Fortinet white logo
Fortinet white logo

Administration Guide

Web portal configurations

Web portal configurations

An SSL VPN web portal enables users to access network resources through a secure channel using a web browser. System administrators can configure log in privileges for users and which network resources are available to these users. The portal configuration determines what the user sees when they log in to the portal. Both system administrators and the users have the ability to customize the SSL VPN portal.

There are three predefined default web portal configurations available:

  • full-access: connecting clients can either access protected resources through the SSL VPN web portal, or use FortiClient to connect through tunnel mode.
  • tunnel-access: connecting clients can only access protected resources with FortiClient connecting through tunnel mode.
  • web-access: connecting clients can only access protected resources through the SSL VPN web portal.

Custom web portals can also be configured.

To configure a custom web portal:
  1. Go to VPN > SSL-VPN Portals and click Create New.

  2. Configure the following settings as needed:

    GUI option

    Description

    Name

    Enter the portal name.

    Limit Users to One SSL-VPN Connection at a Time

    This option is disabled by default. When enabled, once a user logs in to the portal, they cannot go to another system and log in with the same credentials again.

    Tunnel Mode

    Split tunneling

    There are three options:

    • Disabled: all client traffic will be directed over the SSL VPN tunnel.
    • Enabled Based on Policy Destination: only client traffic where the destination matches the destination of the configured firewall policies will be directed over the SSL VPN tunnel.
    • Enabled for Trusted Destinations: only client traffic that does not match explicitly trusted destinations will be directed over the SSL VPN tunnel.

    Routing Address Override

    When Split tunneling is set to Enabled Based on Policy Destination, the IPv4 firewall address selected overrides the firewall policy destination addresses to control split tunnel access.

    When Split tunneling is set to Enabled for Trusted Destinations, the IPv4 firewall address selected becomes a trusted destination that will not be tunneled through SSL VPN. All other destinations will be tunneled through SSL VPN.

    Source IP Pools

    Select an IP pool for users to acquire an IP address when connecting to the portal.

    IPv6 Tunnel Mode

    When enabled, these settings determine how tunnel mode clients are assigned IPv6 addresses.

    IPv6 split tunneling

    The same three options are available as in Tunnel Mode.

    IPv6 Routing Address Override

    When Split tunneling is set to Enabled Based on Policy Destination, the IPv6 firewall address selected overrides the firewall policy destination addresses to control split tunnel access.

    When Split tunneling is set to Enabled for Trusted Destinations, the IPv6 firewall address selected becomes a trusted destination that will not be tunneled through SSL VPN. All other destinations will be tunneled through SSL VPN.

    Source IPv6 Pools

    Select an IP pool for users to acquire an IP address when connecting to the portal.

    Tunnel Mode Client Options

    The following options affect how FortiClient behaves when connected to the VPN tunnel.

    Allow client to save password

    When enabled and if the user selects this option, their password is stored on the their computer and will automatically populate each time they connect to the VPN.

    Allow client to connect automatically

    When enabled and if the user selects this option, when FortiClient launches (such as after a reboot or system start up), FortiClient will automatically attempt to connect to the VPN.

    Allow client to keep connections alive

    When enabled and if the user selects this option, FortiClient will try to reconnect once it detects that the VPN connection is unexpectedly down (not manually disconnected by the user).

    DNS Split Tunneling

    When enabled, the Split DNS table is visible, where new DNS entries can be created. See SSL VPN split DNS for more details.

    Host Check

    When enabled, the type of host checking performed on endpoints can be configured (see Configuring OS and host check).

    Type

    There are three options:

    • Realtime AntiVirus: check for antivirus software recognized by the Windows Security Center.
    • Firewall: check for firewall software recognized by the Windows Security Center.
    • Enable both: check for antivirus and firewall software recognized by the Windows Security Center.

    Restrict to Specific OS Versions

    When enabled, access to certain operating systems can be denied or forced to check for an update. By default, all operating systems in the table are allowed (see Configuring OS and host check).

    Web Mode

    Enable this option to configure the web portal settings.

    Portal Message

    Enter a message that appears at the top of the web portal screen (default = SSL-VPN Portal).

    Theme

    Select a color theme from the dropdown.

    Show Session Information

    Enable to display session information in the top banner of the web portal (username, amount of time logged in, and traffic statistics).

    Show Connection Launcher

    Enable to display the Quick Connection button.

    Show Login History

    Enable to display the user's login history (History).

    User Bookmarks

    Enable to allow users to add their own bookmarks (New Bookmark).

    Rewrite Content IP/UI/

    Enable contents rewrite for URIs containing IP-address/ui/.

    RDP/VNC clipboard

    Enable to support RDP/VPC clipboard functionality.

    Predefined Bookmarks

    Use the table to create and edit predefined bookmarks. See To create a predefined administrator bookmark in FortiOS: for more details.

    FortiClient Download

    Enable this option to display the Download FortiClient button.

    Download Method

    Select either Direct or SSL-VPN Proxy as the method to download FortiClient.

    Customize Download Location

    Enable to configure a custom download location for Windows or Mac.

  3. Click OK.

Tooltip

By default, the browser's language preference is automatically detected and used by the SSL VPN portal login page. The system language can still be used by changing the settings on the SSL-VPN Settings page of the GUI, or disabling browser-language detection in the CLI. See Showing the SSL VPN portal login page in the browser's language for more details.

