Handbook

6.0.0
Multiple user groups with different access permissions

You might need to provide access to several user groups with different access permissions. Consider the following example topology in which users on the Internet have controlled access to servers and workstations on private networks behind a FortiGate unit.

In this example configuration, there are two users:

  • User1 can access the servers on Subnet_1.
  • User2 can access the workstation PCs on Subnet_2.

You could easily add more users to either user group to provide them access to the user group’s assigned web portal.

General configuration steps

  1. Create firewall addresses for:
    • The destination networks.
    • Two non-overlapping tunnel IP address ranges that the FortiGate unit will assign to tunnel clients in the two user groups.
  2. Create two web portals.
  3. Create two user accounts, User1 and User2.
  4. Create two user groups. For each group, add a user as a member and select a web portal. In this example, User1 will belong to Group1, which will be assigned to Portal1 (similar configuration for User2).
  5. Create security policies:
    • Two SSL VPN security policies, one to each destination.
    • Two tunnel-mode policies to allow each group of users to reach its permitted destination network.
  6. Create the static route to direct packets for the users to the tunnel.

Creating the firewall addresses

Security policies do not accept direct entry of IP addresses and address ranges. You must define firewall addresses in advance.

Creating the destination addresses

SSL VPN users in this example can access either Subnet_1 or Subnet_2.

To define destination addresses - GUI:
  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK:
     Name: Subnet_1
     Type: Subnet
     Subnet/IP Range: 10.11.101.0/24
     Interface: port2
  3. Select Create New, enter the following information, and select OK:
     Name: Subnet_2
     Type: Subnet
     Subnet/IP Range: 10.11.201.0/24
     Interface: port3

Creating the tunnel client range addresses

To accommodate the two groups of users, split an otherwise unused subnet into two ranges. The tunnel client addresses must not conflict with each other or with other addresses.

To define tunnel client addresses - GUI:
  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK:
     Name: Tunnel_group1
     Type: IP Range
     Subnet/IP Range: 10.11.254.1-10.11.254.50
     Interface: Any
  3. Select Create New, enter the following information, and select OK:
     Name: Tunnel_group2
     Type: IP Range
     Subnet/IP Range: 10.11.254.51-10.11.254.100
     Interface: Any

Creating the web portals

To accommodate two different sets of access permissions, you need to create two web portals, portal1 and portal2, for example. Later, you will create two SSL VPN user groups, one to assign to portal1 and the other to assign to portal2.

To create the portal1 web portal:
  1. Go to VPN > SSL-VPN Portals and select Create New.
  2. Enter portal1 in the Name field.
  3. In Source IP Pools, select Tunnel_group1.
  4. Select OK.

To create the portal2 web portal:
  1. Go to VPN > SSL-VPN Portals and select Create New.
  2. Enter portal2 in the Name field.
  3. In Source IP Pools, select Tunnel_group2.
  4. Select OK.

Later, you can configure these portals with bookmarks and enable connection tool capabilities for the convenience of your users.

Creating the user accounts and user groups

After enabling SSL VPN and creating the required web portals, create the user accounts and then the user groups that require SSL VPN access.

Go to User & Device > User Definition and create User1 and User2 with password authentication. After you create the users, create the SSL VPN user groups.

To create the user groups - GUI:
  1. Go to User & Device > User Groups.
  2. Select Create New and enter the following information:
     Name: Group1
     Type: Firewall
  3. From the Available list, select User1 and move it to the Members list by selecting the right arrow button.
  4. Select OK.
  5. Repeat steps 2 through 4 to create Group2, assigned to Portal2, with User2 as its only member.

Creating the security policies

You need to define security policies to permit your SSL VPN clients, web-mode or tunnel-mode, to connect to the protected networks behind the FortiGate unit. Before you create the security policies, you must define the source and destination addresses to include in the policy. See Creating the firewall addresses.

Two types of security policy are required:

  • An SSL VPN policy enables clients to authenticate and permits a web-mode connection to the destination network. In this example, there are two destination networks, so there will be two SSL VPN policies. The authentication ensures that only authorized users can access the destination network.
  • A tunnel-mode policy is a regular ACCEPT security policy that enables traffic to flow between the SSL VPN tunnel interface and the protected network. Tunnel-mode policies are required if you want to provide tunnel-mode connections for your clients. In this example, there are two destination networks, so there will be two tunnel-mode policies.

To create the SSL VPN security policies - GUI:
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK:
     Incoming Interface: ssl.root (sslvpn tunnel interface)
     Source Address: All
     Source User(s): Group1
     Outgoing Interface: port2
     Destination Address: Subnet_1
     Service: All
  3. Select Create New.
  4. Enter the following information:
     Incoming Interface: ssl.root (sslvpn tunnel interface)
     Source Address: All
     Source User(s): Group2
     Outgoing Interface: port3
     Destination Address: Subnet_2
     Service: All
  5. Select OK.

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the first remote group:
     Users/Groups: Group1
     Portal: Portal1
  3. Select OK and Apply.
  4. Select Create New and add an authentication rule for the second remote group:
     Users/Groups: Group2
     Portal: Portal2
  5. Select OK and Apply.

To create the tunnel-mode security policies - GUI:
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information, and select OK:
     Incoming Interface: ssl.root (sslvpn tunnel interface)
     Source Address: Tunnel_group1
     Source User(s): Group1
     Outgoing Interface: port2
     Destination Address: Subnet_1
     Service: All
     Action: ACCEPT
     Enable NAT: Enable
  3. Select Create New.
  4. Enter the following information, and select OK:
     Incoming Interface: ssl.root (sslvpn tunnel interface)
     Source Address: Tunnel_group2
     Source User(s): Group2
     Outgoing Interface: port3
     Destination Address: Subnet_2
     Service: All
     Action: ACCEPT
     Enable NAT: Enable

Creating the static route to tunnel mode clients

Reply packets destined for tunnel mode clients must pass through the SSL VPN tunnel. You need to define a static route to allow this.

To add a route to SSL VPN tunnel mode clients - GUI:
  1. Go to Network > Static Routes and select Create New.
  2. Enter the following information and select OK:
     Destination IP/Mask: 10.11.254.0/24 (this range covers both ranges that you assigned to SSL VPN tunnel-mode users; see Creating the tunnel client range addresses)
     Device: the SSL VPN virtual interface, ssl.root for example

Note: In this example, the IP Pools field on the VPN > SSL-VPN Settings page is not used because each web portal specifies its own tunnel IP address range.
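The Group1 half of the procedure above, written as FortiOS 6.0 CLI. This is an added example, not part of the original page; it assumes User1 already exists as a local password user, that wan1 is the Internet-facing interface, that policy ID 1 and static route ID 1 are unused, and the # lines are explanatory comments. Group2 is configured the same way with Tunnel_group2, port3, Subnet_2, portal2 and Group2.

```text
# Added example (not from the original page): FortiOS 6.0 CLI for the
# Group1 half of the GUI procedure above. Assumptions: User1 already
# exists as a local password user, wan1 faces the Internet, and policy
# ID 1 and route ID 1 are unused.
config firewall address
    edit "Subnet_1"
        set subnet 10.11.101.0 255.255.255.0
        set associated-interface "port2"
    next
    edit "Tunnel_group1"
        set type iprange
        set start-ip 10.11.254.1
        set end-ip 10.11.254.50
    next
end
config vpn ssl web portal
    edit "portal1"
        set tunnel-mode enable
        set ip-pools "Tunnel_group1"
    next
end
config user group
    edit "Group1"
        set member "User1"
    next
end
config vpn ssl settings
    set port 443
    set source-interface "wan1"
    config authentication-rule
        edit 1
            set groups "Group1"
            set portal "portal1"
        next
    end
end
# Tunnel-mode policy: matches on BOTH the pool range and the group, so a
# client must hold a Tunnel_group1 address and be a Group1 member.
# The web-mode policy is the same with srcaddr "all" and no NAT.
config firewall policy
    edit 1
        set name "sslvpn_tunnel_group1"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "Tunnel_group1"
        set dstaddr "Subnet_1"
        set groups "Group1"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config router static
    edit 1
        set dst 10.11.254.0 255.255.255.0
        set device "ssl.root"
    next
end
```

Because the route covers 10.11.254.0/24, both pools are reachable through ssl.root while each policy still limits a group to its own pool and destination subnet.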

Client device certificate authentication with multiple groups

In the following example, we require clients connecting to a FortiGate SSL VPN to have a device certificate installed on their machine in order to authenticate to the VPN.

Employees (in a specific OU in AD) will be required to have a device certificate to connect, while vendors (in a separate OU in AD) will not be required to have a device certificate.

This can only be performed in the CLI console.

Note: The Authentication-rule option is only available in the CLI as an advanced setting to achieve your requirements. It is not available on the GUI. So in VPN > SSL-VPN Settings, do not enable Require Client Certificate, but selectively enable client-cert in each authentication-rule based on the requirements through the CLI instead.

Configuring SSL VPN shared settings and authentication rules - CLI:

The following example assumes that remote LDAP users/groups have been pre-configured.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "Employees"
            set portal "full-access"
            set client-cert enable
        next
        edit 2
            set source-interface "wan1"
            set source-address "all"
            set groups "Vendors"
            set portal "full-access"
            set client-cert disable    <-- set by default and will not be displayed
        next
    end
end

Configure the remainder of the SSL VPN tunnel as normal (creating a firewall policy allowing SSL VPN access to the internal network, including the VPN groups, necessary security profiles, etc.).

If configured correctly, only the 'Employees' group should require a client certificate to authenticate to the VPN.
