simple step-by-step guide for configuration of sslvpn on fortigate 100a using mr4.00


Upload: joke-jong

Post on 28-Apr-2015


DESCRIPTION

This is a simplified guide that I have compiled and set up for configuring SSL VPN on a Fortigate 100A firewall. I believe this guide applies to all Fortigate firewalls, but you need to make sure the firmware version is 4.00 MR3; I am using patch 10.

TRANSCRIPT

Page 1: Simple step-by-step guide for configuration of SSLVPN on Fortigate 100a using MR4.00

Configuration of SSL-VPN on MWS HQ Fortigate-100a, Version 4.0 MR3 Patch 10

Introduction

SSL VPN access is given to users who need temporary access to the MWS network, with finer control over who has access to which resources. The downside of this setup is that the number of concurrent connections is limited by the licences available on the Fortigate.

High-level procedures: Info taken from: http://whitehat.williamlee.org/2010/05/fortigate-ssl-vpn-how-to.html

1) Set up user group(s) that are allowed SSL VPN access and include the intended users

2) Set up user account(s)

3) Set up the tunnel mode IP address range

4) Add a static route for the tunnel mode IP address range

5) Load the private key and certificate onto the box

6) Enable SSL VPN and set the SSL VPN portal TCP port to 8443

7) Create firewall policies to allow SSL VPN and/or tunnel mode access

8) Restart the firewall so that the web login on port 8443 takes effect

Steps to configure on Fortigate

The steps to configure are outlined below:

1) Create security group

a. Go to User > User Group > add a new user group: VPN-Users

2) Create new user accounts

a. Go to User > User > add a new user

b. Fill in the details of the new user

c. Add the user to the group: VPN-Users

3) Create a new address range for VPN-connected users

a. Go to Firewall Objects > Address > Address

b. Create a new range and name it SSL_VPN_tunnel_ip_range

i. I created a totally separate subnet (important): if the local subnet is 192.168.0.*, the new range should be something like 192.168.247.*, so that tunnel addresses never collide with LAN hosts.

ii. In my case I created 192.168.247.[201-210], since I am allowing a maximum of 10 users.

4) Create the static route for the tunnel

a. Go to Router > Static > Static Route

b. Add a new static route with IP/Mask 192.168.247.0/255.255.255.0, device ssl.root, and no gateway. The destination must be the subnet that contains the tunnel IP range from step 3; with a route for any other subnet, replies from LAN hosts never reach the tunnel interface.

5) SSL Certificate

a. Go to System > Certificates

b. Have a look at Local Certificates. Nothing needs to be done here, since I am not going to install an SSL certificate for this login (to save money). Be aware that the factory certificate is not trusted by browsers, so every user gets a certificate warning on connecting and is trained to click through it; installing a certificate from a CA the clients trust removes that.

6) To enable SSL VPN access and service

a. Go to VPN > SSL > Config


b. Set IP Pools to SSL_VPN_tunnel_ip_range

c. I set the encryption key algorithm to High, so only strong cipher suites are negotiated

d. Change the login port from 10443 to 8443 (it must differ from the admin HTTPS port)

e. DNS server 1: the DC in my LAN (even though it is on a different subnet), 192.168.0.1

f. DNS server 2: my ISP, 165.21.83.88

g. WINS server 1: my DC in my LAN, 192.168.0.1

h. Go to VPN > SSL > Portal to enable the tunnel mode settings for connected users

i. There should be one portal listed, SSL VPN. Right-click it and choose Edit

j. Click Settings

k. Enable HTTP/HTTPS, RDP, PING and RDPnative, change the theme to Gray and set the portal message: Welcome to Our SSL VPN Service

l. In the Tunnel Mode section, click the pen icon to edit the settings:

i. change IP mode to User Group,

ii. set IP Pools to SSL_VPN_tunnel_ip_range, and

iii. tick Split Tunneling (only traffic for the networks in the VPN firewall policies then goes through the tunnel)

m. Remember to save the settings or they will be lost: use the Apply button at the top of the page while in the portal screen.

7) For the firewall policy, see the Firewall Rules and Configuration section and screen-shots below

8) Verify all Admin Settings and Restart the Firewall

a. Go to System > Admin > Settings

b. Check the HTTP and HTTPS admin ports. Make sure the admin HTTPS port is not the same as the SSL VPN port (8443), or the two services collide.

c. Verify that the network interface for WAN1 or WAN2 is set correctly and that there is no NAT device in between blocking the SSL VPN connection (if there is, forward TCP 8443 to the Fortigate)

d. Enable PING access, HTTPS, HTTP and FMG-Access on the WAN connection that is used for the VPN. Caveat: the SSL VPN portal listener on 8443 is independent of administrative access, so none of these are required for the VPN to work, and enabling HTTP and FMG-Access on an Internet-facing interface exposes the management plane. If remote administration over HTTPS is needed, restrict it with Trusted Hosts on the administrator accounts.

e. Restart the firewall: go to System > Dashboard > Dashboard and choose Restart

Firewall Rules and Configuration

As per step 7 above, we need to define the firewall configuration for access to the server(s) that connected users will have access to.

Defining the servers to allow access to

We need to specify server addresses in the network address list. The first step in defining policies is to create the address objects.

1) Go to Firewall Objects > Address > Address

2) Create a new address object for each server.

a. Name: Server-(something), e.g. Server-HR

b. Address: 192.168.1.1/255.255.255.255 (a /32 mask, so the object matches exactly one host)

c. Interface: Internal

d. Type: Subnet

3) Once created, we can then set up the internal rules.

Defining the policy on the firewall to allow or disallow access

After the objects are created, we can create the relevant firewall rules.

1) The first rule to create allows VPN-connected users to access the internet (with Split Tunneling enabled in step 6l, internet traffic stays on the client's own connection, so this rule only comes into play if split tunneling is turned off)


2) Next, allow the SSL connection in from the WAN. I am using WAN2 for my main internet connection.

3) The last rule needed to make the connection work is the one that allows access from the SSL VPN to the server. Note the row labelled 29.1 in the screen-shot (the identity-based sub-policy under policy 29): this is where you must specify which user group has access to the server.
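The GUI steps above as one FortiOS CLI script, added here as a worked example; it is not from the original guide or from Fortinet. It uses the guide's own object names, addresses and port, with placeholders for the user name, password, WAN interface and HR server address, and it carries the tunnel route corrected to the 192.168.247.0/24 pool subnet. Keyword names are written for 4.0 MR3 and should be confirmed with `?` on the unit, since some option names differ between 4.0 releases; lines starting with `#` are comments in the style of FortiGate configuration files and may need stripping before pasting into an interactive CLI session.

```text
# Added example (not from the guide): FortiOS 4.0 MR3 CLI equivalent of the
# GUI steps above, using the guide's names and addresses. "alice", the
# password, "wan2" and the 192.168.1.1 HR server are placeholders; confirm
# each keyword with "?" on your unit, as option names vary between releases.

# Steps 1-2: a local user and the group that is granted SSL VPN access.
config user local
    edit "alice"
        set type password
        set passwd "REPLACE-WITH-A-STRONG-PASSWORD"
    next
end
config user group
    edit "VPN-Users"
        set member "alice"
    next
end

# Step 3: the tunnel pool on its own subnet, sized to the licence limit
# (10 addresses = 10 concurrent users), plus the HR server object (step 2
# of the Firewall Rules section).
config firewall address
    edit "SSL_VPN_tunnel_ip_range"
        set type iprange
        set start-ip 192.168.247.201
        set end-ip 192.168.247.210
    next
    edit "Server-HR"
        set associated-interface "internal"
        set subnet 192.168.1.1 255.255.255.255
    next
end

# Step 4: return route for the pool via the SSL VPN virtual interface. The
# destination must contain the pool; otherwise LAN replies never reach it.
config router static
    edit 0
        set dst 192.168.247.0 255.255.255.0
        set device "ssl.root"
    next
end

# Step 6: global settings. 8443 keeps the portal off the admin HTTPS port;
# "algorithm high" rejects weak cipher suites. servercert is left at the
# factory default, as in the guide, so browsers will show a warning.
config vpn ssl settings
    set sslvpn-enable enable
    set port 8443
    set algorithm high
    set tunnel-ip-pools "SSL_VPN_tunnel_ip_range"
    set dns-server1 192.168.0.1
    set dns-server2 165.21.83.88
    set wins-server1 192.168.0.1
end

# Steps 6h-6m: the portal. ip-mode user-group draws addresses from the pool
# bound to the group; split tunnelling sends only the destinations of the
# ssl.root policies through the tunnel, so no "internet via VPN" rule is needed.
config vpn ssl web portal
    edit "SSL VPN"
        set web-mode enable
        set tunnel-mode enable
        set ip-mode user-group
        set ip-pools "SSL_VPN_tunnel_ip_range"
        set split-tunneling enable
        set allow-access web rdp ping rdpnative
        set heading "Welcome to Our SSL VPN Service"
    next
end

# Step 7: (a) WAN2 -> internal, action ssl-vpn; the identity-based sub-entry
# is the "policy-id.1" row in the GUI (the "29.1" above) and binds the group.
# (b) ssl.root -> internal for tunnel-mode traffic from the pool.
config firewall policy
    edit 0
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Server-HR"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set groups "VPN-Users"
                set schedule "always"
                set service "ANY"
                set sslvpn-portal "SSL VPN"
            next
        end
    next
    edit 0
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSL_VPN_tunnel_ip_range"
        set dstaddr "Server-HR"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

After loading, `get router info routing-table static` should list 192.168.247.0/24 via ssl.root, `show vpn ssl settings` should show port 8443, and `get vpn ssl monitor` lists connected tunnel users once someone has logged in. Administrative access on WAN2 (step 8d) is deliberately not touched by the script: the portal listener does not depend on it, and ping plus HTTPS locked to trusted hosts is all that should be exposed.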