
FortiGate VM High Availability VMware configuration

High Availability VMware configuration

If you want to combine two or more FortiGate-VM instances into a FortiGate Clustering Protocol (FGCP) High Availability (HA) cluster, the VMware server’s virtual switches used to connect the heartbeat interfaces must operate in promiscuous mode. This permits HA heartbeat communication between the heartbeat interfaces. HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8890. The FGCP uses link-local IPv4 addresses in the 169.254.0.x range for HA heartbeat interface IP addresses.

To enable promiscuous mode in VMware:

  1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
  2. In Hardware, select Networking.
  3. Select Properties of a virtual switch used to connect heartbeat interfaces.
  4. In the Properties window left pane, select vSwitch and then select Edit.
  5. Select the Security tab, set Promiscuous Mode to Accept, then select OK.
  6. Select Close.

You must also set the virtual switches connected to other FortiGate interfaces to allow MAC address changes and to accept forged transmits. This is required because the FGCP sets virtual MAC addresses for all FortiGate interfaces and the same interfaces on the different VM instances in the cluster will have the same virtual MAC addresses.

To make the required changes in VMware:

  1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
  2. In Hardware, select Networking.
  3. Select Properties of a virtual switch used to connect FortiGate VM interfaces.
  4. Set MAC Address Changes to Accept.
  5. Set Forged Transmits to Accept.

Power on your FortiGate VM

You can now proceed to power on your FortiGate VM. There are several ways to do this:

  • Select the name of the FortiGate VM you deployed in the inventory list and select Power on the virtual machine in the Getting Started
  • In the inventory list, right-click the name of the FortiGate VM you deployed, and select Power > Power On.
  • Select the name of the FortiGate VM you deployed in the inventory list. Click the Power On button on the toolbar.

Select the Console tab to view the console. To enter text, you must click in the console pane. The mouse is then captured and cannot leave the console screen. As the FortiGate console is text-only, no mouse pointer is visible. To release the mouse, press Ctrl-Alt.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiGate VM Transparent Mode VMware Configuration

Transparent mode VMware configuration

If you want to use your FortiGate-VM in transparent mode, your VMware server’s virtual switches must operate in promiscuous mode. This permits these interfaces to receive traffic that will pass through the FortiGate unit but was not addressed to the FortiGate unit.

In VMware, promiscuous mode must be explicitly enabled:

  1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
  2. In Hardware, select Networking.
  3. Select Properties of vSwitch0.
  4. In the Properties window left pane, select vSwitch and then select Edit.
  5. Select the Security tab, set Promiscuous Mode to Accept, then select OK.
  6. Select Close.
  7. Repeat steps 3 through 6 for other vSwitches that your transparent mode FortiGate-VM uses.
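The two HA procedures and the transparent-mode steps above change the same three vSwitch security settings. The following added example (not from the guide or from Fortinet) models those settings with VMware's documented Reject/Accept semantics on constructed frames and MAC addresses, so the effect of leaving a setting at Reject can be seen without a lab.

```python
from dataclasses import dataclass

FGCP_ETHERTYPES = {0x8890, 0x8891}  # heartbeat Ethertypes named in the guide
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int


@dataclass
class VSwitchPort:
    """One vSwitch port. initial_mac is the adapter MAC from the .vmx file;
    effective_mac is whatever the guest has programmed on the adapter."""
    initial_mac: str
    effective_mac: str
    promiscuous: bool = False       # Promiscuous Mode: Accept?
    mac_changes: bool = False       # MAC Address Changes: Accept?
    forged_transmits: bool = False  # Forged Transmits: Accept?

    def receives(self, frame: Frame) -> bool:
        # MAC Address Changes = Reject: once the guest changes its MAC, the
        # port drops all inbound frames until the MAC is changed back.
        if not self.mac_changes and self.effective_mac != self.initial_mac:
            return False
        if self.promiscuous:
            return True  # Accept: the port sees every frame on the port group
        return frame.dst in (self.effective_mac, BROADCAST) or is_multicast(frame.dst)

    def transmits(self, frame: Frame) -> bool:
        # Forged Transmits = Reject: outbound frames whose source MAC differs
        # from the port's effective MAC are dropped.
        return self.forged_transmits or frame.src == self.effective_mac


def is_multicast(mac: str) -> bool:
    # Group bit: least significant bit of the first octet.
    return int(mac.split(":")[0], 16) & 1 == 1


def delivered(sender: VSwitchPort, receiver: VSwitchPort, frame: Frame) -> bool:
    return sender.transmits(frame) and receiver.receives(frame)


def heartbeat_seen(promiscuous: bool) -> bool:
    """Heartbeat vSwitch (first HA procedure). The constructed heartbeat frame is
    addressed to a MAC the receiving port does not own, so only a promiscuous
    port delivers it to the guest. All MACs here are constructed."""
    a = VSwitchPort("00:50:56:aa:00:01", "00:50:56:aa:00:01", promiscuous=promiscuous)
    b = VSwitchPort("00:50:56:aa:00:02", "00:50:56:aa:00:02", promiscuous=promiscuous)
    hb = Frame(src=a.effective_mac, dst="00:09:0f:09:ff:ff", ethertype=0x8890)
    return hb.ethertype in FGCP_ETHERTYPES and delivered(a, b, hb)


def cluster_inbound_ok(mac_changes: bool) -> bool:
    """Data vSwitch (second HA procedure), inbound side. The FGCP has programmed
    a virtual MAC on the cluster interface (effective != initial); a client
    frame addressed to that virtual MAC is what MAC Address Changes gates."""
    fgt = VSwitchPort("00:50:56:aa:00:10", "00:09:0f:09:00:10", mac_changes=mac_changes)
    client = VSwitchPort("00:50:56:aa:00:20", "00:50:56:aa:00:20")
    req = Frame(src=client.effective_mac, dst=fgt.effective_mac, ethertype=0x0800)
    return delivered(client, fgt, req)


def cluster_outbound_ok(forged_transmits: bool) -> bool:
    """Data vSwitch, outbound side. Constructed failover moment: the member
    taking over sources a frame from the shared virtual MAC while its adapter
    still carries the .vmx MAC; Forged Transmits is what gates that frame."""
    fgt = VSwitchPort("00:50:56:aa:00:11", "00:50:56:aa:00:11",
                      forged_transmits=forged_transmits)
    client = VSwitchPort("00:50:56:aa:00:20", "00:50:56:aa:00:20")
    garp = Frame(src="00:09:0f:09:00:10", dst=BROADCAST, ethertype=0x0806)
    return delivered(fgt, client, garp)


def vswitch_policy_findings(promiscuous: bool, mac_changes: bool,
                            forged_transmits: bool) -> list:
    """Report which of the guide's required settings a vSwitch still has at Reject."""
    findings = []
    if not heartbeat_seen(promiscuous):
        findings.append("Promiscuous Mode: Reject -> HA heartbeat not delivered")
    if not cluster_inbound_ok(mac_changes):
        findings.append("MAC Address Changes: Reject -> inbound to virtual MAC dropped")
    if not cluster_outbound_ok(forged_transmits):
        findings.append("Forged Transmits: Reject -> frames from virtual MAC dropped")
    return findings


if __name__ == "__main__":
    print(vswitch_policy_findings(False, False, False))  # VMware defaults: three findings
    print(vswitch_policy_findings(True, True, True))     # after the procedures: []
```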

 




FortiGate VM Deployment example – VMware

Deployment example – VMware

Once you have downloaded the FGT_VMxx-v5-build0xxx-FORTINET.out.ovf.zip file from http://support.fortinet.com and extracted the package contents to a folder on your local computer, you can use the vSphere client to create the virtual machine from the deployment package OVF template.

The following topics are included in this section:

Open the FortiGate VM OVF file with the vSphere client

Configure FortiGate VM hardware settings

Open the FortiGate VM OVF file with the vSphere client

To deploy the FortiGate VM OVF template:

  1. Launch the VMware vSphere client, enter the IP address or host name of your server, enter your user name and password and select Login.

The vSphere client home page opens.

  2. Select File > Deploy OVF Template to launch the OVF Template wizard.

The Source page opens.

  3. Select the source location of the OVF file. Select Browse and locate the OVF file on your computer. Select Next to continue.

The OVF Template Details page opens.

  4. Verify the OVF template details. This page details the product name, download size, size on disk, and description. Select Next to continue.

The End User License Agreement page opens.

  5. Read the end user license agreement for FortiGate VM. Select Accept and then select Next to continue.

The Name and Location page opens.

  6. Enter a name for this OVF template. The name can contain up to 80 characters and it must be unique within the inventory folder. Select Next to continue.

The Disk Format page opens.

  7. Select one of the following:
  • Thick Provision Lazy Zeroed: Allocates the disk space statically (no other volumes can take the space), but does not write zeros to the blocks until the first write takes place to that block during runtime (which includes a full disk format).
  • Thick Provision Eager Zeroed: Allocates the disk space statically (no other volumes can take the space), and writes zeros to all the blocks.
  • Thin Provision: Allocates the disk space only when a write occurs to a block, but the total volume size is reported by VMFS to the OS. Other volumes can take the remaining space. This allows you to float space between your servers, and expand your storage when your size monitoring indicates there is a problem. Note that once a Thin Provisioned block is allocated, it remains on the volume regardless of whether you have since deleted data.
  8. Select Next to continue.

The OVF Template Network Mapping page opens.

  9. Map the networks used in this OVF template to networks in your inventory. Network 1 maps to port1 of the FortiGate VM. You must set the destination network for this entry to access the device console. Select Next to continue.

The OVF Template Ready to Complete page opens.

  10. Review the template configuration. Make sure that Power on after deployment is not enabled. You might need to configure the FortiGate VM hardware settings prior to powering on the FortiGate VM.
  11. Select Finish to deploy the OVF template. You will receive a Deployment Completed Successfully dialog box once the FortiGate VM OVF template wizard has finished.

Configure FortiGate VM hardware settings

Before powering on your FortiGate VM you must configure the virtual memory, virtual CPU, and virtual disk configuration to match your FortiGate VM license.




FortiGate VM Overview


The following topics are included in this section:

FortiGate VM models and licensing

Registering FortiGate VM with Customer Service & Support

Downloading the FortiGate VM deployment package

Deployment package contents

Deploying the FortiGate VM appliance

FortiGate VM models and licensing

Fortinet offers the FortiGate VM in five virtual appliance models determined by license. When configuring your FortiGate VM, be sure to configure hardware settings within the ranges outlined below. Contact your Fortinet Authorized Reseller for more information.

FortiGate VM model information

| Technical Specification | FG-VM00 | FG-VM01 | FG-VM02 | FG-VM04 | FG-VM08 |
|---|---|---|---|---|---|
| Virtual CPUs (min / max) | 1 / 1 | 1 / 1 | 1 / 2 | 1 / 4 | 1 / 8 |
| Virtual Network Interfaces (min / max) | 2 / 10 | 2 / 10 | 2 / 10 | 2 / 10 | 2 / 10 |
| Virtual Memory (min / max) | 1GB / 1GB | 1GB / 2GB | 1GB / 4GB | 1GB / 6GB | 1GB / 12GB |
| Virtual Storage (min / max) | 32GB / 2TB | 32GB / 2TB | 32GB / 2TB | 32GB / 2TB | 32GB / 2TB |
| Managed Wireless APs (tunnel mode / global) | 32 / 32 | 32 / 64 | 256 / 512 | 256 / 512 | 1024 / 4096 |
| Virtual Domains (default / max) | 1 / 1 | 10 / 10 | 10 / 25 | 10 / 50 | 10 / 250 |

After placing an order for FortiGate VM, a license registration code is sent to the email address used on the order form. Use the registration number provided to register the FortiGate VM with Customer Service & Support and then download the license file. Once the license file is uploaded to the FortiGate VM and validated, your FortiGate VM appliance is fully functional.


The number of Virtual Network Interfaces is not solely dependent on the FortiGate VM. Some virtual environments have their own limitations on the number of interfaces allowed. As an example, if you go to https://docs.microsoft.com/en-us/azure/virtualnetwork/virtual-networks-multiple-nics, you will find that Azure has its own restrictions for VMs, depending on the type of deployment or even the size of the VM.

FortiGate VM evaluation license

FortiGate VM includes a limited embedded 15-day trial license that supports:

  • 1 CPU maximum
  • 1024 MB memory maximum
  • low encryption only (no HTTPS administrative access)
  • all features except FortiGuard updates

You cannot upgrade the firmware; doing so will lock the Web-based Manager until a license is uploaded. Technical support is not included. The trial period begins the first time you start FortiGate VM. After the trial license expires, functionality is disabled until you upload a license file.

Registering FortiGate VM with Customer Service & Support

To obtain the FortiGate VM license file you must first register your FortiGate VM with Customer Service & Support.

To register your FortiGate VM:

  1. Log in to the Customer Service & Support portal using an existing support account or select Sign Up to create a new account.
  2. In the main page, under Asset, select Register/Renew.

The Registration page opens.

  3. Enter the registration code that was emailed to you and select Register. A registration form will display.
  4. After completing the form, a registration acknowledgement page will appear.
  5. Select the License File Download
  6. You will be prompted to save the license file (.lic) to your local computer. See “Upload the license file” for instructions on uploading the license file to your FortiGate VM via the Web-based Manager.

Downloading the FortiGate VM deployment package

FortiGate VM deployment packages are included with FortiGate firmware images on the Customer Service & Support site. First, see the following table to determine the appropriate VM deployment package for your VM platform.


Selecting the correct FortiGate VM deployment package for your VM platform

| VM Platform | FortiGate VM Deployment File |
|---|---|
| Citrix XenServer v5.6sp2, 6.0 and later | FGT_VM64-v500-buildnnnn-FORTINET.out.CitrixXen.zip |
| OpenXen v3.4.3, 4.1 | FGT_VM64-v500-buildnnnn-FORTINET.out.OpenXen.zip |
| Microsoft Hyper-V Server 2008R2 and 2012 | FGT_VM64-v500-buildnnnn-FORTINET.out.hyperv.zip |
| KVM (qemu 0.12.1) | FGT_VM64-v500-buildnnnn-FORTINET.out.kvm.zip |
| VMware ESX 4.0, 4.1; ESXi 4.0/4.1/5.0/5.1/5.5 | FGT_VM32-v500-buildnnnn-FORTINET.out.ovf.zip (32-bit); FGT_VM64-v500-buildnnnn-FORTINET.out.ovf.zip (64-bit) |

For more information see the FortiGate product datasheet available on the Fortinet web site, http://www.fortinet.com/products/fortigate/virtualappliances.html.

The firmware images FTP directory is organized by firmware version, major release, and patch release. The firmware images in the directories follow a specific naming convention and each firmware image is specific to the device model. For example, the FGT_VM32-v500-build0151-FORTINET.out.ovf.zip image found in the v5.0 Patch Release 2 directory is specific to the FortiGate VM 32-bit environment.

You can also download the FortiOS Release Notes, FORTINET-FORTIGATE MIB file, FSSO images, and SSL VPN client in this directory. The Fortinet Core MIB file is located in the main FortiGate v5.00 directory.

To download the FortiGate VM deployment package:

  1. In the main page of the Customer Service & Support site, select Download > Firmware Images.

The Firmware Images page opens.

  2. In the Firmware Images page, select FortiGate.
  3. Browse to the appropriate directory on the FTP site for the version that you would like to download.
  4. Download the appropriate .zip file for your VM server platform.

You can also download the FortiGate Release Notes.

  5. Extract the contents of the deployment package to a new file folder.

 


Deployment package contents

Citrix XenServer

The FORTINET.out.CitrixXen.zip file contains:

  • vhd: the FortiGate VM system hard disk in VHD format
  • fortios.xva: binary file containing virtual hardware configuration settings
  • in the ovf folder:
    • FortiGate-VM64.ovf: Open Virtualization Format (OVF) template file, containing virtual hardware settings for Xen
    • fortios.vmdk: the FortiGate VM system hard disk in VMDK format
    • datadrive.vmdk: the FortiGate VM log disk in VMDK format

The ovf folder and its contents are an alternative method of installation to the .xva and VHD disk image.

OpenXEN

The FORTINET.out.OpenXen.zip file contains only fortios.qcow2, the FortiGate VM system hard disk in qcow2 format. You will need to manually:

  • create a 32GB log disk
  • specify the virtual hardware settings

Microsoft Hyper-V

The FORTINET.out.hyperv.zip file contains:

  • in the Virtual Hard Disks folder:
    • vhd: the FortiGate VM system hard disk in VHD format
    • DATADRIVE.vhd: the FortiGate VM log disk in VHD format
  • in the Virtual Machines folder:
    • xml: XML file containing virtual hardware configuration settings for Hyper-V. This is compatible with Windows Server 2012.
  • Snapshots folder: optionally, Hyper-V stores snapshots of the FortiGate VM state here

KVM

The FORTINET.out.kvm.zip file contains only fortios.qcow2, the FortiGate VM system hard disk in qcow2 format. You will need to manually:

  • create a 32GB log disk
  • specify the virtual hardware settings

VMware ESX/ESXi

You will need to create a 32GB log disk.

The FORTINET.out.ovf.zip file contains:

  • vmdk: the FortiGate VM system hard disk in VMDK format
  • datadrive.vmdk: the FortiGate VM log disk in VMDK format
  • Open Virtualization Format (OVF) template files:
    • FortiGate-VM64.ovf: OVF template based on Intel e1000 NIC driver
    • FortiGate-VM64.hw04.ovf: OVF template file for older (v3.5) VMware ESX server
    • FortiGate-VMxx.hw07_vmxnet2.ovf: OVF template file for VMware vmxnet2 driver
    • FortiGate-VMxx.hw07_vmxnet3.ovf: OVF template file for VMware vmxnet3 driver

Deploying the FortiGate VM appliance

Prior to deploying the FortiGate VM appliance, the VM platform must be installed and configured so that it is ready to create virtual machines. The installation instructions for FortiGate VM assume that

  • You are familiar with the management software and terminology of your VM platform.
  • An Internet connection is available for FortiGate VM to contact FortiGuard to validate its license or, for closed environments, a FortiManager can be contacted to validate the FortiGate VM license. See “Validate the FortiGate VM license with FortiManager”.

For assistance in deploying FortiGate VM, refer to the deployment chapter in this guide that corresponds to your VMware environment. You might also need to refer to the documentation provided with your VM server. The deployment chapters are presented as examples because for any particular VM server there are multiple ways to create a virtual machine. There are command line tools, APIs, and even alternative graphical user interface tools.

Before you start your FortiGate VM appliance for the first time, you might need to adjust virtual disk sizes and networking settings. The first time you start FortiGate VM, you will have access only through the console window of your VM server environment. After you configure one FortiGate network interface with an IP address and administrative access, you can access the FortiGate VM web-based manager.

After deployment and license validation, you can upgrade your FortiGate VM appliance’s firmware by downloading either FGT_VM32-v500-buildnnnn-FORTINET.out (32-bit) or FGT_VM64-v500-buildnnnn-FORTINET.out (64-bit) firmware. Upgrading firmware on a VM is very similar to upgrading firmware on a hardware FortiGate unit.



FortiOS 5.4 VM Install Guide

Introduction

FortiGate virtual appliances allow you to mitigate blind spots by implementing critical security controls within your virtual infrastructure. They also allow you to rapidly provision security infrastructure whenever and wherever it is needed. FortiGate virtual appliances feature all of the security and networking services common to traditional hardware-based FortiGate appliances. With the addition of virtual appliances from Fortinet, you can deploy a mix of hardware and virtual appliances, operating together and managed from a common centralized management platform.

Document scope

This document describes how to deploy a FortiGate virtual appliance in several virtualization server environments. This includes how to configure the virtual hardware settings of the virtual appliance.

This document assumes:

  • you have already successfully installed the virtualization server on the physical machine,
  • you have installed appropriate VM management software on either the physical server or a computer to be used for VM management.

This document does not cover configuration and operation of the virtual appliance after it has been successfully installed and started. For these issues, see the FortiGate 5.2 Handbook.

This document includes the following sections:

  • FortiGate VM Overview
  • Deployment example – VMware
  • Deployment example – MS Hyper-V
  • Deployment example – KVM
  • Deployment example – OpenXen
  • Deployment example – Citrix XenServer


What’s new in VM in 5.4

New Features in 5.4.0

FGT-VM VCPUs (308297)

Fortinet has now launched licensing for FortiGate VMs that support larger than 8 vCPUs. The new models/licenses include:

  • Support for up to 16 vCPU – FortiGate-VM16
  • Support for up to 32 vCPU – FortiGate-VM32
  • Support for unlimited vCPU – FortiGate-VMUL

Each of these models should be able to support up to 500 VDOMs.

Improvements to License page (382128)

The page has been rewritten with some minor improvements such as:

  • An indicator to show when a VM is waiting for authentication or starting up
  • Shows VM status when license is valid
  • Shows CLI console window when VM is waiting too long for remote registration of server

Citrix XenServer tools support for XenServer VMs (387984)

This support allows users with Citrix XenServer tools to read performance statistics from XenServer clients and to do XenMotion with servers in the same cluster.

There are no changes to the GUI, but there are some changes to the CLI.

A setting has been edited to control the debug level of the XenServer tools daemon:

diag debug application xstoolsd <integer>

Integer = Debug level

An additional setting has been added to set the update frequency for XenServer tools:

config system global
    set xstools-update-frequency <integer>
end

Enter an integer value from 30 to 300 (default = 60).


FOS VM supports more interfaces (393068)

The number of virtual interfaces that the VM version of FortiOS supports has been raised from 3 to 10.

NSX security group importing (403975)

A feature has been added to allow the importation of security group information from VMware’s NSX firewall.

CLI changes:

nsx group list

This is used to list NSX security groups.

Syntax:

execute nsx group list <name of the filter>

nsx group import

This is used to import NSX security groups.

Syntax:

execute nsx group import <vdom> <name of the filter>

nsx group delete

This is used to delete NSX security groups.

Syntax:

execute nsx group delete <vdom> <name of the filter>

nsx.setting.update-period

This is used to set the update period for the NSX security group.

Syntax:

config.nsx.setting.update-period <0 – 3600 in seconds>

0 means disabled.

Default value: 0

Non-vdom VM models FGVM1V/FGVM2V/FGVM4V (405549)

New models of the FortiGate-VM have been introduced. These match up with the existing FortiGate-VM models FG-VM01, FG-VM02 and FG-VM04; the difference is that the new models do not support VDOMs.

| Original FortiGate-VM | New FortiGate-VM without VDOM support |
|---|---|
| FG-VM01 | FG-VM01v |
| FG-VM02 | FG-VM02v |
| FG-VM04 | FG-VM04v |

 




FortiOS 5.6 SSL VPN Troubleshooting

Troubleshooting

This section contains tips to help you with some common challenges of SSL VPNs.

  • Enter the following to display debug messages for SSL VPN:

diagnose debug application sslvpn -1

This command enables debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results.

  • Enter the following command to verify the debug configuration:

diagnose debug info

debug output: disable
console timestamp: disable
console no user log message: disable
sslvpn debug level: -1 (0xffffffff)
CLI debug level: 3

This output verifies that SSL VPN debugging is enabled with a debug level of -1, and shows what filters are in place. The output above indicates that debug output is disabled, so debug messages are not displayed. The output also indicates that debugging has not been enabled for any software systems.

  • Enter the following to enable displaying debug messages:

diagnose debug enable

To view the debug messages, log into the SSL VPN portal. The CLI displays debug output similar to the following:

FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

  • Enter the following to stop displaying debug messages:

diagnose debug disable
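Reading this output by eye works for one session. The following added example (not from the guide) parses it in bulk: it groups lines by their [pid:vdom] prefix and reports, per client, whether the handshake reached "SSL established" and whether it landed on a deprecated protocol or an HMAC-SHA1 suite, as the SSLv3 session above did. The sample lines are constructed in the format shown above, with a second and third session added to show a modern suite and an incomplete handshake.

```python
import re

# Constructed sample in the format of the debug output above; not a real capture.
SAMPLE = """\
FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
[283:root]SSL state:before/accept initialization (10.0.0.5)
[283:root]SSL state:SSLv3 read client hello A (10.0.0.5)
[284:root]SSL state:before/accept initialization (10.0.0.6)
[283:root]SSL state:SSL negotiation finished successfully (10.0.0.5)
[283:root]SSL established: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
[284:root]SSL state:SSLv3 read client hello A (10.0.0.6)
"""

# [pid:vdom]SSL <body>; search() rather than match() because the first line
# still carries the CLI prompt in front of the bracket.
LINE_RE = re.compile(r"\[(?P<pid>\d+):(?P<vdom>[^\]]+)\]SSL (?P<body>.*)$")
STATE_RE = re.compile(r"state:(?P<state>.*?)\s*\((?P<client>[\d.]+)\)$")
ESTAB_RE = re.compile(r"established: (?P<cipher>\S+) (?P<proto>\S+) Kx=(?P<kx>\S+) "
                      r"Au=(?P<au>\S+) Enc=(?P<enc>\S+) Mac=(?P<mac>\S+)")

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL prints ephemeral DHE/ECDHE suites as Kx=DH / Kx=ECDH; Kx=RSA is RSA
# key transport, which gives no forward secrecy.
FORWARD_SECRET_KX = {"DH", "ECDH"}


def parse_sslvpn_debug(text):
    """Group '[pid:vdom]SSL ...' lines into one record per handshake, in the
    order each pid first appears; interleaved sessions are kept apart."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        key = (int(m["pid"]), m["vdom"])
        s = sessions.setdefault(key, {"pid": key[0], "vdom": key[1], "client": None,
                                      "states": [], "established": None})
        body = m["body"].strip()
        st = STATE_RE.match(body)
        if st:
            s["client"] = st["client"]
            s["states"].append(st["state"].strip())
            continue
        es = ESTAB_RE.match(body)
        if es:
            s["established"] = es.groupdict()
    return list(sessions.values())


def handshake_findings(session):
    """Per session: did the handshake finish, and on what terms."""
    est = session["established"]
    client = session["client"]
    if est is None:
        return [f"{client}: handshake never reached 'SSL established'"]
    findings = []
    if est["proto"] in WEAK_PROTOCOLS:
        findings.append(f"{client}: deprecated protocol {est['proto']}")
    if est["mac"] == "SHA1":
        findings.append(f"{client}: HMAC-SHA1 cipher suite {est['cipher']}")
    if est["kx"] not in FORWARD_SECRET_KX:
        findings.append(f"{client}: no forward secrecy (Kx={est['kx']})")
    return findings


def review(text):
    """Map pid -> findings for every session in a debug capture."""
    return {s["pid"]: handshake_findings(s) for s in parse_sslvpn_debug(text)}


if __name__ == "__main__":
    for pid, findings in review(SAMPLE).items():
        print(pid, findings or "ok")
```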

The following is a list of potential issues. The suggestions below are not exhaustive, and may not reflect your network topology.

There is no response from the SSL VPN URL.

  • Go to VPN > SSL-VPN Settings and check the SSL VPN port assignment. Also, verify that the SSL VPN policy is configured correctly.
  • Check the URL you are attempting to connect to. It should follow this pattern:

https://<FortiGate IP>:<Port>/remote/login

  • Ensure that you are using the correct port number in the URL.

FortiClient cannot connect.

Read the Release Notes to ensure that the version of FortiClient you are using is compatible with your version of FortiOS.

Tunnel-mode connection shuts down after a few seconds.

This issue can occur when there are multiple interfaces connected to the Internet (for example, a dual WAN). Upgrade to the latest firmware then use the following CLI command:

config vpn ssl settings
    set route-source-interface enable
end

When you attempt to connect using FortiClient or in Web mode, you are returned to the login page, or you receive the following error message: “Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12).”

  • Ensure that cookies are enabled in your browser.
  • If you are using a remote authentication server, ensure that the FortiGate is able to communicate with it.
  • Access to the web portal or tunnel will fail if Internet Explorer has the privacy Internet Options set to High. If set to High, Internet Explorer will block cookies that do not have a compact privacy policy, and that use personally identifiable information without your explicit consent.

You receive an error message stating: “Destination address of Split Tunneling policy is invalid.”

The SSL VPN security policy uses the ALL address as its destination. Change the address to that of the protected network instead.

The tunnel connects but there is no communication.

Go to Network > Static Routes and ensure that there is a static route to direct packets destined for the tunnel users to the SSL VPN interface.

You can connect remotely to the VPN tunnel but are unable to access the network resources.

Go to Policy & Objects > IPv4 Policy and examine the policy allowing VPN access to the local network. If the destination address is set to all, create a firewall address for the internal network. Change the destination address and attempt to connect remotely again.

Users are unable to download the SSL VPN plugin.

Go to VPN > SSL-VPN Portals to make sure that the option to Limit Users to One SSL-VPN Connection at a Time is disabled. This allows users to connect to the resources on the portal page while also connecting to the VPN through FortiClient.

Users are being assigned to the wrong IP range.

Ensure that the same IP Pool is used in VPN Portal and VPN Settings to avoid conflicts. If there is a conflict, the portal settings will be used.
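Several of the issues above are visible in the configuration before anyone connects: an SSL VPN policy whose destination is all, a portal IP pool that differs from the one in VPN Settings, and route-source-interface left disabled on a multi-WAN unit. The following added example (not from the guide) parses a constructed FortiOS-style configuration fragment and flags those three conditions; route-source-interface is the only key taken from this page, the other key names are assumed from FortiOS CLI conventions.

```python
import shlex

# Constructed FortiOS-style fragment seeded with the misconfigurations the
# troubleshooting entries describe. Key names other than route-source-interface
# are assumed, not taken from the guide.
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
    next
end
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR2"
    set route-source-interface disable
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set groups "SSL VPN"
        set action accept
    next
    edit 2
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Head office server"
        set groups "Tunnel"
        set action accept
    next
end
"""


def parse_fortios_config(text):
    """Turn config/edit/set/next/end blocks into nested dicts:
    'config a b' -> {'a b': {...}}, 'edit X' -> {'X': {...}},
    'set k v ...' -> {'k': [v, ...]}. shlex keeps quoted names with spaces whole."""
    root, stack = {}, []
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        kw, args = words[0], words[1:]
        cur = stack[-1] if stack else root
        if kw == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif kw == "set":
            cur[args[0]] = args[1:]
        elif kw in ("next", "end") and stack:
            stack.pop()
    return root


def sslvpn_findings(cfg):
    """Apply the three checks from the troubleshooting list to a parsed config."""
    findings = []
    settings = cfg.get("vpn ssl settings", {})
    portals = cfg.get("vpn ssl web portal", {})
    policies = cfg.get("firewall policy", {})

    # Policy destination 'all' -> "Destination address of Split Tunneling policy
    # is invalid" and no access to internal resources.
    for pid, pol in policies.items():
        if "ssl.root" in pol.get("srcintf", []) and pol.get("dstaddr") == ["all"]:
            findings.append(f"policy {pid}: destination address is 'all'; "
                            "use the protected network address")

    # Users in the wrong IP range -> portal and VPN Settings pools must match.
    settings_pools = set(settings.get("tunnel-ip-pools", []))
    for name, portal in portals.items():
        pools = set(portal.get("ip-pools", []))
        if pools and settings_pools and pools != settings_pools:
            findings.append(f"portal {name}: ip-pools {sorted(pools)} do not match "
                            f"settings tunnel-ip-pools {sorted(settings_pools)}")

    # Tunnel drops after a few seconds on dual-WAN units.
    if settings.get("route-source-interface", ["disable"]) != ["enable"]:
        findings.append("vpn ssl settings: route-source-interface is disabled "
                        "(enable it on multi-WAN units)")
    return findings


if __name__ == "__main__":
    for line in sslvpn_findings(parse_fortios_config(SAMPLE_CONFIG)):
        print(line)
```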


Flow-based (vdom) AntiVirus profiles in SSL VPN web mode limitation

In flow mode vdom, SSL VPN web mode doesn’t block antivirus even when av-profile is set (however, SSL VPN tunnel mode AV profile does work).

Sending tunnel statistics to FortiAnalyzer

By default, logged events include tunnel-up and tunnel-down status events. Other events, by default, will appear in the FortiAnalyzer report as “No Data Available”. More accurate results require logs with action=tunnelstats, which is used in generating reports on the FortiAnalyzer (rather than the tunnel-up and tunnel-down event logs). The FortiGate does not, by default, send tunnel-stats information.

To allow VPN tunnel-stats to be sent to FortiAnalyzer, configure the FortiGate unit as follows using the CLI:

config system settings
    set vpn-stats-log ipsec ssl
    set vpn-stats-period 300
end



FortiOS 5.6 SSL VPN Setup examples

Setup examples

The examples in this chapter demonstrate the basic configurations needed for common connections to the SSL VPN tunnel and portals, applying the steps outlined in Basic configuration on page 17.

The following examples are included:

Secure Internet browsing

Split Tunnel

Multiple user groups with different access permissions

Client device certificate authentication with multiple groups

Secure Internet browsing

This example sets up an SSL VPN tunnel that provides remote users the ability to access the Internet while traveling, and ensures that they are not subject to malware and other dangers, by using the corporate firewall to filter all of their Internet traffic. Essentially, the remote user will connect to the corporate FortiGate unit to surf the Internet.

Using SSL VPN and FortiClient SSL VPN software, you create a means to use the corporate FortiGate to browse the Internet safely.

Creating an SSL VPN IP pool and SSL VPN web portal

  1. Go to VPN > SSL-VPN Portals and select tunnel-access.
  2. Disable Split Tunneling.
  3. For Source IP Pools select SSLVPN_TUNNEL_ADDR1.
  4. Select OK.

Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group configured for SSL VPN use.

  1. Go to User & Device > User Definition and select Create New to add the user:
     User Name: twhite
     Password: password
  2. Select OK.
  3. Go to User & Device > User Groups and select Create New to add twhite to a group called SSL VPN:
     Name: SSL VPN
     Type: Firewall
  4. Move twhite to the Members
  5. Select OK.

Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

  1. Go to Network > Static Routes and select Create New to add the static route:
     Destination IP/Mask: 10.212.134.0/255.255.255.0
     Device: ssl.root
  2. Select OK.

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Add an SSL VPN security policy as below, and click OK.
     Incoming Interface: ssl.root
     Outgoing Interface: internal
     Source Address: all
     Source User Group: SSL VPN
     Destination: all
  3. Select OK.


Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the remote user:
     Users/Groups: Tunnel
     Portal: tunnel-access
  3. Select OK and Apply.

Results

Using the FortiClient SSLVPN application, access the VPN using the address https://172.20.120.136:443/ and log in as twhite. Once connected, you can browse the Internet.

From the FortiGate web-based manager, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects to the Internet.

Split Tunnel

In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate. Split tunneling is enabled by default for SSL VPN on FortiGate units.

The solution below describes how to configure FortiGate SSL VPN split tunneling using the FortiClient SSL VPN software, available from the Fortinet Support site.

Without split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user’s PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.

In short, enabling split tunneling protects the head office from potentially harmful access and external threats that may occur as a result of the end user’s indiscretion while browsing the Internet. By contrast, disabling split tunneling protects the end user by forcing all their Internet traffic to pass through the FortiGate firewall.

Creating a firewall address for the head office server

  1. Go to Policy & Objects > Addresses, select Create New and add the head office server address:
     Category: Address
     Name: Head office server
     Type: Subnet
     Subnet / IP Range: 192.168.1.12
     Interface: Internal
  2. Select OK.

Creating an SSL VPN IP pool and SSL VPN web portal

  1. Go to VPN > SSL-VPN Portals and select tunnel-access.
  2. Enter the following:
     Name: Connect to head office server
     Enable Tunnel Mode: Enable
     Enable Split Tunneling: Enable
     Routing Address: Internal
     Source IP Pools: SSLVPN_TUNNEL_ADDR1
  3. Select OK.

Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group.

  1. Go to User & Device > User Definition, select Create New and add the user:
     User Name: twhite
     Password: password
  2. Select OK.
  3. Go to User & Device > User Groups and select Create New to add the new user to the SSL VPN user group:
     Name: Tunnel
     Type: Firewall
  4. Move twhite to the Members list.
  5. Select OK.

Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

  1. Go to Network > Static Routes and select Create New:
     Destination IP/Mask: 10.212.134.0/255.255.255.0
     Device: ssl.root
  2. Select OK.

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Complete the following:
     Incoming Interface: ssl.root
     Source Address: all
     Source User(s): Tunnel
     Outgoing Interface: internal
     Destination Address: Head office server
  3. Select OK.
  4. Add a security policy that allows remote SSL VPN users to connect to the Internet.
  5. Select Create New.
  6. Complete the following and select OK:
     Incoming Interface: ssl.root
     Source Address: all
     Source User(s): Tunnel
     Outgoing Interface: wan1
     Destination Address: all
     Schedule: always
     Service: ALL
     Action: ACCEPT

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the remote user:
     Users/Groups: Tunnel
     Portal: tunnel-access
  3. Select OK and Apply.

Results

Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address https://172.20.120.136:443/ and log in with the twhite user account. Once connected, you can connect to the head office server or browse to web sites on the Internet.

From the web-based manager, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects SSL VPN sessions to the Internet.

Multiple user groups with different access permissions

You might need to provide access to several user groups with different access permissions. Consider the following example topology in which users on the Internet have controlled access to servers and workstations on private networks behind a FortiGate unit. In this example configuration, there are two users:

  • User1 can access the servers on Subnet_1.
  • User2 can access the workstation PCs on Subnet_2.

You could easily add more users to either user group to provide them access to the user group’s assigned web portal.

General configuration steps

  1. Create firewall addresses for:
    • The destination networks.
    • Two non-overlapping tunnel IP address ranges that the FortiGate unit will assign to tunnel clients in the two user groups.
  2. Create two web portals.
  3. Create two user accounts, User1 and User2.
  4. Create two user groups. For each group, add a user as a member and select a web portal. In this example, User1 will belong to Group1, which will be assigned to Portal1 (similar configuration for User2).
  5. Create security policies:
    • Two SSL VPN security policies, one to each destination.
    • Two tunnel-mode policies to allow each group of users to reach its permitted destination network.
  6. Create the static route to direct packets for the users to the tunnel.

Creating the firewall addresses

Security policies do not accept direct entry of IP addresses and address ranges. You must define firewall addresses in advance.

Creating the destination addresses

SSL VPN users in this example can access either Subnet_1 or Subnet_2.

To define destination addresses – web-based manager:

  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK:
     Name: Subnet_1
     Type: Subnet
     Subnet/IP Range: 10.11.101.0/24
     Interface: port2
  3. Select Create New, enter the following information, and select OK:
     Name: Subnet_2
     Type: Subnet
     Subnet/IP Range: 10.11.201.0/24
     Interface: port3

Creating the tunnel client range addresses

To accommodate the two groups of users, split an otherwise unused subnet into two ranges. The tunnel client addresses must not conflict with each other or with other addresses.

To define tunnel client addresses – web-based manager:

  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK:
     Name: Tunnel_group1
     Type: IP Range
     Subnet/IP Range: 10.11.254.1-10.11.254.50
     Interface: Any
  3. Select Create New, enter the following information, and select OK:
     Name: Tunnel_group2
     Type: IP Range
     Subnet/IP Range: 10.11.254.51-10.11.254.100
     Interface: Any

Creating the web portals

To accommodate two different sets of access permissions, you need to create two web portals, portal1 and portal2, for example. Later, you will create two SSL VPN user groups, one to assign to portal1 and the other to assign to portal2.

To create the portal1 web portal:

  1. Go to VPN > SSL-VPN Portals and select Create New.
  2. Enter portal1 in the Name field.
  3. In Source IP Pools, select Tunnel_group1.
  4. Select OK.

To create the portal2 web portal:

  1. Go to VPN > SSL-VPN Portals and select Create New.
  2. Enter portal2 in the Name field.
  3. In Source IP Pools, select Tunnel_group2.
  4. Select OK.

Later, you can configure these portals with bookmarks and enable connection tool capabilities for the convenience of your users.

Creating the user accounts and user groups

After enabling SSL VPN and creating the web portals that you need, you need to create the user accounts and then the user groups that require SSL VPN access.

Go to User & Device > User Definition and create user1 and user2 with password authentication. After you create the users, create the SSL VPN user groups.

To create the user groups – web-based manager:

  1. Go to User & Device > User Groups.
  2. Select Create New and enter the following information:
     Name: Group1
     Type: Firewall
  3. From the Available list, select User1 and move it to the Members list by selecting the right arrow button.
  4. Select OK.
  5. Repeat steps 2 through 4 to create Group2, assigned to Portal2, with User2 as its only member.

Creating the security policies

You need to define security policies to permit your SSL VPN clients, web-mode or tunnel-mode, to connect to the protected networks behind the FortiGate unit. Before you create the security policies, you must define the source and destination addresses to include in the policy. See Creating the firewall addresses.

Two types of security policy are required:

  • An SSL VPN policy enables clients to authenticate and permits a web-mode connection to the destination network. In this example, there are two destination networks, so there will be two SSL VPN policies. The authentication ensures that only authorized users can access the destination network.
  • A tunnel-mode policy is a regular ACCEPT security policy that enables traffic to flow between the SSL VPN tunnel interface and the protected network. Tunnel-mode policies are required if you want to provide tunnel-mode connections for your clients. In this example, there are two destination networks, so there will be two tunnel-mode policies.

To create the SSL VPN security policies – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and click OK:
     Incoming Interface: ssl.root (sslvpn tunnel interface)
     Source Address: All
     Source User(s): Group1
     Outgoing Interface: port2
     Destination Address: Subnet_1
     Service: All
  3. Select Create New.
  4. Enter the following information:
     Incoming Interface: ssl.root (sslvpn tunnel interface)
     Source Address: All
     Source User(s): Group2
     Outgoing Interface: port3
     Destination Address: Subnet_2
     Service: All
  5. Click OK.

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the first remote group:
     Users/Groups: Group1
     Portal: Portal1
  3. Select OK and Apply.
  4. Select Create New and add an authentication rule for the second remote group:
     Users/Groups: Group2
     Portal: Portal2
  5. Select OK and Apply.

To create the tunnel-mode security policies – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information, and select OK:
     Incoming Interface: ssl.root (sslvpn tunnel interface)
     Source Address: Tunnel_group1
     Source User(s): Group1
     Outgoing Interface: port2
     Destination Address: Subnet_1
     Service: All
     Action: ACCEPT
     Enable NAT: Enable
  3. Select Create New.
  4. Enter the following information, and select OK:
     Incoming Interface: ssl.root (sslvpn tunnel interface)
     Source Address: Tunnel_group2
     Source User(s): Group2
     Outgoing Interface: port3
     Destination Address: Subnet_2
     Service: All
     Action: ACCEPT
     Enable NAT: Enable

Create the static route to tunnel mode clients

Reply packets destined for tunnel mode clients must pass through the SSL VPN tunnel. You need to define a static route to allow this.

To add a route to SSL VPN tunnel mode clients – web-based manager:

  1. Go to Network > Static Routes and select Create New.
  2. Enter the following information and select OK:
     Destination IP/Mask: 10.11.254.0/24 (this range covers both ranges that you assigned to SSL VPN tunnel-mode users; see Creating the tunnel client range addresses)
     Device: Select the SSL VPN virtual interface, ssl.root for example.
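The address ranges, portals, authentication rules, tunnel-mode policies and static route above all have to agree with each other. The following added Python example (not FortiOS or Fortinet code) models this page's values and checks those dependencies before they are committed: that Tunnel_group1 and Tunnel_group2 overlap neither each other nor Subnet_1 and Subnet_2, that the 10.11.254.0/24 route covers both pools, and that each group's tunnel-mode policy uses the pool its portal assigns. The names and addresses are the page's own; the check functions are the example's own construction.

```python
"""Consistency checks for the two-group SSL VPN tunnel design described above.

Added example, not FortiOS or Fortinet code: it models the firewall addresses,
portals, authentication rules, tunnel-mode policies and static route from the
text and verifies that they fit together before they are pushed to the FortiGate.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, summarize_address_range


@dataclass(frozen=True)
class IPRange:
    """A firewall address of Type 'IP Range' (first and last are inclusive)."""
    name: str
    first: IPv4Address
    last: IPv4Address

    def overlaps_range(self, other: "IPRange") -> bool:
        return self.first <= other.last and other.first <= self.last

    def overlaps_network(self, net: IPv4Network) -> bool:
        blocks = summarize_address_range(self.first, self.last)
        return any(block.overlaps(net) for block in blocks)

    def within(self, net: IPv4Network) -> bool:
        return self.first in net and self.last in net


def parse_range(name: str, text: str) -> IPRange:
    """Build an IPRange from the GUI's 'first-last' Subnet/IP Range syntax."""
    first, last = (IPv4Address(part.strip()) for part in text.split("-"))
    if last < first:
        raise ValueError(f"{name}: range end precedes its start")
    return IPRange(name, first, last)


# Values taken from the example configuration on this page.
TUNNEL_POOLS = {"Tunnel_group1": "10.11.254.1-10.11.254.50",
                "Tunnel_group2": "10.11.254.51-10.11.254.100"}
DESTINATIONS = {"Subnet_1": "10.11.101.0/24", "Subnet_2": "10.11.201.0/24"}
PORTALS = {"portal1": "Tunnel_group1", "portal2": "Tunnel_group2"}  # Source IP Pools
AUTH_RULES = {"Group1": "portal1", "Group2": "portal2"}              # Users/Groups -> Portal
TUNNEL_POLICIES = [  # (Source User(s), Source Address, Destination Address)
    ("Group1", "Tunnel_group1", "Subnet_1"),
    ("Group2", "Tunnel_group2", "Subnet_2"),
]
STATIC_ROUTE = ("10.11.254.0/24", "ssl.root")  # Destination IP/Mask, Device


def check_design(pools=TUNNEL_POOLS, dests=DESTINATIONS, portals=PORTALS,
                 auth_rules=AUTH_RULES, policies=TUNNEL_POLICIES,
                 route=STATIC_ROUTE):
    """Return a list of problems; an empty list means the design is consistent."""
    ranges = {name: parse_range(name, text) for name, text in pools.items()}
    subnets = {name: IPv4Network(text) for name, text in dests.items()}
    route_net, device = IPv4Network(route[0]), route[1]
    problems = []

    # 1. Tunnel client ranges must not overlap each other (a client in Group2
    #    could otherwise match Group1's tunnel-mode policy) ...
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a].overlaps_range(ranges[b]):
                problems.append(f"pools {a} and {b} overlap")
    # ... nor any protected network (clients would collide with real hosts).
    for pname, rng in ranges.items():
        for dname, net in subnets.items():
            if rng.overlaps_network(net):
                problems.append(f"pool {pname} overlaps destination {dname}")

    # 2. The static route must cover every pool, or replies never reach the tunnel.
    for pname, rng in ranges.items():
        if not rng.within(route_net):
            problems.append(f"static route {route_net} does not cover pool {pname}")
    if not device.startswith("ssl."):
        problems.append(f"static route device {device} is not an SSL VPN interface")

    # 3. Each group's tunnel-mode policy must use the pool its portal hands out,
    #    otherwise the tunnel comes up but every packet is dropped by policy.
    for group, source_addr, dest in policies:
        portal = auth_rules.get(group)
        if portal is None:
            problems.append(f"group {group} has no authentication rule")
            continue
        expected = portals[portal]
        if source_addr != expected:
            problems.append(f"policy for {group} uses {source_addr} but portal "
                            f"{portal} assigns {expected}")
        if dest not in subnets:
            problems.append(f"policy for {group} references unknown address {dest}")
    return problems


if __name__ == "__main__":
    for line in check_design() or ["design is consistent"]:
        print(line)
```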

Client device certificate authentication with multiple groups

In the following example, we require clients connecting to a FortiGate SSL VPN to have a device certificate installed on their machine in order to authenticate to the VPN.

Employees (in a specific OU in AD) will be required to have a device certificate to connect, while vendors (in a separate OU in AD) will not be required to have a device certificate.

This can only be performed in the CLI console.

The authentication-rule option is only available in the CLI, as an advanced setting that meets this requirement; it is not available in the GUI. So in VPN > SSL-VPN Settings, do not enable Require Client Certificate; instead, selectively enable client-cert in each authentication-rule through the CLI according to the requirements.

Configuring SSL VPN shared settings and authentication rules – CLI:

The following example assumes that remote LDAP users/groups have been pre-configured.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "Employees"
            set portal "full-access"
            set client-cert enable
        next
        edit 2
            set source-interface "wan1"
            set source-address "all"
            set groups "Vendors"
            set portal "full-access"
            set client-cert disable    <-- Set by default and will not be displayed.
        next
    end
end

Configure the remainder of the SSL VPN tunnel as normal (creating a firewall policy allowing SSL VPN access to the internal network, including the VPN groups, necessary security profiles, etc.).

If configured correctly, only the ‘Employees’ group should require a client certificate to authenticate to the VPN.
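Because a rule's client-cert disable line is not displayed, reading the running configuration to confirm which groups are really forced to present a certificate is error-prone. The following added Python example (not Fortinet code) parses a config vpn ssl settings block in the CLI syntax shown above and reports the per-rule result; the sample configuration embedded in it is constructed to mirror the example, and it also honours the reqclientcert setting (the CLI name of the GUI's Require Client Certificate option), which when enabled forces a certificate for every rule.

```python
"""Audit which SSL VPN authentication rules require a device certificate.

Added example, not Fortinet code: it parses a 'config vpn ssl settings' block
written in FortiOS CLI syntax (as shown above) and reports, per
authentication-rule, whether the matched group must present a client
certificate.  A rule with no explicit 'set client-cert' line counts as disabled,
which is the default the text notes is not displayed.
"""
import shlex

# Constructed sample mirroring the configuration above.  'reqclientcert' is
# the CLI name of the GUI's 'Require Client Certificate' setting; it is left
# at its default (disabled) here, as the text recommends.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "Employees"
            set portal "full-access"
            set client-cert enable
        next
        edit 2
            set source-interface "wan1"
            set source-address "all"
            set groups "Vendors"
            set portal "full-access"
        next
    end
end
"""


def parse_fortios(text: str) -> dict:
    """Parse FortiOS CLI text into nested dicts.

    'config <table>' and 'edit <id>' each open a nested dict, 'set <key> <v...>'
    stores the values as a list, and 'next' / 'end' close the current level.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)  # honours the quoted values FortiOS emits
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set" and args:
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{cmd}' in configuration")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("configuration block not closed with 'end'")
    return root


def client_cert_requirements(config: dict) -> dict:
    """Map each authentication-rule id to (groups, certificate_required)."""
    settings = config.get("vpn ssl settings", {})
    # The global setting forces a certificate for every rule, which is why the
    # text says to leave it off and use the per-rule option instead.
    global_req = settings.get("reqclientcert", ["disable"])[0] == "enable"
    result = {}
    for rule_id, rule in settings.get("authentication-rule", {}).items():
        per_rule = rule.get("client-cert", ["disable"])[0] == "enable"
        result[rule_id] = (tuple(rule.get("groups", [])), global_req or per_rule)
    return result


def groups_requiring_cert(config: dict) -> list:
    """Sorted names of groups that cannot connect without a device certificate."""
    return sorted(group
                  for groups, required in client_cert_requirements(config).values()
                  if required for group in groups)


if __name__ == "__main__":
    audit = client_cert_requirements(parse_fortios(SAMPLE_CONFIG))
    for rule_id, (groups, required) in audit.items():
        print(f"rule {rule_id}: groups={groups} client certificate required={required}")
```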



FortiOS 5.6 The SSL VPN web portal

The SSL VPN web portal

This chapter explains how to use and configure the web portal features. This chapter is written for end users as well as administrators.

The following topics are included:

Connecting to the FortiGate unit

Web portal overview

Portal configuration

Using the Bookmarks widget

Using the Quick Connection Tool

Using the SSL VPN virtual desktop

Using FortiClient

Connecting to the FortiGate unit

You can connect to the FortiGate unit using a web browser. The URL of the FortiGate interface may vary from one installation to the next. If required, ask your FortiGate administrator for the URL of the FortiGate unit, and obtain a user name and password. You can connect to the web portal using an Android phone, iPhone, or iPad. The FortiGate unit will display the content of the portal to fit the device’s screen.

In addition, if you will be using a personal or group security (X.509) certificate to connect to the FortiGate unit, your web browser may prompt you for the name of the certificate. Your FortiGate administrator can tell you which certificate to select.

To log into the secure FortiGate HTTP gateway

  1. Using the web browser on your computer, browse to the URL of the FortiGate unit (for example, https://<FortiGate_IP_address>:443/remote/login). The FortiGate unit may offer you a self-signed security certificate. If you are prompted to proceed, select Yes.

A second message may be displayed to inform you that the FortiGate certificate distinguished name differs from the original request. This message is displayed because the FortiGate unit is attempting to redirect your web browser connection. You can ignore the message.

  2. When you are prompted for your user name and password:
    • In the Name field, type your user name.
    • In the Password field, type your password.
  3. Select Login.

The FortiGate unit will redirect your web browser to the FortiGate SSL VPN web portal home page automatically.

Web portal overview

After logging in to the web portal, the remote user is presented with a web portal page similar to the following:

Figure: Portal

Various widgets provide the web portal’s features:

  • Session Information displays the elapsed time since login and the volume of HTTP and HTTPS traffic, both inbound and outbound.
  • Quick Connection enables you to connect to network resources without using or creating a bookmark.
  • Download FortiClient provides access to the FortiClient tunnel application for various operating systems.
  • Bookmarks provides links to network resources. You can use the administrator-defined bookmarks and you can add your own bookmarks.

While using the web portal, you can select the Help button to get information to assist you in using the portal features. This information displays in a separate browser window.

When you have finished using the web portal, select the Logout button in the top right corner of the portal window.

Portal configuration

The SSL VPN web portal enables users to access network resources through a secure channel using a web browser. Fortinet administrators can configure log in privileges for system users and which network resources are available to the users.

The portal configuration determines what the user sees when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.

There are three pre-defined default web portal configurations available:

  • full-access: Includes all widgets available to the user – Session Information, Tunnel Mode options, Connection Launcher, Remote Desktop, and Predefined Bookmarks.
  • tunnel-access: Includes Session Information and Tunnel Mode.
  • web-access: Includes Session Information and Predefined Bookmarks.

You can also create your own web portal to meet your corporate requirements.

Portal page

Create New: Creates a new web portal.
Edit: Select a portal from the list to enable the Edit option, and modify the portal configuration.
Delete: Removes a portal configuration. To remove multiple portals from the list, select the check box beside the portal names, then select Delete.
Name: The name of the web portal.
Ref.: Displays the number of times the object is referenced in other configurations on the FortiGate unit, such as security policies. To view the location of the referenced object, select the number in the Ref. column. To view more information about how the object is used, select one of:
  • View the list page for these objects – automatically redirects you to the list page where the object is referenced.
  • Edit this object – modifies settings within that particular setting that the object is referenced with.
  • View the details for this object – similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with.

Portal settings

A web portal defines SSL VPN user access to network resources. The portal configuration determines what SSL VPN users see when they log in to the unit. Both the Fortinet administrator and the SSL VPN user have the ability to customize the web portal settings. Portal settings are configured in VPN > SSL-VPN Portals.

The following settings are available; they allow you to configure general and security console options for your web portal.

Portal

Name: The name for the portal.
Limit Users to One SSL-VPN Connection at a Time: You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again. This option is disabled by default.
Tunnel Mode: These settings determine how tunnel mode clients are assigned IPv4 addresses.
Enable Split Tunneling: Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user’s other traffic follows its normal route. If you enable split tunneling, you are required to set the Routing Address, which is the address that your corporate network is using. Traffic intended for the Routing Address will not be split from the tunnel.
Source IP Pools: Select an IP Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.
Tunnel Mode Client Options: These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.
  • Allow client to save password – When enabled, if the user selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.
  • Allow client to connect automatically – When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.
  • Allow client to keep connections alive – When enabled, if the user selects this option, the FortiClient should try to reconnect once it detects the VPN connection is down unexpectedly (not manually disconnected by user).
Enable Web Mode: Select to enable web mode access.
Portal Message: This is a text header that appears on the top of the web portal.
Theme: Select a color styling specifically for the web portal.
Show Session Information: The Show Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.
Show Connection Launcher: Displays the Connection Launcher widget in the web portal.
Show Login History: Select to include user login history on the web portal.
User Bookmarks: Enable to allow users to add their own bookmarks in the web portal.
Predefined Bookmarks: Select to include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a bookmark is selected from a bookmark list, a pop-up window appears with the web page. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file browser.

Predefined Bookmarks

Bookmarks are used as links to specific resources on the network. When a bookmark is selected from a bookmark list, a pop-up window appears with the requested web page. Telnet, RDP, and VNC pop up a window that requires a browser plug-in. FTP and Samba replace the bookmarks page with an HTML file-browser.

Note that the RDP/VNC web portals are not supported for the following platforms:

Platform: Model
FortiGate: 80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C, 3240C, 3600C, and 5001C
FortiGate-Rugged: 90D
FortiWiFi: 92D

A web bookmark can include login credentials to automatically log the SSL VPN user into the web site. When the administrator configures bookmarks, the web site credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the web site.

Applications available in the web portal

Depending on the web portal configuration and user group settings, one or more of the following server applications are available to you through Predefined Bookmarks, as well as the Quick Connection widget:

  • Citrix makes use of SOCKS so that the Citrix client can connect to the SSL VPN port forward module to provide the connection.
  • FTP (File Transfer Protocol) enables you to transfer files between your computer and a remote host.
  • HTTP/HTTPS accesses web pages.
  • Port Forward provides the middle ground between web mode and tunnel mode. When the SSL VPN receives data from a client application, the data is encrypted and sent to the FortiGate unit, which then forwards the traffic to the application server.
  • RDP (Remote Desktop Protocol), similar to VNC, enables you to remotely control a computer running Microsoft Terminal Services.
  • SMB/CIFS implements the Server Message Block (SMB) protocol to support file sharing between your computer and a remote server host.
  • SSH (Secure Shell) enables you to exchange data between two computers using a secure channel.
  • TELNET (Teletype Network emulation) enables you to use your computer as a virtual text-only terminal to log in to a remote host.
  • VNC (Virtual Network Computing) enables you to remotely control another computer, for example, accessing your work computer from your home computer.

Some server applications may prompt you for a user name and password. You must have a user account created by the server administrator so that you can log in.

Group-based SSL VPN bookmarks

The administrator can add bookmarks for groups of users. SSL VPN will only output the matched group-name entry to the client. This can only be done via the CLI.

To add group-based SSL VPN bookmarks – CLI:

config vpn ssl web portal
    edit "portal-name"
        set user-group-bookmark [enable | disable]
    next
end

config vpn ssl web user-group-bookmark
    edit "group-name"
        config bookmark
            edit "bookmark1"
                ....
            next
        end
    next
end

Using the Bookmarks widget

The Bookmarks widget shows both administrator-configured and user-configured bookmarks. Administrator bookmarks cannot be altered but you can add, edit or delete user bookmarks.

Bookmarks widget

The FortiGate unit forwards client requests to servers on the Internet or internal network. To use the web-portal applications, you add the URL, IP address, or name of the server application to the My Bookmarks list. For more information, see Adding bookmarks.

If you want to access a web server or telnet server without first adding a bookmark to the My Bookmarks list, use the Connection Tool instead. For more information, see Using the Quick Connection Tool.

Adding bookmarks

You can add frequently used connections as bookmarks. Afterward, select any hyperlink from the Bookmarks list to initiate a session.

To add a bookmark

  1. In the web portal, select New Bookmark.
  2. Enter the following information:
     Name: Enter the name to display in the Bookmarks list.
     Type: Select the abbreviated name of the server application or network service from the drop-down list.
     Location: Enter the IP address or FQDN of the server application or network service. For RDP connections, you can append some parameters to control screen size and keyboard layout. See To start an RDP session under Using the Quick Connection Tool.
     Description: Optionally enter a short description. The description displays when you pause the mouse pointer over the hyperlink.
     SSO: Single Sign On (SSO) is available for HTTP/HTTPS bookmarks only.
        Disabled — This is not an SSO bookmark.
        Automatic — Use your SSL VPN credentials or an alternate set. See the SSO Credentials field.
        Static — Supply credentials and other required information (such as an account number) to a web site that uses an HTML form for authentication. You provide a list of the form field names and the values to enter into them. This method does not work for sites that use HTTP authentication, in which the browser opens a pop-up dialog box requesting credentials.
     SSO fields:
     SSO Credentials: SSL VPN Login — Use your SSL VPN login credentials. Alternative — Enter Username and Password below.
     Username: Alternative username. Available if SSO Credentials is Alternative.
     Password: Alternative password. Available if SSO Credentials is Alternative.
     Static SSO fields: These fields are available if SSO is Static.
     Field Name: Enter the field name, as it appears in the HTML form.
     Value: Enter the field value. To use the values from SSO Credentials, enter %passwd% for password or %username% for username.
     Add: Add another Field Name / Value pair.
  3. Select OK and then select Done.


Using the Quick Connection Tool

The Quick Connection Tool widget enables a user to connect to a resource when it isn’t a predefined bookmark.

You can connect to any type of server without adding a bookmark to the Bookmarks list. The fields in the Quick Connection Tool enable you to specify the type of server and the URL or IP address of the host computer.

See the following procedures:

  • To connect to a web server
  • To ping a host or server behind the FortiGate unit
  • To start a Telnet session
  • To start an FTP session
  • To start an SMB/CIFS session
  • To start an SSH session
  • To start an RDP session
  • To start a VNC session

Except for ping, these services require that you have an account on the server to which you connect.

When you use the Connection Tool, the FortiGate unit may offer you its self-signed security certificate. Select Yes to proceed. A second message may be displayed to inform you of a host name mismatch. This message is displayed because the FortiGate unit is attempting to redirect your web browser connection. Select Yes to proceed.

To connect to a web server

  1. In Type, select HTTP/HTTPS.
  2. In the Host field, type the URL of the web server.

For example: http://www.mywebexample.com or https://172.20.120.101

  3. Select Go.
  4. To end the session, close the browser window.

To ping a host or server behind the FortiGate unit

  1. In Type, select Ping.
  2. In the Host field, enter the IP address of the host or server that you want to reach. For example: 10.11.101.22
  3. Select Go.

A message stating whether the IP address can be reached or not is displayed.

To start a Telnet session

  1. In Type, select Telnet.
  2. In the Host field, type the IP address of the telnet host. For example: 10.11.101.12
  3. Select Go.

A Telnet window opens.

  4. Select Connect.
  5. A telnet session starts and you are prompted to log in to the remote host.

After you log in, you may enter any series of valid telnet commands at the system prompt.

  6. To end the session, select Disconnect (or type exit) and then close the TELNET connection window.

To start an FTP session

  1. In Type, select FTP.
  2. In the Host field, type the IP address of the FTP server. For example: 10.11.101.12
  3. Select Go.

A login window opens.

  4. Enter your user name and password and then select Login. You must have a user account on the remote host to log in.
  5. Manipulate the files in any of the following ways:
    • To download a file, select the file link in the Name column.
    • To access a subdirectory (Type is Folder), select the link in the Name column.
    • To create a subdirectory in the current directory, select New directory.
    • To delete a file or subdirectory from the current directory, select its Delete icon.
    • To rename a file in the current directory, select its Rename icon.
    • To upload a file to the current directory from your client computer, select Upload.
    • When the current directory is a subdirectory, you can select Up to access the parent directory.
  6. To end the FTP session, select Logout.

To start an SMB/CIFS session

  1. In Type, select SMB/CIFS.
  2. In the Host field, type the IP address of the SMB or CIFS server. For example: 10.11.101.12
  3. Select Go.
  4. Enter your user name and password and then select Login. You must have a user account on the remote host to log in.
  5. Manipulate the files in any of the following ways:
    • To download a file, select the file link in the Name column.
    • To access a subdirectory (Type is Folder), select the file link in the Name column.
    • To create a subdirectory in the current directory, select New Directory.
    • To delete a file or subdirectory from the current directory, select its Delete icon.
    • To rename a file, select its Rename icon.
    • To upload a file from your client computer to the current directory, select Upload.
    • When the current directory is a subdirectory, you can select Up to access the parent directory.
  6. To end the SMB/CIFS session, select Logout and then close the SMB/CIFS window.

To start an SSH session

  1. In Type, select SSH.
  2. In the Host field, type the IP address of the SSH host. For example: 11.101.12
  3. Select Go.

A login window opens.

  4. Select Connect.

An SSH session starts and you are prompted to log in to the remote host. You must have a user account to log in. After you log in, you may enter any series of valid commands at the system prompt.
  5. To end the session, select Disconnect (or type exit) and then close the SSH connection window.

To start an RDP session

  1. In Type, select RDP.
  2. In the Host field, type the IP address of the RDP host. For example: 11.101.12
  3. Optionally, you can specify additional options for RDP by adding them to the Host field following the host address. See Using the Quick Connection Tool on page 50 for information about the available options. For example, to use a French language keyboard layout you would add the -m parameter:

10.11.101.12 -m fr

  4. Select Go.

A login window opens.

  5. When you see a screen configuration dialog, click OK.

The screen configuration dialog does not appear if you specified the screen resolution with the host address.

  6. When you are prompted to log in to the remote host, type your user name and password. You must have a user account on the remote host to log in.
  7. Select Login.

If you need to send Ctrl-Alt-Delete in your session, use Ctrl-Alt-End.

  8. To end the RDP session, log out of Windows or select Cancel from the Logon window.

To start a VNC session

  1. In Type, select VNC.
  2. In the Host field, type the IP address of the VNC host. For example: 11.101.12
  3. Select Go.

A login window opens.

  4. Type your user name and password when prompted to log in to the remote host. You must have a user account on the remote host to log in.
  5. Select OK.

If you need to send Ctrl-Alt-Delete in your session, press F8, then select Send Ctrl-Alt-Delete from the pop-up menu.

  6. To end the VNC session, close the VNC window.

Note that the RDP/VNC web portals are not supported for the following platforms:

Platform           Model
FortiGate          80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C, 3240C, 3600C, and 5001C
FortiGate-Rugged   90D
FortiWiFi          92D

Using the SSL VPN virtual desktop

The virtual desktop feature is available for Windows only. When you start an SSL VPN session, the virtual desktop replaces your normal desktop. When the virtual desktop exits, your regular desktop is restored. Virtual desktop information is encrypted so that no information from it remains available after your session ends.

To use the SSL VPN virtual desktop, simply log in to an SSL VPN that requires the use of the virtual desktop. Wait for the virtual desktop to initialize and replace your desktop with the SSL VPN desktop, which has a Fortinet SSL VPN logo as wallpaper. Your web browser will open to the web portal page.

You can use the virtual desktop just as you use your regular desktop, subject to the limitations that virtual desktop application control imposes. If it is enabled in the web portal virtual desktop settings, you can switch between the virtual desktop and your regular desktop. Right-click the SSL VPN Virtual Desktop icon in the taskbar and select Switch Desktop.

To see the web portal virtual desktop settings, right-click the SSL VPN Virtual Desktop icon in the taskbar and select Virtual Desktop Option.

When you have finished working with the virtual desktop, right-click the SSL VPN Virtual Desktop icon in the taskbar and select Exit. Select Yes to confirm. The virtual desktop closes and your regular desktop is restored.

Using FortiClient

Remote users can use FortiClient Endpoint Security to initiate an SSL VPN tunnel to connect to the internal network. FortiClient uses local port TCP 1024 to initiate an SSL encrypted connection to the FortiGate unit on port TCP 10443. When connecting using FortiClient, the FortiGate unit authenticates the FortiClient SSL VPN request based on the user group options, establishes a tunnel with the client, and assigns a virtual IP address to the client PC. Once the tunnel has been established, the user can access the network behind the FortiGate unit.

For information on configuring the FortiGate unit for SSL VPN connectivity, see Basic configuration on page 17.

For details on configuring FortiClient for SSL VPN connections, see the FortiClient documentation.
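As an added illustration of the FortiGate side of the tunnel described above (this is an example written for this page, not configuration from the original page or from Fortinet), the CLI fragment below sets the SSL VPN listening port to TCP 10443, names the address pool from which the client's virtual IP address is assigned, and binds a user group to a portal so that the user group options drive authentication. The pool name SSLVPN_TUNNEL_ADDR1, the portal name full-access and the certificate name Fortinet_Factory are FortiOS defaults; the group name sslvpn_users is assumed. The keywords follow the FortiOS 5.2-style CLI and vary between releases (for example, tunnel-ip-pools under vpn ssl settings and the authentication-rule table are not present in older releases), so check the CLI reference for your firmware. Lines beginning with # are annotations and should be omitted when pasting into the CLI.

```fortios
# Added example: FortiGate configuration matching the FortiClient tunnel flow.
# Placeholder names: sslvpn_users (assumed group); defaults: SSLVPN_TUNNEL_ADDR1,
# full-access, Fortinet_Factory.
config vpn ssl settings
    # Port FortiClient connects to (the document's TCP 10443)
    set port 10443
    # Certificate presented to the client during the SSL handshake
    set servercert "Fortinet_Factory"
    # Pool from which the client PC receives its virtual IP address
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    # Map the user group to a portal; this is the "user group options" check
    config authentication-rule
        edit 1
            set groups "sslvpn_users"
            set portal "full-access"
        next
    end
end
```

Verify the result with show vpn ssl settings on the FortiGate. From the client side, openssl s_client -connect 10.11.101.12:10443 (using the document's example address) confirms that the FortiGate is answering on the port and presenting the expected certificate before you start debugging FortiClient itself. A firewall policy allowing the SSL VPN tunnel interface to reach the internal network is still required; see Basic configuration on page 17 as directed above.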
