SSL VPN using web and tunnel mode – Fortinet Cookbook

In this example, you will allow remote users to access the corporate network using an SSL VPN, connecting either by web mode using a web browser or by tunnel mode using FortiClient. This allows users to access network resources, such as the Internal Segmentation Firewall (ISFW) used in this example.

For users connecting via tunnel mode, traffic to the Internet will also flow through the FortiGate, so that security scanning can be applied to this traffic.

During the connection phase, the FortiGate will also verify that the remote user's antivirus software is installed and up to date.

1. Creating a user and a user group

Go to User & Device > User Definition. Create a local user account for an SSL VPN user.

I upgraded from 5.2.10 to 5.4.4. We have SSL VPN configured in web mode and tunnel mode. We use Firefox to connect to the work network. But when we log in, we don't see tunnel mode and also don't see the connect button?

How can I add security policies for access to the Internet if I am using WAN load balancing? I cannot find wan1 or wan2 or wan load balance as the outgoing interface.

I must be missing something. I followed this recipe with minor changes for IP information. I can authenticate when making the VPN connection. I can check the logs and see the connected client. The client gets a proper address in the subnet that I identified, and gets the DNS entries that I specified but no gateway. The client cannot access anything in the internal LAN. What am I missing?

Hi Michael, shot in the dark, but did you add the user group to the sslvpn-internal policy?

Yes. My policy looks identical to that of step 5 above with the exception of the icon for the LAN on the outgoing interface. It has the two green intersecting arrowed lines.

I (thanks to the Fortinet support) found the issue to be the machine I was using to test. I grabbed another laptop and it worked. I reformatted the original laptop and it now works on that as well.

Fantastic! Thanks for following up with us.

Is port 10443 a must if you want to change from the default port (443)? I would like to change to a port other than 443 or 10443, but it seems it's not working. Am I missing something?

Port 10443 is an unassigned port, which is why it was used for the VPN. Any other unassigned port can also be used without causing conflict.

If you are having trouble using a different port, double-check that you are using the correct port number in your URL (if you are using web mode) or in FortiClient (for tunnel mode). If after checking this you still have trouble, I would recommend contacting Fortinet Support.

If the subnet on the client side is the same as the one on the enterprise network, what should I do?
