ssl_vpn_quickstart_guide

Upload: ichung819

Post on 08-Apr-2018


  • 8/7/2019 SSL_VPN_Quickstart_Guide

    1/13

    Object: Fortinet SSL VPN Quickstart Guide

    Technical Contact : Fortinet Customer Support

    Date : July, 3rd 2008

    Reference : Fortinet Technical Note Fortinet Technical Note 030708 v1.0

    Version : 1.0

    EMEA

    Fortinet SSL VPN Quickstart Guide Page 1/13


    Table of Contents

    Introduction ............................................... 3
      Purpose of this document ................................. 3
      Pre-requisites ........................................... 3
      Example network .......................................... 3
    Configuring the SSL Web Portal ............................. 4
      Enable the SSL VPN ....................................... 4
      Create a user ............................................ 4
      Create an SSL VPN group .................................. 5
      Create an SSL firewall policy ............................ 6
      Test the web portal ...................................... 7
    Configuring the SSL Web Portal (tunnel mode changes) ....... 9
      Add Tunnel Mode VPN firewall policies .................... 9
      Add additional route to the SSL VPN IP addresses ........ 11
      Test the SSL Tunnel Mode client ......................... 11


    1. Introduction

    1.1.Purpose of this document

    This document describes the minimum steps needed to configure the FortiGate SSL VPN. It is meant to complement the more extensive SSL VPN Guide and therefore does not cover aspects of the SSL VPN such as AD/LDAP authentication integration, creation of bookmarks, etc. For these more advanced topics, please refer to the SSL VPN Guide available at http://docs.forticare.com/fgt.html.

    1.2.Pre-requisites

    It is assumed that the FortiGate on which the SSL VPN is being configured has already been correctly configured with the relevant network addresses, default route and DNS settings. If this has not been done, please consult the FortiGate Administration Guide at http://docs.forticare.com/fgt.html.

    1.3.Example Network

    The following simple test network is used throughout the document (the network diagram is not reproduced in this transcript).


    Configuring the SSL Web Portal

    There are several steps involved in creating an SSL VPN connection, and if any one is missed out it will not function correctly. The steps are as follows and are expanded on in the sections below:

      • Enable the SSL VPN
      • Create a user
      • Create an SSL VPN group
      • Create an SSL firewall policy

    1.4.Enable the SSL VPN

    Go to VPN > SSL > Config and select the Enable SSL-VPN radio box. There is no need to enter the tunnel IP range if you only want to use the web portal and not tunnel mode, but to save time later, enter a range as below.

    The Tunnel IP Range does not need to be from a range already configured on the FortiGate. In the example shown, the internal IP range is 192.168.1.0/24 but the tunnel IP range is 192.168.99.0/24. This will be returned to in the tunnel mode configuration section.

    1.5.Create a user

    Go to User > Local. Select Create New and enter the username and password. Alternatively, the username and password can be validated via one of the supported directory services (LDAP, AD, RADIUS, TACACS, etc.). For details of configuring these authentication mechanisms, see the SSL VPN Administration Guide. Take care not to click Disable, otherwise the user will not be able to log in.


    The configured users can be viewed by going to User > Local.

    1.6.Create an SSL VPN group

    Go to User > User Group and enter a suitable name for the group, for example SSL_VPN_Group. Note the use of underscores, as spaces are not allowed.

    Change the type of group to SSL, which changes the options at the bottom of the page. Click to highlight the users you want to be members of the group and click on the right arrow to move them to the Members box.

    Select Enable SSL-VPN Tunnel Service.

    Select Enable Web Applications and then select the applications you wish to enable. The remaining options can be left disabled until the SSL VPN has been tested.


    For a web portal based SSL VPN only, a single inbound rule is all that is required, as shown above.

    1.8.Test the Web Portal

    Because the FortiGate unit is managed via HTTPS on port 443, by default the SSL VPN is configured to be accessed on port 10443. See the SSL VPN Guide for options on changing this port to a more user-friendly setting.

    Browse to the IP address of the FortiGate unit, specifying port 10443, e.g. https://82.xxx.xxx.146:10443

    Enter the username and password previously configured. Note that the administrator password will not work here.


    Test that you can access resources on the private network by entering the IP of a system on the internal network in the Test for Reachability (Ping) section and clicking Go. A successful response is shown below.


    2. Configuring the SSL Web Portal

    Once the web portal is working, a few extra changes are needed to get the Tunnel Mode VPN working correctly. The changes are:

      • Add Tunnel Mode VPN firewall policies
      • Add an additional route to the SSL VPN IP addresses

    2.1. Add Tunnel Mode VPN firewall policies

    MR6 introduced a virtual interface for the SSL traffic. This allows additional flexibility, including routing SSL traffic back out through other VPNs and to the Internet.

    To enable tunnel mode, firewall policies must be created between the virtual SSL network and the internal network. In the root VDOM, the virtual SSL network is called ssl.root.

    Create a firewall rule between the Internal interface and the ssl.root interface. The policy can be tied down to restrict the source range to specific IP addresses on the internal network.

    Create a firewall rule between the ssl.root interface and the Internal interface. The policy can be tied down to restrict the source range to specific IP addresses on the internal network.


    The firewall policies required for a portal and tunnel mode VPN should look like those below.
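    The following is an added example (not Fortinet's code and not part of the original guide) that checks a policy table against the two ssl.root/internal policies this section calls for. It models each policy as a plain record with the fields the guide discusses, and flags any policy whose internal-network side is the unrestricted "all" object, since the guide recommends tying the policies down to specific internal addresses. The interface names "internal" and "ssl.root" come from the guide; the policy records and address object names are constructed for this example.

```python
"""Lint the firewall policies an SSL VPN tunnel-mode setup needs.

Added example, not Fortinet's code. Policies are modelled as plain records
with the fields the guide talks about. The policy list and the address
object names used below are constructed for the example.
"""
from dataclasses import dataclass

# Interface names from the guide: the virtual SSL interface in the root VDOM
# is ssl.root; "internal" is the LAN-side interface of its example network.
SSL_IF = "ssl.root"
LAN_IF = "internal"


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str   # address object name; "all" means unrestricted
    dstaddr: str
    action: str    # "accept" or "deny"


def lint_tunnel_policies(policies, lan_if=LAN_IF, ssl_if=SSL_IF):
    """Return a list of findings; an empty list means the policy set looks right."""
    findings = []
    accepts = [p for p in policies if p.action == "accept"]

    lan_to_ssl = [p for p in accepts if p.srcintf == lan_if and p.dstintf == ssl_if]
    ssl_to_lan = [p for p in accepts if p.srcintf == ssl_if and p.dstintf == lan_if]

    # Both directions must exist or tunnel-mode traffic is dropped.
    if not lan_to_ssl:
        findings.append(f"missing accept policy {lan_if} -> {ssl_if}")
    if not ssl_to_lan:
        findings.append(f"missing accept policy {ssl_if} -> {lan_if}")

    # The guide says each policy "can be tied down" to specific internal
    # addresses. The internal side is the destination for ssl.root -> internal
    # and the source for internal -> ssl.root; 'all' there exposes the whole
    # LAN to every tunnel user, so it is reported for review.
    for p in ssl_to_lan:
        if p.dstaddr == "all":
            findings.append(
                f"policy {p.policy_id}: {ssl_if} -> {lan_if} dstaddr is 'all' (not tied down)")
    for p in lan_to_ssl:
        if p.srcaddr == "all":
            findings.append(
                f"policy {p.policy_id}: {lan_if} -> {ssl_if} srcaddr is 'all' (not tied down)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a pair restricted to a LAN_servers address object
    # (hypothetical name) and the tunnel address object.
    sample = [
        Policy(1, "internal", "ssl.root", "LAN_servers", "SSLVPN_TUNNEL_ADDR", "accept"),
        Policy(2, "ssl.root", "internal", "SSLVPN_TUNNEL_ADDR", "all", "accept"),
    ]
    for finding in lint_tunnel_policies(sample) or ["no findings"]:
        print(finding)
```

    Run against a policy export, the checker gives a quick answer to the two questions this section raises: are both ssl.root/internal policies present, and has the internal side been restricted to the hosts tunnel users actually need.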


    2.2. Add additional route to the SSL VPN IP Addresses

    In section 2.1, the tunnel IP range was configured to a range that is not configured on a directly connected interface. To tell the FortiGate unit where this IP range is located, a static route must be created.

    Go to Router > Static and create a new route for the configured tunnel IP range, setting the device to the ssl.root interface. The Distance can be set to 2, which is higher than the directly connected networks and lower than the default route.
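    As an added example (not Fortinet's code and not part of the original guide), the following script checks the two things this section and section 1.4 together require: that the tunnel IP range does not overlap a directly connected subnet, and that a static route for the range points at ssl.root with a distance above the connected networks and below the default route. The subnets 192.168.1.0/24 and 192.168.99.0/24 and the distance 2 come from the guide; the distance values 0 for connected routes and 10 for the default static route distance are FortiOS defaults; the interface and route tables are constructed inputs.

```python
"""Check the SSL VPN tunnel range against the FortiGate's routing table.

Added example, not Fortinet's code. Interface and route tables are
constructed inputs modelled on the guide's example network.
"""
import ipaddress

CONNECTED_DISTANCE = 0         # FortiOS: directly connected networks
DEFAULT_STATIC_DISTANCE = 10   # FortiOS: default administrative distance for a static route


def check_tunnel_range(tunnel_range, interfaces):
    """Return findings if the tunnel range overlaps any connected subnet.

    `interfaces` maps interface name -> subnet in CIDR notation.
    """
    tunnel = ipaddress.ip_network(tunnel_range, strict=False)
    findings = []
    for name, subnet in interfaces.items():
        if tunnel.overlaps(ipaddress.ip_network(subnet, strict=False)):
            findings.append(f"tunnel range {tunnel} overlaps {name} ({subnet})")
    return findings


def check_tunnel_route(tunnel_range, routes, ssl_if="ssl.root"):
    """Verify a static route for the tunnel range via ssl_if with a sane distance.

    `routes` is a list of dicts: {"dst": "a.b.c.d/n", "device": str, "distance": int}.
    """
    tunnel = ipaddress.ip_network(tunnel_range, strict=False)

    # If a default route is present, use its distance as the upper bound;
    # otherwise fall back to the FortiOS default static distance.
    default_distance = max(
        [r["distance"] for r in routes
         if ipaddress.ip_network(r["dst"], strict=False).prefixlen == 0],
        default=DEFAULT_STATIC_DISTANCE,
    )

    matches = [r for r in routes
               if ipaddress.ip_network(r["dst"], strict=False) == tunnel]
    if not matches:
        return [f"no static route for {tunnel}; return traffic to tunnel clients "
                f"would follow the default route instead of {ssl_if}"]

    findings = []
    for r in matches:
        if r["device"] != ssl_if:
            findings.append(f"route for {tunnel} uses {r['device']}, expected {ssl_if}")
        if not (CONNECTED_DISTANCE < r["distance"] < default_distance):
            findings.append(
                f"route for {tunnel} has distance {r['distance']}; expected a value "
                f"between {CONNECTED_DISTANCE} and {default_distance} (exclusive)")
    return findings


if __name__ == "__main__":
    # Constructed tables mirroring the guide's example network.
    interfaces = {"internal": "192.168.1.0/24"}
    routes = [
        {"dst": "0.0.0.0/0", "device": "wan1", "distance": 10},
        {"dst": "192.168.99.0/24", "device": "ssl.root", "distance": 2},
    ]
    results = check_tunnel_range("192.168.99.0/24", interfaces)
    results += check_tunnel_route("192.168.99.0/24", routes)
    for line in results or ["no findings"]:
        print(line)
```

    The overlap check matters because the guide's advice that the tunnel range "does not need to be from a range already configured" is easy to misread: a tunnel range carved out of the internal subnet would make the static route compete with the connected route for the same hosts.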

    2.3.Test the SSL Tunnel Mode Client

    Once successfully authenticated to the SSL Portal, select Activate SSL-VPN Tunnel Mode. On the first connection, an ActiveX plugin is installed into the browser (Firefox and Internet Explorer supported in MR6, Linux and Mac OS X supported as of MR7) and will set up the SSL tunnel to the remote network.


    On Windows, administrator rights are required to install or update the plugin; however, it works under normal user privileges after the installation.

    Once the SSL VPN Link Status changes to Up, an IP address from the tunnel address range is assigned to the connecting system and the internal systems should be accessible (dependent on the firewall policies).


    Appendix A Debugging SSL VPN Issues

    To enable debugging on the SSL VPN, the following commands can be used on the CLI:

      diag debug application sslvpn 255
      diag debug enable
