Administration Guide

SSL-VPN Settings

To configure the basic SSL-VPN settings for encryption and login options, go to VPN > SSL-VPN Settings.

Configure the following settings and then select Apply:

Enable SSL-VPN

Enable to use SSL-VPN.

Listen on Interface(s)

Select + to choose one or more interfaces that the FortiProxy unit will use to listen for SSL-VPN tunnel requests. This is generally your external interface.

Listen on Port

Enter the port number for HTTPS access.

Redirect HTTP to SSL-VPN

Move the slider to redirect the admin HTTP port to the admin HTTPS port.

Restrict Access

Restrict accessibility to either Allow access from any host or to Limit access to specific hosts.

Hosts

If you selected Limit access to specific hosts, enter the hosts.

Idle Logout

Enable if you want the user to log in again after the connection is inactive for the specified number of seconds.

Inactive For

Type the period of time (in seconds) that the connection can remain inactive before the user must log in again. The range is from 10 to 28800 seconds. Setting the value to 0 will disable the idle connection timeout. This setting applies to the SSL-VPN session. The interface does not time out when web application sessions or tunnels are up.

Server Certificate

Select the signed server certificate to use for authentication. If you leave the default setting (Fortinet_Factory), the FortiProxy unit offers its built-in certificate from Fortinet to remote clients when they connect. A warning appears that recommends you generate a trusted certificate and import it for use.

Require Client Certificate

Select to use group certificates for authenticating remote clients. When the remote client initiates a connection, the FortiProxy unit prompts the client

Address Range

Select Automatically assign addresses or Specify custom IP ranges.

IP Ranges

If you selected Specify custom IP ranges, select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients.

DNS Server

Select Same as client system DNS or Specify.

DNS Server #1

If you select Specify, you can enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.

DNS Server #2

If you select Specify, you can enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.

IPv6 DNS Server #1

If you select Specify, you can enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.

IPv6 DNS Server #2

If you select Specify, you can enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.

Specify WINS Servers

Move the slider to access options for entering up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.

WINS Server #1

If you enabled Specify WINS Servers, you can enter up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.

WINS Server #2

If you enabled Specify WINS Servers, you can enter up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.

IPv6 WINS Server #1

If you enabled Specify WINS Servers, you can enter up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.

IPv6 WINS Server #2

If you enabled Specify WINS Servers, you can enter up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.

Create New

Creates an authentication/portal mapping. See Create or edit an authentication/portal mapping.

Edit

Modifies the selected authentication/portal mapping. See Create or edit an authentication/portal mapping.

Delete

Removes the selected authentication/portal mapping.

Send SSL-VPN Configuration

Click to email the SSL-VPN configuration.

API Preview

The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

Edit in CLI

Click to open a CLI console window to view and edit the setting in the CLI. If there are multiple CLI settings on the page, the CLI console shows the first setting.

To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.

  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.

  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.

  4. Click Close to leave the preview.

Dual-stack IPv4 and IPv6 support for SSL VPN

Dual-stack IPv4 and IPv6 support for SSL-VPN servers and clients enables a client to establish a dual-stack tunnel that allows both IPv4 and IPv6 traffic to pass through. FortiProxy SSL-VPN clients also support dual stack, which allows them to establish dual-stack tunnels with other FortiProxy units.

Users connecting in web mode can connect to the web portal over IPv4 or IPv6. They can access bookmarks in either IPv4 or IPv6, depending on the preferred DNS setting of the web portal.

To enable dual stack in the CLI:
config vpn ssl settings
    set dual-stack-mode enable
end
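The settings above (server certificate, client certificate requirement, host restriction, idle logout range and dual-stack mode) can be checked offline against a saved CLI dump. The following audit script is an added example, not part of this guide; the CLI key names it looks for (servercert, reqclientcert, source-address, idle-timeout, dual-stack-mode) are assumed to follow FortiOS conventions, and both dumps are constructed samples.

```python
import re

# Constructed sample dumps (not captured from a real device).
WEAK_DUMP = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set reqclientcert disable
    set port 10443
    set idle-timeout 0
    set dual-stack-mode enable
end
"""

HARDENED_DUMP = """\
config vpn ssl settings
    set servercert "corp-sslvpn-cert"
    set reqclientcert enable
    set port 10443
    set source-address "Trusted-Hosts"
    set idle-timeout 300
    set dual-stack-mode enable
end
"""

VALID_IDLE_RANGE = (10, 28800)  # Inactive For range from the guide; 0 disables


def parse_settings(dump: str) -> dict:
    """Map each `set <key> <value>` line to key -> value (quotes stripped)."""
    pattern = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$', re.MULTILINE)
    return {m.group(1): m.group(2).strip('"') for m in pattern.finditer(dump)}


def audit_settings(settings: dict) -> list:
    """Return one finding per setting that contradicts the guide's recommendations."""
    findings = []
    # Server Certificate: the GUI warns when the built-in Fortinet_Factory cert is used.
    if settings.get("servercert", "Fortinet_Factory") == "Fortinet_Factory":
        findings.append("servercert: built-in Fortinet_Factory certificate; import a trusted certificate")
    # Require Client Certificate (assumed CLI key: reqclientcert).
    if settings.get("reqclientcert", "disable") != "enable":
        findings.append("reqclientcert: remote clients are not required to present a certificate")
    # Restrict Access / Hosts (assumed CLI key: source-address); absent means any host.
    if not settings.get("source-address"):
        findings.append("source-address: access allowed from any host")
    # Idle Logout / Inactive For: 10..28800 seconds, 0 disables the timeout.
    if "idle-timeout" in settings:
        idle = int(settings["idle-timeout"])
        lo, hi = VALID_IDLE_RANGE
        if idle == 0:
            findings.append("idle-timeout: 0 disables idle logout")
        elif not lo <= idle <= hi:
            findings.append(f"idle-timeout: {idle} is outside the valid range {lo}-{hi}")
    return findings
```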