Administration Guide

Creating SSL VPNs

To create SSL VPNs, you must be logged in as an administrator with sufficient privileges. Multiple VPNs can be created.

To add an SSL VPN:
  1. Go to VPN Manager > SSL-VPN > Settings.
  2. Click Create New in the content toolbar. The Create SSL VPN Settings pane is displayed.

  3. Configure the following settings, then click OK to create the VPN.

    Device

    Select a FortiGate device or VDOM.

    Connection Settings

    Specify the connection settings.

    Listen on Interface(s)

    Define the interface the FortiGate will use to listen for SSL VPN tunnel requests. This is generally your external interface.

    Listen on Port

    Enter the port number for HTTPS access.

    Restrict Access

    Allow access from any hosts, or limit access to specific hosts. If limiting access, select the hosts that have access in the Hosts field.

    Idle Logout

    Select to enable idle timeout. When enabled, enter the amount of time that the connection can remain inactive before timing out in the Inactive For field, in seconds (10 - 28800, default = 300).

    This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.

    Server Certificate

    Select the signed server certificate to use for authentication. Alternatively, select a certificate template that is configured to use the FortiManager CA. See Certificate templates.

    Require Client Certificate

    Select to use group certificates for authenticating remote clients. When the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process. For information on using PKI to provide client certificate authentication, see the Authentication Guide.

    Tunnel Mode Client Settings

    Specify tunnel mode client settings. These settings determine how tunnel mode clients are assigned IP addresses.

    Address Range

    Either automatically assign addresses, or specify custom IP ranges.

    DNS Server

    Select to use the same DNS as the client system, or to specify DNS servers. Enter up to two DNS servers to be provided for the use of clients.

    Specify WINS Servers

    Select to specify WINS servers. Enter up to two WINS servers to be provided for the use of clients.

    Allow Endpoint Registration

    Select to allow endpoint registration.

    Authentication/Portal Mapping

    Select the users and groups that can access the tunnel.

    Note: the default portal cannot be empty.

    Create New

    Create a new authentication/portal mapping entry. Select the Users, Groups, Realm, and Portal, then click OK.

    Edit

    Edit the selected mapping.

    Delete

    Delete the selected mapping or mappings.

    Advanced Options

    Configure advanced SSL VPN options. For information, see the FortiOS CLI Reference.
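
An added example (not Fortinet code and not part of the original guide): a Python check that audits a FortiOS `config vpn ssl settings` block for the Restrict Access, Idle Logout and Require Client Certificate fields described above. The CLI keys `source-address`, `idle-timeout` and `reqclientcert` are assumed to correspond to those GUI fields, and the sample configuration is constructed.

```python
import shlex

# Constructed sample; object names and values are hypothetical.
WEAK = '''config vpn ssl settings
    set servercert "vpn-example-cert"
    set idle-timeout 0
    set port 10443
    set source-interface "wan1"
    set source-address "all"
    set reqclientcert disable
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "full-access"
        next
    end
end
'''

def parse_settings(text):
    """Collect top-level 'set' lines; nested sub-tables are skipped."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1
        elif tok[0] == "end":
            depth -= 1
        elif tok[0] == "set" and depth == 1 and len(tok) >= 3:
            settings[tok[1]] = tok[2:]
    return settings

def audit(text):
    """Return the keys whose values leave the tunnel endpoint loosely protected."""
    s, findings = parse_settings(text), []
    # Idle Logout: the guide gives 10 - 28800 seconds, default 300.
    idle = int(s.get("idle-timeout", ["300"])[0])
    if not 10 <= idle <= 28800:
        findings.append("idle-timeout")
    # Restrict Access: assumed unrestricted when unset or set to "all".
    if "all" in s.get("source-address", ["all"]):
        findings.append("source-address")
    # Require Client Certificate: flag anything other than enable.
    if s.get("reqclientcert", ["disable"])[0] != "enable":
        findings.append("reqclientcert")
    return findings
```

Calling `audit(WEAK)` returns the three flagged keys; a block with an in-range idle timeout, a specific source address object and `reqclientcert enable` returns an empty list.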
