Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.4.0 Administration Guide
7.4.0
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0

SSL VPN custom landing page NEW

SSL VPN custom landing page NEW

An SSL VPN web mode user can log in to the web portal and be redirected to a custom landing page. The custom landing page can be configured in VPN > SSL-VPN Portals by setting the portal Landing page to Custom or by using the command config landing-page.

The landing page can accept SSO credentials as well as SSO from form data. This allows administrators to streamline web application access for their users. The custom redirected portal can also listen for a logout URL so that when users log out from the web application, they are also logged out from the SSL VPN web connection.

Example

In the following example, the SSL VPN web portal settings are configured so that the URL of the custom landing page of FGT_A is set to the FGT_B login page. Therefore, when a web user is logging into FGT_A's SSL VPN web portal, they will automatically be redirected to FGT_B, where the SSO username and password are passed into the username and password input fields. This allows for single sign on of the connecting user into FGT_B through the SSL VPN.

The logout URL of FGT_A is also set to the FGT_B logout information. Therefore, the connecting user can log out of SSL VPN directly when they log out of FGT_B.

To configure a custom landing page from the CLI:

  1. Configure the user and user group:

    config user local
    edit "custom_landing_user" 
        set type password
        set passwd ********
    next 
end
config user group
    edit "ssl-web-group" 
        set member "custom_landing_user"
    next 
end

  2. Configure the SSL VPN web portal:

    config vpn ssl web portal
    edit "custom_landing"
        set web-mode enable
        set landing-page-mode enable
        config landing-page
            set url "https://172.16.200.2/login"
            set logout-url "https://172.16.200.2/logout"
            set sso static
            config form-data
                edit "username"
                    set value "admin"
                next
                edit "secretkey"
                    set value "1"
                next
            end 
            set sso-credential alternative
            set sso-username "admin"
            set sso-password ********
        end
    next
end

  3. Configure the SSL VPN settings:

    config vpn ssl settings
    set servercert "fgt_gui_automation"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 1443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 2
            set users "custom_landing_user"
            set portal "custom_landing"
        next
    end
    set encrypt-and-store-password enable
end

  4. Configure the firewall policy:

    config firewall policy
    edit 1
        set name "testpolicy"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "ssl-web-group"
        set users "custom_landing_user"
    next
end
To configure a custom landing page from the GUI:

  1. Configure the user and user group:

    1. Go to User & Authentication > User Definition to create the custom_landing_user user.

    2. Go to User & Authentication > User Groups to create the ssl-web-group user group with the member custom_landing_user.

  2. Configure the SSL VPN web portal:

    1. Go to VPN > SSL-VPN Portals.

    2. Click Create New.

    3. Enter custom_landing as the Name.

    4. Enable custom Web Mode features:

      1. Enable Web Mode.

      2. Set Landing Page to Custom.

      3. Enter the FGT_B login page URL.

      4. Enter the FGT_B Logout URL.

      5. Enable SSO Credentials and select SSL-VPN Login.

      6. Enable SSO form data and enter the Form key and Form value.

    5. Click OK.

  3. Configure the SSL VPN settings:

    1. Go to VPN > SSL-VPN Settings.

    2. Set Listen on Interface(s) to port1.

    3. Set Listen on Port to 1443.

    4. Set Server Certificate to fgt_gui_automation.

    5. Create a new Authentication/Portal Mapping for group ssl-web-group mapping the portal custom-landing.

    6. Click Apply.

  4. Configure the firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Configure the following settings:

      Name testpolicy
      Incoming Interface ssl.root
      Outgoing Interface wan1
      Source

      all

      custom_landing_user

      ssl-web-group
      Destination all
      Schedule always
      Service ALL
      Action ACCEPT

    3. Enable NAT.

    4. Enable Log Allowed Traffic and set it to All Sessions.

    5. Click OK.

Once the SSL VPN web portal is configured, the connected user can access FGT_B through the FGT_A SSL VPN web portal.

To access FGT_B through the FGT_A SSL VPN web portal:

  1. Enter your SSO credentials in the SSL VPN login fields.

    The landing page is redirected to the FGT_B GUI automatically.

  2. Select Logout from the user menu.

    The user is logged out of the SSL VPN web mode connection.

