmarks

The administrator can add bookmarks for groups of users. SSL VPN will only output the matched group-name entry to the client. This can only be done via the CLI.

To add group-based SSL VPN bookmarks - CLI:

    config vpn ssl web portal
        edit "portal-name"
            set user-group-bookmark enable*/disable
        next
    end

    config vpn ssl web user-group-bookmark
        edit "group-name"
            config bookmark
                edit "bookmark1"
                    ....
                next
            end
        next
    end

Downloading files from an SMB server in Web Mode

When logging into the SSL VPN in Web Mode, the client can connect to their file server via SMB and download multiple files at the same time. The client can select/deselect individual files for download, opt to download all, or select all checkboxes for download.

Split DNS support for SSL VPN portals

Split DNS for SSL VPN portals allows you to specify which domains are resolved by the DNS server specified by the VPN, while all other domains are resolved by the DNS server configured locally on the client. This feature is useful in both Enterprise and MSP scenarios (when hosting multiple SSL VPN portals).

FortiClient receives this information when the client connects in tunnel mode. FortiClient pushes the specified DNS servers to the client's computer, and all DNS requests first attempt to use these servers. The FortiClient network driver intercepts DNS requests; if a request matches one of the listed split-dns domains, it goes across the tunnel and is resolved by the specified DNS servers.

If the domain does not match a split-dns entry, the FortiClient network driver responds to the DNS request with "no such name", forcing the request to be resolved by the physical adapter's DNS server.

To configure split DNS support for SSLVPN portals - CLI:

    config vpn ssl web portal
        edit <name>
            config split-dns
                edit <name>
                    set domains "abc.com, cde.com"
                    set dns-server1 192.168.1.1
                    set dns-server2 192.168.1.2
                    set ipv6-dns-server1 xxxxxxxxxxxx
                    set ipv6-dns-server2 xxxxxxxxxxxx
                next
                ...
            end
        next
    end
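The following is an added model of the split-DNS decision described above, written for this page and not FortiClient's own code. It assumes that domain matching is by DNS label suffix (so "abc.com" covers "host.abc.com" but not "notabc.com") and that the tunnel servers are tried in the order dns-server1, dns-server2; the sample entry mirrors the CLI example above.

```python
"""Model of the client-side split-DNS routing decision (added illustration).

Assumptions (not stated on the page): matching is a label-aware suffix match,
and tunnel servers are used in the order dns-server1, dns-server2.
"""
from dataclasses import dataclass


@dataclass
class SplitDnsEntry:
    """One `config split-dns` entry: the `set domains` list plus tunnel DNS servers."""
    domains: list
    dns_servers: list


def parse_domains(value: str) -> list:
    """Parse the CLI value of `set domains "abc.com, cde.com"` into normalized names."""
    return [d.strip().lower().rstrip(".") for d in value.split(",") if d.strip()]


def matches_split_domain(qname: str, domain: str) -> bool:
    """Label-aware suffix match: 'host.abc.com' and 'abc.com' match 'abc.com',
    but 'notabc.com' must not (a plain endswith() check would get that wrong)."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def route_query(qname: str, entries: list) -> dict:
    """Decide how the client-side driver handles one DNS query.

    Returns {'via': 'tunnel', 'servers': [...]} for a split domain, otherwise
    {'via': 'local', 'answer': 'no such name'}: the driver answers NXDOMAIN so the
    operating system falls back to the physical adapter's DNS server.
    """
    for entry in entries:
        for domain in entry.domains:
            if matches_split_domain(qname, domain):
                return {"via": "tunnel", "servers": list(entry.dns_servers)}
    return {"via": "local", "answer": "no such name"}


# Constructed sample mirroring the CLI example on the page.
PORTAL_SPLIT_DNS = [
    SplitDnsEntry(domains=parse_domains("abc.com, cde.com"),
                  dns_servers=["192.168.1.1", "192.168.1.2"]),
]

if __name__ == "__main__":
    for name in ("intranet.abc.com", "cde.com", "notabc.com", "example.org"):
        print(name, "->", route_query(name, PORTAL_SPLIT_DNS))
```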
