SSL VPN web mode for remote user
This is a sample configuration of remote users accessing the corporate network through an SSL VPN by web mode using a web browser.
Sample topology
Sample configuration
WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.
For FortiOS 7.0.1 and above, SSL VPN web mode and explicit web proxy features will not work with the following configuration:
Configuring an IP pool as the source NAT IP address in a regular firewall policy works as before. See IP pools and blackhole route configuration for details. |
To configure SSL VPN using the GUI:
- Configure the interface and firewall address. The port1 interface connects to the internal network.
- Go to Network > Interfaces and edit the wan1 interface.
- Set IP/Network Mask to 172.20.120.123/255.255.255.0.
- Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
- Click OK.
- Go to Policy & Objects > Address and create an address for internet subnet 192.168.1.0.
- Configure user and user group.
- Go to User & Authentication > User Definition to create a local user sslvpnuser1.
- Go to User & Authentication > User Groups to create a group sslvpngroup with the member sslvpnuser1.
- Configure SSL VPN web portal.
- Go to VPN > SSL-VPN Portals to create a web mode only portal my-web-portal.
- Set Predefined Bookmarks for Windows server to type RDP.
- Configure SSL VPN settings.
- Go to VPN > SSL-VPN Settings.
- For Listen on Interface(s), select wan1.
- Set Listen on Port to 10443.
- Choose a certificate for Server Certificate.
It is HIGHLY recommended that you acquire a signed certificate for your installation. Please review the SSL VPN best practices and learn how to Procuring and importing a signed SSL certificate.
- In Authentication/Portal Mapping All Other Users/Groups, set the Portal to web-access.
- Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-Web-portal.
- Configure SSL VPN firewall policy.
- Go to Policy & Objects > Firewall Policy.
- Fill in the firewall policy name. In this example, sslvpn web mode access.
- Incoming interface must be SSL-VPN tunnel interface(ssl.root).
- Choose an Outgoing Interface. In this example, port1.
- Set the Source to all and group to sslvpngroup.
- In this example, the Destination is the internal protected subnet 192.168.1.0.
- Set Schedule to always, Service to ALL, and Action to Accept.
- Click OK.
To configure SSL VPN using the CLI:
- Configure the interface and firewall address.
config system interface edit "wan1" set vdom "root" set ip 172.20.120.123 255.255.255.0 next end
- Configure the internal interface and protected subnet, then connect the port1 interface to the internal network.
config system interface edit "port1" set vdom "root" set ip 192.168.1.99 255.255.255.0 next end
config firewall address edit "192.168.1.0" set subnet 192.168.1.0 255.255.255.0 next end
- Configure user and user group.
config user local edit "sslvpnuser1" set type password set passwd your-password next end
config user group edit "sslvpngroup" set member "vpnuser1" next end
- Configure SSL VPN web portal and predefine RDP bookmark for windows server.
config vpn ssl web portal edit "my-web-portal" set web-mode enable config bookmark-group edit "gui-bookmarks" config bookmarks edit "Windows Server" set apptype rdp set host "192.168.1.114" set port 3389 set logon-user "your-windows-server-user-name" set logon-password your-windows-server-password next end next end next end
- Configure SSL VPN settings.
config vpn ssl settings set servercert "Fortinet_Factory" set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" set source-interface "wan1" set source-address "all" set source-address6 "all" set default-portal "full-access" config authentication-rule edit 1 set groups "sslvpngroup" set portal "my-web-portal" next end end
- Configure one SSL VPN firewall policy to allow remote user to access the internal network. Traffic is dropped from internal to remote client
config firewall policy edit 1 set name "sslvpn web mode access" set srcintf "ssl.root" set dstintf "port1" set srcaddr "all" set dstaddr "192.168.1.0" set groups “sslvpngroup” set action accept set schedule "always" set service "ALL" next end
To see the results:
- In a web browser, log into the portal https://172.20.120.123:10443 using the credentials you've set up.
- In the portal with the predefined bookmark, select the bookmark to begin an RDP session. If there are no predefined bookmarks, the Quick Connection tool can be used; see Quick Connection tool for more information.
- Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
- Go to Log & Report > Forward Traffic to view the details for the SSL entry.