Administration Guide

Disable the clipboard in SSL VPN web mode RDP connections

In web portal profiles, the clipboard can be disabled for SSL VPN web mode RDP/VNC connections. Users will not be able to copy and paste content to or from the internal server.

Example

In this example, two groups of users are using SSL VPN web mode to access internal servers with RDP/VNC. One group is allowed to copy and paste content to and from the internal server using the clipboard, while the other is not.

To configure the SSL VPN portals in the GUI:
  1. Go to VPN > SSL-VPN Portals and click Create New.

  2. Enter a name for the portal, such as testportal1.

  3. Turn on Enable Web Mode and enable RDP/VNC clipboard to allow copying and pasting.

  4. Configure the remaining settings as needed.

  5. Click OK.

  6. Click Create New again.

  7. Enter a name for the portal, such as testportal2.

  8. Turn on Enable Web Mode and disable RDP/VNC clipboard to prevent copying and pasting.

  9. Configure the remaining settings as needed.

  10. Click OK.

To configure the SSL VPN settings in the GUI:
  1. Go to VPN > SSL-VPN Settings.

  2. Set Listen on Interface to port2.

  3. In the Authentication/Portal Mapping table, add the users to each of the portals:

    1. Click Create New.

    2. Set Users/Groups to u1 and Portal to testportal1.

    3. Click OK, then click Create New again.

    4. Set Users/Groups to u2 and Portal to testportal2.

    5. Click OK.

  4. Configure the remaining settings as needed.

  5. Click Apply.

To configure a firewall policy for SSL VPN in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Set a name for the policy, such as policy_to_sslvpn_tunnel.

  3. Set Incoming Interface to the SSL VPN tunnel interface and Outgoing Interface to port1.

  4. Set Source to the users, u1 and u2, and all addresses.

  5. Set Destination to all addresses.

  6. Set Schedule to always, Service to All, and Action to Accept.

  7. Configure the remaining settings as needed.

  8. Click OK.

To test if the users can use the clipboard:
  1. On the PC, open a web browser and log in to the web portal as user u1.

  2. Access the internal server using RDP/VNC.

  3. The clipboard is available and you can copy and paste content to and from the remote server.

  4. Log out of the web portal, then log back in as user u2 and access the internal server using RDP/VNC.

    The clipboard is disabled.

To configure the SSL-VPN portals and settings in the CLI:
  1. Configure the SSL VPN portals:

    config vpn ssl web portal
        edit "testportal1"
            set web-mode enable
            set clipboard enable
            ...
        next
        edit "testportal2"
            set web-mode enable
            set clipboard disable
            ...
        next
    end
  2. Configure the SSL VPN settings:

    config vpn ssl settings
        set port 1443
        set source-interface "port2"
        set source-address "all"
        set source-address6 "all"
        set default-portal "tunnel-access"
        config authentication-rule
            edit 1
                set users "u1"
                set portal "testportal1"
            next
            edit 2
                set users "u2"
                set portal "testportal2"
            next
        end
    end
  3. Configure a firewall policy for SSL VPN:

    config firewall policy
        edit 1
            set name "policy_to_sslvpn_tunnel"
            set srcintf "ssl.vdom1"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set nat enable
            set users "u1" "u2"
        next
    end
  4. On the PC, open a web browser, log in to the web portal as user u1, access the internal server using RDP/VNC, and use the clipboard.

  5. Check the SSL VPN session monitor:

    # get vpn ssl monitor
    SSL-VPN Login Users:
     Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
     0       u1             1(1)             N/A     10.1.100.146   0/0     0/364   0
    
    SSL-VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       u1             10.1.100.146     64      0/700  RDP 172.18.58.109
  6. On the PC, open a web browser, log in to the web portal as user u2, access the internal server using RDP/VNC, and note that the clipboard is not available.

  7. Check the SSL VPN session monitor:

    # get vpn ssl monitor
    SSL-VPN Login Users:
     Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
     0       u2             1(1)             N/A     10.1.100.146   0/0     0/2681  0
    
    SSL-VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       u2             10.1.100.146     7       0/553  RDP 172.18.58.109
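
The following audit script is an added example, not Fortinet code. It reads a saved configuration shaped like the CLI blocks above and reports, for each portal, whether the web mode clipboard is allowed and which users the authentication rules map to it. The function names are hypothetical, the sample text is constructed, and treating a portal without an explicit `set clipboard disable` line as allowing the clipboard is an assumption.

```python
import shlex
# Constructed sample, shaped like the CLI blocks on this page.
SAMPLE_CONFIG = """config vpn ssl web portal
    edit "testportal1"
        set web-mode enable
        set clipboard enable
    next
    edit "testportal2"
        set web-mode enable
        set clipboard disable
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set users "u1"
            set portal "testportal1"
        next
        edit 2
            set users "u2"
            set portal "testportal2"
        next
    end
end"""

def parse_table(text, header):
    """Return {entry: {key: [values]}} for the first table opened by `header`."""
    entries, current, depth = {}, {}, 1
    for line in map(str.strip, text.partition(header)[2].splitlines()):
        depth += line.startswith("config ") - (line == "end")  # nesting level
        if depth == 0:
            break
        if depth == 1 and line.startswith(("edit ", "set ")):
            verb, key, *values = shlex.split(line)
            if verb == "edit":
                current = entries.setdefault(key, {})
            else:
                current[key] = values
    return entries

def clipboard_audit(text):
    """Return {portal: (clipboard_allowed, [users mapped to it])}."""
    rules = parse_table(text, "config authentication-rule").values()
    report = {}
    for name, cfg in parse_table(text, "config vpn ssl web portal").items():
        # Assumption: only an explicit "set clipboard disable" counts as disabled.
        allowed = cfg.get("web-mode") == ["enable"] and cfg.get("clipboard") != ["disable"]
        users = sorted(u for r in rules if r.get("portal") == [name] for u in r.get("users", []))
        report[name] = (allowed, users)
    return report
```

Run against the sample, `clipboard_audit(SAMPLE_CONFIG)` flags `testportal1` (mapped to `u1`) as clipboard-enabled and `testportal2` (mapped to `u2`) as disabled, matching the behaviour tested in the steps above.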
