Web portal configurations
An SSL VPN web portal enables users to access network resources through a secure channel using a web browser. System administrators can configure log in privileges for users and which network resources are available to these users. The portal configuration determines what the user sees when they log in to the portal. Both system administrators and the users have the ability to customize the SSL VPN portal.
There are three predefined default web portal configurations available:
- full-access: connecting clients can either access protected resources through the SSL VPN web portal, or use FortiClient to connect through tunnel mode.
- tunnel-access: connecting clients can only access protected resources with FortiClient connecting through tunnel mode.
- web-access: connecting clients can only access protected resources through the SSL VPN web portal.
Custom web portals can also be configured.
To configure a custom web portal:
-
Go to VPN > SSL-VPN Portals and click Create New.
-
Configure the following settings as needed:
GUI option
Description
Name
Enter the portal name.
Limit Users to One SSL-VPN Connection at a Time
This option is disabled by default. When enabled, once a user logs in to the portal, they cannot go to another system and log in with the same credentials again.
Tunnel Mode
Split tunneling
There are three options:
- Disabled: all client traffic will be directed over the SSL VPN tunnel.
- Enabled Based on Policy Destination: only client traffic where the destination matches the destination of the configured firewall policies will be directed over the SSL VPN tunnel.
- Enabled for Trusted Destinations: only client traffic that does not match explicitly trusted destinations will be directed over the SSL VPN tunnel.
Routing Address Override
When Split tunneling is set to Enabled Based on Policy Destination, the IPv4 firewall address selected overrides the firewall policy destination addresses to control split tunnel access.
When Split tunneling is set to Enabled for Trusted Destinations, the IPv4 firewall address selected becomes a trusted destination that will not be tunneled through SSL VPN. All other destinations will be tunneled through SSL VPN.
Source IP Pools
Select an IP pool for users to acquire an IP address when connecting to the portal.
IPv6 Tunnel Mode
When enabled, these settings determine how tunnel mode clients are assigned IPv6 addresses.
IPv6 split tunneling
The same three options are available as in Tunnel Mode.
IPv6 Routing Address Override
When Split tunneling is set to Enabled Based on Policy Destination, the IPv6 firewall address selected overrides the firewall policy destination addresses to control split tunnel access.
When Split tunneling is set to Enabled for Trusted Destinations, the IPv6 firewall address selected becomes a trusted destination that will not be tunneled through SSL VPN. All other destinations will be tunneled through SSL VPN.
Source IPv6 Pools
Select an IP pool for users to acquire an IP address when connecting to the portal.
Tunnel Mode Client Options
The following options affect how FortiClient behaves when connected to the VPN tunnel.
Allow client to save password
When enabled and if the user selects this option, their password is stored on the their computer and will automatically populate each time they connect to the VPN.
Allow client to connect automatically
When enabled and if the user selects this option, when FortiClient launches (such as after a reboot or system start up), FortiClient will automatically attempt to connect to the VPN.
Allow client to keep connections alive
When enabled and if the user selects this option, FortiClient will try to reconnect once it detects that the VPN connection is unexpectedly down (not manually disconnected by the user).
DNS Split Tunneling
When enabled, the Split DNS table is visible, where new DNS entries can be created. See SSL VPN split DNS for more details.
Host Check
When enabled, the type of host checking performed on endpoints can be configured (see Configuring OS and host check).
Type
There are three options:
- Realtime AntiVirus: check for antivirus software recognized by the Windows Security Center.
- Firewall: check for firewall software recognized by the Windows Security Center.
- Enable both: check for antivirus and firewall software recognized by the Windows Security Center.
Restrict to Specific OS Versions
When enabled, access to certain operating systems can be denied or forced to check for an update. By default, all operating systems in the table are allowed (see Configuring OS and host check).
Web Mode
Enable this option to configure the web portal settings.
Portal Message
Enter a message that appears at the top of the web portal screen (default = SSL-VPN Portal).
Theme
Select a color theme from the dropdown.
Show Session Information
Enable to display session information in the top banner of the web portal (username, amount of time logged in, and traffic statistics).
Show Connection Launcher
Enable to display the Quick Connection button.
Show Login History
Enable to display the user's login history (History).
User Bookmarks
Enable to allow users to add their own bookmarks (New Bookmark).
Rewrite Content IP/UI/
Enable contents rewrite for URIs containing
IP-address/ui/
.RDP/VNC clipboard
Enable to support RDP/VPC clipboard functionality.
Predefined Bookmarks
Use the table to create and edit predefined bookmarks. See To create a predefined administrator bookmark in FortiOS: for more details.
FortiClient Download
Enable this option to display the Download FortiClient button.
Download Method
Select either Direct or SSL-VPN Proxy as the method to download FortiClient.
Customize Download Location
Enable to configure a custom download location for Windows or Mac.
-
Click OK.