Web portal configurations

Web portal configurations

An SSL VPN web portal enables users to access network resources through a secure channel using a web browser. System administrators can configure log in privileges for users and which network resources are available to these users. The portal configuration determines what the user sees when they log in to the portal. Both system administrators and the users have the ability to customize the SSL VPN portal.

There are three predefined default web portal configurations available:

  • full-access: connecting clients can either access protected resources through the SSL VPN web portal, or use FortiClient to connect through tunnel mode.
  • tunnel-access: connecting clients can only access protected resources with FortiClient connecting through tunnel mode.
  • web-access: connecting clients can only access protected resources through the SSL VPN web portal.

Custom web portals can also be configured.

To configure a custom web portal:
  1. Go to VPN > SSL-VPN Portals and click Create New.

  2. Configure the following settings as needed:

    GUI option

    Description

    Name

    Enter the portal name.

    Limit Users to One SSL-VPN Connection at a Time

    This option is disabled by default. When enabled, once a user logs in to the portal, they cannot go to another system and log in with the same credentials again.

    Tunnel Mode

    Split tunneling

    There are three options:

    • Disabled: all client traffic will be directed over the SSL VPN tunnel.
    • Enabled Based on Policy Destination: only client traffic where the destination matches the destination of the configured firewall policies will be directed over the SSL VPN tunnel.
    • Enabled for Trusted Destinations: only client traffic that does not match explicitly trusted destinations will be directed over the SSL VPN tunnel.

    Routing Address Override

    When Split tunneling is set to Enabled Based on Policy Destination, the IPv4 firewall address selected overrides the firewall policy destination addresses to control split tunnel access.

    When Split tunneling is set to Enabled for Trusted Destinations, the IPv4 firewall address selected becomes a trusted destination that will not be tunneled through SSL VPN. All other destinations will be tunneled through SSL VPN.

    Source IP Pools

    Select an IP pool for users to acquire an IP address when connecting to the portal.

    IPv6 Tunnel Mode

    When enabled, these settings determine how tunnel mode clients are assigned IPv6 addresses.

    IPv6 split tunneling

    The same three options are available as in Tunnel Mode.

    IPv6 Routing Address Override

    When Split tunneling is set to Enabled Based on Policy Destination, the IPv6 firewall address selected overrides the firewall policy destination addresses to control split tunnel access.

    When Split tunneling is set to Enabled for Trusted Destinations, the IPv6 firewall address selected becomes a trusted destination that will not be tunneled through SSL VPN. All other destinations will be tunneled through SSL VPN.

    Source IPv6 Pools

    Select an IP pool for users to acquire an IP address when connecting to the portal.

    Tunnel Mode Client Options

    The following options affect how FortiClient behaves when connected to the VPN tunnel.

    Allow client to save password

    When enabled and if the user selects this option, their password is stored on the their computer and will automatically populate each time they connect to the VPN.

    Allow client to connect automatically

    When enabled and if the user selects this option, when FortiClient launches (such as after a reboot or system start up), FortiClient will automatically attempt to connect to the VPN.

    Allow client to keep connections alive

    When enabled and if the user selects this option, FortiClient will try to reconnect once it detects that the VPN connection is unexpectedly down (not manually disconnected by the user).

    DNS Split Tunneling

    When enabled, the Split DNS table is visible, where new DNS entries can be created. See SSL VPN split DNS for more details.

    Host Check

    When enabled, the type of host checking performed on endpoints can be configured (see Configuring OS and host check).

    Type

    There are three options:

    • Realtime AntiVirus: check for antivirus software recognized by the Windows Security Center.
    • Firewall: check for firewall software recognized by the Windows Security Center.
    • Enable both: check for antivirus and firewall software recognized by the Windows Security Center.

    Restrict to Specific OS Versions

    When enabled, access to certain operating systems can be denied or forced to check for an update. By default, all operating systems in the table are allowed (see Configuring OS and host check).

    Web Mode

    Enable this option to configure the web portal settings.

    Portal Message

    Enter a message that appears at the top of the web portal screen (default = SSL-VPN Portal).

    Theme

    Select a color theme from the dropdown.

    Show Session Information

    Enable to display session information in the top banner of the web portal (username, amount of time logged in, and traffic statistics).

    Show Connection Launcher

    Enable to display the Quick Connection button.

    Show Login History

    Enable to display the user's login history (History).

    User Bookmarks

    Enable to allow users to add their own bookmarks (New Bookmark).

    Rewrite Content IP/UI/

    Enable contents rewrite for URIs containing IP-address/ui/.

    RDP/VNC clipboard

    Enable to support RDP/VPC clipboard functionality.

    Predefined Bookmarks

    Use the table to create and edit predefined bookmarks. See To create a predefined administrator bookmark in FortiOS: for more details.

    FortiClient Download

    Enable this option to display the Download FortiClient button.

    Download Method

    Select either Direct or SSL-VPN Proxy as the method to download FortiClient.

    Customize Download Location

    Enable to configure a custom download location for Windows or Mac.

  3. Click OK.

Tooltip

By default, the browser's language preference is automatically detected and used by the SSL VPN portal login page. The system language can still be used by changing the settings on the SSL-VPN Settings page of the GUI, or disabling browser-language detection in the CLI. See Showing the SSL VPN portal login page in the browser's language for more details.