Version : 1.0
Table of Contents
Introduction
  Purpose of this document
  Pre-requisites
  Example Network
Configuring the SSL Web Portal
  Enable the SSL VPN
  Create a user
  Create an SSL VPN group
  Create an SSL firewall policy
  Test the web portal
Configuring the SSL Tunnel Mode
  Add tunnel mode VPN firewall policies
  Add additional route to the SSL VPN IP addresses
  Test the SSL tunnel mode client
1. Introduction
1.1. Purpose of this document
This document describes the minimum steps needed to configure the FortiGate SSL VPN. It is meant to
complement the more extensive SSL VPN Guide and therefore does not cover topics such as AD/LDAP
authentication integration or the creation of bookmarks. For these more advanced topics, refer to the
SSL VPN Guide available at http://docs.forticare.com/fgt.html.
1.2. Pre-requisites
It is assumed that the FortiGate on which the SSL VPN is being set up already has its interface
addresses, default route and DNS settings configured. If this has not been done, consult the FortiGate
Administration Guide at http://docs.forticare.com/fgt.html.
1.3. Example Network
The following simple test network is used throughout the document: the FortiGate's Internal interface
serves 192.168.1.0/24, WAN1 faces the internet, and 192.168.99.0/24 is reserved as the SSL VPN
tunnel IP range.
1.4. Enable the SSL VPN
Go to VPN > SSL > Config and select Enable SSL-VPN. A tunnel IP range is not needed if you only want
the web portal and not tunnel mode, but to save time later, enter a range now as shown below.
The Tunnel IP Range does not need to be taken from a range already configured on the FortiGate. In
the example shown, the internal IP range is 192.168.1.0/24 while the tunnel IP range is
192.168.99.0/24. The range must, however, not overlap the internal network or any other network
reachable through the FortiGate, because a static route for it will later be pointed at the SSL virtual
interface. This setting is returned to in the tunnel mode configuration section.
1.5. Create a user
Go to User > Local, select Create New and enter the username and password. Alternatively, the
username and password can be validated against one of the supported directory services (LDAP, AD,
RADIUS, TACACS+ and so on); for details of configuring these authentication mechanisms, see the
SSL VPN Administration Guide. Leave the user's status enabled: a user that has been set to Disable
cannot log in.
1.6. Create an SSL VPN group
Create a user group and change its type to SSL, which changes the options at the bottom of the page.
Highlight the users who should be members of the group and click the right arrow to move them to the
Members box.
Select Enable Web Applications and then select the applications to expose through the portal. The
remaining options can be left disabled until the web portal has been tested.
1.7. Create an SSL firewall policy
Once all of the other configuration has been made, the final change is to create a firewall policy with
the SSL-VPN action; this is the rule that triggers the SSL VPN for matching connections.
Select as the source the interface the users will reach the SSL VPN from, for example the internet
connection; in this case it is WAN1. The example above does not restrict the IP range the users can
connect from, so they can connect from anywhere on the internet. If the user population comes from
known addresses, narrow the source address: an unrestricted source exposes the login page, and any
password guessing against it, to the whole internet.
The destination address can be limited so that users can only reach selected systems on the internal
network. For the purposes of this example the reachable range has not been limited (it has been set to
"Any"); in production, restrict it to the hosts users actually need.
For a web-portal-only SSL VPN, a single inbound policy of this kind is all that is required, as shown
above.
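The web portal steps above, transcribed to the FortiGate CLI as an added example; this is not part of the original guide. It uses the `config vpn ssl settings` and `config vpn ssl web portal` model of later FortiOS releases rather than the MR6-era firewall policy with the SSL-VPN action described above, so check the syntax against your release. The object names SSLVPN_TUNNEL_POOL, sslvpn-user1, SSL_VPN_Users and sslvpn-portal, the interface names wan1 and internal, and the placeholder password are assumptions. In this model the guide's single inbound policy becomes a policy from the ssl.root virtual interface to the internal interface with the user group as the source identity.

```text
# Added example: FortiGate CLI equivalent of the web portal steps. Object
# names are assumed; syntax is that of later FortiOS releases, not MR6.
# Lines beginning with # are annotations for the reader.

# Tunnel IP range from the guide (192.168.99.0/24), kept clear of the
# internal 192.168.1.0/24 network. Defined now so tunnel mode can reuse it.
config firewall address
    edit "SSLVPN_TUNNEL_POOL"
        set type iprange
        set start-ip 192.168.99.1
        set end-ip 192.168.99.254
    next
end

# Local user (User > Local). Status must stay enabled or the login fails.
config user local
    edit "sslvpn-user1"
        set type password
        set passwd "REPLACE-WITH-A-STRONG-PASSWORD"
        set status enable
    next
end

# SSL VPN user group (the group of type SSL in the guide).
config user group
    edit "SSL_VPN_Users"
        set member "sslvpn-user1"
    next
end

# Portal: web applications only; tunnel mode stays off until the portal works.
config vpn ssl web portal
    edit "sslvpn-portal"
        set web-mode enable
        set tunnel-mode disable
    next
end

# Global SSL VPN settings (VPN > SSL > Config): listen on wan1 port 10443.
# source-address "all" reproduces the guide's unrestricted source; replace it
# with an address object covering the user population where that is known.
config vpn ssl settings
    set port 10443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "sslvpn-portal"
    set tunnel-ip-pools "SSLVPN_TUNNEL_POOL"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_Users"
            set portal "sslvpn-portal"
        next
    end
end

# The guide's single inbound policy. In this model portal traffic arrives on
# the ssl.root virtual interface. dstaddr "all" matches the guide's "Any";
# narrow it to the hosts users need. edit 0 assigns the next free policy ID.
config firewall policy
    edit 0
        set name "sslvpn-portal-to-internal"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set groups "SSL_VPN_Users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Paste the blocks into a CLI session in order, since each later block references objects created by an earlier one. If your release rejects the # lines, strip them before pasting.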
1.8. Test the web portal
Browse to the IP address of the FortiGate unit, specifying port 10443, e.g. https://82.xxx.xxx.146:10443.
Enter the username and password configured earlier. Note that administrator credentials will not work
here: administrators are not SSL VPN users.
Test that you can reach resources on the private network by entering the IP address of a system on
the internal network in the Test for Reachability (Ping) section and clicking Go. A successful response
is shown below.
2. Configuring the SSL Tunnel Mode
MR6 introduced a virtual interface for SSL VPN traffic. It gives additional flexibility, including allowing
SSL VPN traffic to be routed back out through other VPNs and to the internet.
2.1. Add tunnel mode VPN firewall policies
To enable tunnel mode, firewall policies must be created between the virtual SSL network and the
internal network. In the root VDOM, the virtual SSL interface is called ssl.root.
Create a firewall policy from the Internal interface to the ssl.root interface. This policy can be tightened
by restricting the source to specific IP addresses on the internal network and the destination to the
tunnel IP range.
Create a firewall policy from the ssl.root interface to the Internal interface. Here the source is the tunnel
IP range (192.168.99.0/24 in the example), so tighten it by restricting the destination to the specific
internal systems the VPN users need; unlike the web portal, tunnel mode gives clients direct IP access
to whatever these policies allow.
The firewall policies required for a portal and tunnel mode VPN should look like those below.
2.2. Add additional route to the SSL VPN IP addresses
Go to Router > Static and create a new route for the configured tunnel IP range (192.168.99.0/24 in
the example), setting the device to the ssl.root interface. The distance can be set to 2, which is higher
than that of directly connected networks and lower than that of the default route, so the route is only
preferred for the tunnel range itself. Without this route, replies from internal systems to tunnel clients
would follow the default route out of WAN1 instead of back into the SSL virtual interface.
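The tunnel mode steps (policies in both directions and the static route) as the added CLI example continued; again this is not the guide's own material and uses later-release syntax. It assumes the objects defined in the web portal example (SSLVPN_TUNNEL_POOL, SSL_VPN_Users, sslvpn-portal) and the interface names internal and ssl.root. Later FortiOS releases usually do not need the manual static route for the tunnel pool, so check `get router info routing-table all` after a client connects before adding it.

```text
# Added example (continued): tunnel mode on the FortiGate CLI. Assumes the
# objects from the web portal example; later-release syntax.

# Turn on tunnel mode for the portal and hand out addresses from the pool.
config vpn ssl web portal
    edit "sslvpn-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_POOL"
    next
end

# Policies between the virtual SSL interface and the internal network.
# ssl.root -> internal: source is the tunnel pool; dstaddr "all" mirrors the
# guide, but tunnel clients get direct IP access, so narrow it in production.
# internal -> ssl.root: lets internal systems initiate to tunnel clients;
# omit it if clients only need to reach internal services.
config firewall policy
    edit 0
        set name "sslvpn-tunnel-to-internal"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_POOL"
        set dstaddr "all"
        set groups "SSL_VPN_Users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "internal-to-sslvpn-tunnel"
        set srcintf "internal"
        set dstintf "ssl.root"
        set srcaddr "all"
        set dstaddr "SSLVPN_TUNNEL_POOL"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Static route for the tunnel range via ssl.root (Router > Static), distance 2:
# above connected routes, below the default route. Only needed if the routing
# table does not already show the tunnel range on ssl.root after a client
# connects.
config router static
    edit 0
        set dst 192.168.99.0 255.255.255.0
        set device "ssl.root"
        set distance 2
    next
end
```

After a client connects, confirm with `get router info routing-table all` that 192.168.99.0/24 (or the client's host route) points at ssl.root and not at the default route.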
2.3. Test the SSL tunnel mode client
On Windows, administrator rights are required to install or update the tunnel mode plugin; once
installed, it runs under a normal user account.
Once the SSL VPN Link Status changes to Up, an IP address from the tunnel address range is assigned
to the connecting system and the internal systems should be accessible, subject to the firewall
policies.