Previous
Next

SSL VPN custom landing page NEW

An SSL VPN web mode user can log in to the web portal and be redirected to a custom landing page. The custom landing page can be configured in VPN > SSL-VPN Portals by setting the portal Landing page to Custom or by using the command config landing-page.

The landing page can accept SSO credentials as well as SSO from form data. This allows administrators to streamline web application access for their users. The custom redirected portal can also listen for a logout URL so that when users log out from the web application, they are also logged out from the SSL VPN web connection.

Example

In the following example, the SSL VPN web portal settings are configured so that the URL of the custom landing page of FGT_A is set to the FGT_B login page. Therefore, when a web user is logging into FGT_A's SSL VPN web portal, they will automatically be redirected to FGT_B, where the SSO username and password are passed into the username and password input fields. This allows for single sign on of the connecting user into FGT_B through the SSL VPN.

The logout URL of FGT_A is also set to the FGT_B logout information. Therefore, the connecting user can log out of SSL VPN directly when they log out of FGT_B.

To configure a custom landing page from the CLI:

  1. Configure the user and user group:

    config user local
    edit "custom_landing_user" 
        set type password
        set passwd ********
    next 
end
config user group
    edit "ssl-web-group" 
        set member "custom_landing_user"
    next 
end

  2. Configure the SSL VPN web portal:

    config vpn ssl web portal
    edit "custom_landing"
        set web-mode enable
        set landing-page-mode enable
        config landing-page
            set url "https://172.16.200.2/login"
            set logout-url "https://172.16.200.2/logout"
            set sso static
            config form-data
                edit "username"
                    set value "admin"
                next
                edit "secretkey"
                    set value "1"
                next
            end 
            set sso-credential alternative
            set sso-username "admin"
            set sso-password ********
        end
    next
end

  3. Configure the SSL VPN settings:

    config vpn ssl settings
    set servercert "fgt_gui_automation"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 1443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 2
            set users "custom_landing_user"
            set portal "custom_landing"
        next
    end
    set encrypt-and-store-password enable
end

  4. Configure the firewall policy:

    config firewall policy
    edit 1
        set name "testpolicy"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "ssl-web-group"
        set users "custom_landing_user"
    next
end
To configure a custom landing page from the GUI:

  1. Configure the user and user group:

    1. Go to User & Authentication > User Definition to create the custom_landing_user user.

    2. Go to User & Authentication > User Groups to create the ssl-web-group user group with the member custom_landing_user.

  2. Configure the SSL VPN web portal:

    1. Go to VPN > SSL-VPN Portals.

    2. Click Create New.

    3. Enter custom_landing as the Name.

    4. Enable custom Web Mode features:

      1. Enable Web Mode.

      2. Set Landing Page to Custom.

      3. Enter the FGT_B login page URL.

      4. Enter the FGT_B Logout URL.

      5. Enable SSO Credentials and select SSL-VPN Login.

      6. Enable SSO form data and enter the Form key and Form value.

    5. Click OK.

  3. Configure the SSL VPN settings:

    1. Go to VPN > SSL-VPN Settings.

    2. Set Listen on Interface(s) to port1.

    3. Set Listen on Port to 1443.

    4. Set Server Certificate to fgt_gui_automation.

    5. Create a new Authentication/Portal Mapping for group ssl-web-group mapping the portal custom-landing.

    6. Click Apply.

  4. Configure the firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Configure the following settings:

      Name testpolicy
      Incoming Interface ssl.root
      Outgoing Interface wan1
      Source

      all

      custom_landing_user

      ssl-web-group
      Destination all
      Schedule always
      Service ALL
      Action ACCEPT

    3. Enable NAT.

    4. Enable Log Allowed Traffic and set it to All Sessions.

    5. Click OK.

Once the SSL VPN web portal is configured, the connected user can access FGT_B through the FGT_A SSL VPN web portal.

To access FGT_B through the FGT_A SSL VPN web portal:

  1. Enter your SSO credentials in the SSL VPN login fields.

    The landing page is redirected to the FGT_B GUI automatically.

  2. Select Logout from the user menu.

    The user is logged out of the SSL VPN web mode connection.

Previous
Next