SSL VPN
Important: When SSL VPN Settings are applied, all existing SSL VPN connections are disconnected, regardless of portal. Applying SSL VPN Settings should be done during a Maintenance Window.
Configure both DNS addresses via the CLI. DNS addresses do not appear in the UI until after they have been configured once in the CLI.
Configure the VPN portals and settings with:
- Address Object(s) configured with the VPN scope(s) just created
- Production DNS server IP address for DNS Server #1
- FortiNAC's VPN interface address for DNS Server #2
- Domain Name for agent communication (required if agents are delivered through the Captive Portal):
  - Must match the domain to be configured in the VPN scope of FortiNAC. FortiNAC only answers SRV queries from connecting agents sourced from this domain. See DNS File Entry Descriptions in the Appendix for details.
  - If FortiNAC is managing multiple VPN scopes where agents are delivered through the portal, they must all use the same domain.
  - Avoid using the .local suffix; macOS and some Linux systems may have communication issues with it.
VPN Portals
UI
- Navigate to VPN > SSL-VPN Portals
- Configure using the VPN IP address objects just configured
- Click OK to save
CLI Example
    config vpn ssl web portal
        edit "FNAC_SSL_Portal"
            set tunnel-mode enable
            set web-mode enable
            set ip-pools "FNAC_SSL_VPN_ADDR"      >> Address Object
            set split-tunneling disable
            set dns-server1 10.200.20.50          >> Production DNS
            set dns-server2 10.200.5.22           >> FortiNAC ETH1_VPN Interface IP
            set dns-suffix "Internal-Lab.info"    >> Set Domain Name as DNS-Suffix
            config bookmark-group
                edit "gui-bookmarks"
                next
            end
        next
    end
VPN Settings
Important:
- Applying SSL VPN Settings disconnects all existing SSL VPN connections on the FortiGate. If there are VPN tunnels in production, this should be done during a Maintenance Window.
- VPN settings should be configured via the CLI in order to apply them to the specific portal (the UI applies them to all SSL portals).
- Domain Name for agent communication, set as the dns-suffix
    config vpn ssl settings
        set ssl-min-proto-ver tls1-1
        set servercert "Fortinet_Factory"
        set tunnel-ip-pools "FNAC_SSL_VPN_ADDR"
        set dns-suffix "Internal-Lab.info"        >> Set Domain Name as DNS-Suffix
        set dns-server1 10.200.20.50              >> Production DNS
        set dns-server2 10.200.5.22               >> FortiNAC ETH1_VPN Interface IP
        set port 4443
        set source-interface "wan1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "full-access"
        config authentication-rule
            edit 2
                set groups "SSL-Users"
                set portal "full-access"
            next
            edit 3
                set portal "FNAC_SSL_Portal"       >> Apply to "FNAC_SSL_Portal" only
            next
        end
    end
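As an added consistency check (not part of this page or of any Fortinet tooling), the Python below parses the two CLI blocks above into a tree and verifies the requirements the page states: a dns-suffix that is present and does not end in .local, the same domain in the portal and in vpn ssl settings, dns-server2 pointing at the FortiNAC VPN interface address, and an authentication-rule that applies the FortiNAC portal. The parser covers only the config/edit/set/next/end subset used on this page; the sample configuration and the FortiNAC address 10.200.5.22 are copied from the page.

```python
import shlex
# Constructed sample: this page's portal and settings blocks, reduced to the keys checked below.
SAMPLE_CLI = """config vpn ssl web portal
    edit "FNAC_SSL_Portal"
        set dns-server1 10.200.20.50 >> Production DNS
        set dns-server2 10.200.5.22 >> FortiNAC ETH1_VPN Interface IP
        set dns-suffix "Internal-Lab.info"
    next
end
config vpn ssl settings
    set dns-suffix "Internal-Lab.info"
    config authentication-rule
        edit 3
            set portal "FNAC_SSL_Portal"
        next
    end
end"""

def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts (FortiOS CLI subset)."""
    root, stack = {}, []
    for line in text.splitlines():
        tok = shlex.split(line.split(">>")[0])  # the page's ">>" notes are not CLI; drop them
        if not tok:
            continue
        cur = stack[-1] if stack else root
        if tok[0] in ("config", "edit"):      # open a nested table or table entry
            stack.append(cur.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":                 # single value, or a list for multi-value keys
            cur[tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root

def check_fortinac_vpn(cli, portal_name, fortinac_vpn_ip):
    """Return findings against this page's requirements; an empty list means consistent."""
    cfg = parse_fortios(cli)
    portal, settings = cfg["vpn ssl web portal"][portal_name], cfg["vpn ssl settings"]
    suffix, findings = portal.get("dns-suffix", ""), []
    if not suffix or suffix.lower().endswith(".local"):
        findings.append(f"dns-suffix {suffix!r} is missing or ends in .local")
    if suffix != settings.get("dns-suffix"):
        findings.append("dns-suffix differs between the portal and vpn ssl settings")
    if portal.get("dns-server2") != fortinac_vpn_ip:
        findings.append("portal dns-server2 is not the FortiNAC VPN interface IP")
    rules = settings.get("authentication-rule", {}).values()
    if not any(r.get("portal") == portal_name for r in rules):
        findings.append(f"no authentication-rule applies portal {portal_name!r}")
    return findings
```

Run it against the output of `show vpn ssl web portal` and `show vpn ssl settings` after applying the configuration; an empty list means the portal, the settings and the FortiNAC VPN scope agree on domain and DNS.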
Proceed to Configure FortiNAC.