
4/16/2017 SSL VPN using web and tunnel mode - Fortinet Cookbook



SSL VPN using web and tunnel mode
Posted on December 23, 2015 by Victoria Martin


In this example, you will allow remote users to access the corporate network using an SSL VPN,
connecting either by web mode using a web browser or tunnel mode using FortiClient. This allows
users to access network resources, such as the Internal Segmentation Firewall (ISFW) used in this
example.

http://cookbook.fortinet.com/ssl-vpn-using-web-and-tunnel-mode-54/

For users connecting via tunnel mode, traffic to the Internet will also flow through the FortiGate, to
apply security scanning to this traffic.

During the connecting phase, the FortiGate will also verify that the remote user's antivirus software
is installed and up to date (the host check enabled in step 6).



1. Creating a user and a user group

Go to User & Device > User Definition. Create a local user account for an SSL
VPN user.

Go to User & Device > User Groups. Create a user group for SSL VPN users
and add the new user account.

2. Creating an SSL VPN portal for remote users

Go to VPN > SSL-VPN Portals. Edit the full-access portal. The full-access
portal allows the use of tunnel mode and/or web mode.

Make sure Enable Split Tunneling is not selected, so that all Internet traffic
will go through the FortiGate. With split tunneling disabled, connected users
reach the Internet only through the second policy added in step 5; without that
policy they have no Internet access for the duration of the session.

Set Source IP Pools to use the default IP range SSLVPN_TUNNEL-ADDR1.



Under Predefined Bookmarks, select Create New to add a new bookmark.


Bookmarks are used as links to internal network resources.

In the example, a bookmark is added to connect to a FortiGate being used
as an ISFW, which can be accessed at https://192.168.200.111.

3. Configuring the SSL VPN tunnel

Go to VPN > SSL-VPN Settings and set Listen on Interface(s) to wan1.

To avoid port conflicts, set Listen on Port to 10443 (port 443 on wan1 is
normally already used for HTTPS administrative access). Set Restrict Access to
Allow access from any host; if the networks your remote users connect from are
known, restricting access to those hosts is the tighter choice.

In the example, the Fortinet_Factory certificate is used as the Server
Certificate. It is, however, recommended that you purchase a certificate for
your domain and upload it for use with an SSL VPN: the factory certificate is
not issued for your hostname and is not trusted by browsers or FortiClient, so
users see a certificate warning on every connection and learn to click through
it, which removes their only defence against an impostor gateway.

Under Tunnel Mode Client Settings, set IP Ranges to use the default IP
range SSLVPN_TUNNEL-ADDR1.

Under Authentication/Portal Mapping, add the SSL VPN user group and
map it to the full-access portal.

If necessary, map a portal for All Other Users/Groups.

4. Adding an address for the local network

Go to Policy & Objects > Addresses.

Add the address for the local network. Set Type to IP/Netmask, Subnet/IP
Range to the local subnet, and Interface to an internal port.

5. Adding security policies for access to the internal
network and Internet


Go to Policy & Objects > IPv4 Policy. Add a security policy allowing access
to the internal network through the VPN tunnel interface. Set a policy name
that identifies what this policy is used for (in the example, SSL-VPN-internal).

Set Incoming Interface to ssl.root and Outgoing Interface to the local
network interface. Select Source and set Address to all and Source User to
the SSL-VPN user group. Set Destination Address to the local network
address, Service to ALL, and enable NAT. Binding Source User to the group is
what limits this policy to members of that group; a policy from ssl.root with
no user or group matches any connected SSL VPN user.

Configure any remaining firewall and security options as desired.

Add a second security policy allowing SSL VPN access to the Internet.

For this policy, Incoming Interface is set to ssl.root, Outgoing Interface is
set to wan1, and Destination is set to all.

6. Setting the FortiGate unit to verify users have current
AntiVirus software

Go to the Dashboard. In the CLI Console widget, enter the following commands to enable the host
check for compliant AntiVirus software on the remote user's computer:

config vpn ssl web portal
  edit full-access
    set host-check av
  next
end
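Steps 1 to 6 above are one configuration. The Python script below is added here as an example (it is not from the cookbook or from Fortinet): it shows the same settings in FortiOS CLI form and audits them for the points the recipe makes, namely a real server certificate, a non-conflicting listen port, split tunneling off and the antivirus host check on for every portal a client can land in, and a user group bound to each policy from ssl.root. The configuration text is constructed to mirror the GUI steps; the object names sslvpngroup, local-network and internal are assumptions, and the audit treats a missing split-tunneling line as the FortiOS default (enabled).

```python
"""Parse FortiOS CLI configuration text and audit its SSL VPN settings.
Added example, not Fortinet code or the cookbook's own. SAMPLE_CONFIG is a
constructed fragment mirroring the recipe's GUI steps; the object names
sslvpngroup, local-network and internal are assumptions."""
import shlex

SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "full-access"
        set split-tunneling disable
        set host-check av
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set port 10443
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 1
        set name "SSL-VPN-internal"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "local-network"
        set groups "sslvpngroup"
        set nat enable
    next
    edit 2
        set name "SSL-VPN-Internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
    next
end
"""


def parse_fortios(text):
    """Return nested dicts: table -> entry -> {option: [values]}.
    A nested `config` becomes a sub-table keyed by its name. A bare `end`
    inside an `edit` (accepted by FortiOS, and used in the recipe's own
    host-check snippet) closes both the entry and its table."""
    root = {}
    stack = [("config", root)]          # (frame kind, node being filled)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        node = stack[-1][1]
        if cmd == "config":
            stack.append(("config", node.setdefault(" ".join(args), {})))
        elif cmd == "edit":
            stack.append(("edit", node.setdefault(args[0], {})))
        elif cmd == "set":
            node[args[0]] = args[1:]
        elif cmd == "unset":
            node.pop(args[0], None)
        elif cmd == "next":
            if stack[-1][0] == "edit":
                stack.pop()
        elif cmd == "end":
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
        else:
            raise ValueError("unrecognised line: " + line)
    return root


def audit_sslvpn(cfg):
    """Return findings against the hardening points the recipe makes."""
    findings = []
    settings = cfg.get("vpn ssl settings", {})
    portals = cfg.get("vpn ssl web portal", {})
    # Step 3: the factory certificate is not issued for your hostname, so
    # every client sees a warning and learns to click through it.
    if settings.get("servercert", ["Fortinet_Factory"])[0] == "Fortinet_Factory":
        findings.append("servercert: Fortinet_Factory in use; install a certificate for the VPN hostname")
    # Step 3: 443 on the listening interface collides with HTTPS admin access.
    if settings.get("port", ["443"])[0] == "443":
        findings.append("port: 443 conflicts with HTTPS administrative access; the recipe uses 10443")
    # Steps 2 and 6, checked on every portal a client can actually land in.
    rules = settings.get("authentication-rule", {})
    mapped = {r["portal"][0] for r in rules.values() if "portal" in r}
    mapped.update(settings.get("default-portal", []))
    for name in sorted(mapped):
        portal = portals.get(name, {})
        # Assumption: an absent split-tunneling line means the FortiOS default, enabled.
        if portal.get("split-tunneling", ["enable"])[0] != "disable":
            findings.append(f"portal {name}: split tunneling enabled; Internet traffic bypasses FortiGate scanning")
        if portal.get("host-check", ["none"])[0] == "none":
            findings.append(f"portal {name}: no host check; client antivirus state is never verified")
    # Step 5: a policy from ssl.root with no Source User or group matches
    # any connected VPN user, not just the group mapped to the portal.
    for pid, pol in cfg.get("firewall policy", {}).items():
        if "ssl.root" in pol.get("srcintf", []) and not (pol.get("groups") or pol.get("users")):
            findings.append(f"policy {pid} ({pol.get('name', ['unnamed'])[0]}): no user group bound to ssl.root policy")
    return findings


if __name__ == "__main__":
    for finding in audit_sslvpn(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Feed it a configuration backup or the output of `show` instead of SAMPLE_CONFIG to check a live unit. The sample deliberately leaves the user group off the Internet policy, which is the mistake Keith Leroux asks about in the comments below, so running it as written reports that policy and the factory certificate.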

7. Results

The steps for connecting to the SSL VPN differ depending on whether you are using a web
browser or FortiClient.

Web browsers:
Using a supported Internet browser, connect to the SSL VPN web portal
using the remote gateway configured in the SSL VPN settings (in the
example, https://172.20.121.46:10443).

Use the SSL VPN user’s credentials to authenticate.

The web portal appears.

In this example, selecting the ISFW Bookmark allows you to connect to the
ISFW FortiGate.

To connect to the Internet, select Quick Connection. Select HTTP/HTTPS,
then enter the URL and select Launch.

The website will launch.

You can also use the Quick Connection for other allowed types of traffic,
such as SSH.

An SSH connection will open in your browser, connecting to the requested
host.

Java is required for an SSH connection.

On the FortiGate, go to Monitor > SSL-VPN Monitor. The user is connected
to the VPN.

FortiClient:

If you have not done so already, download FortiClient from
www.forticlient.com.

Open the FortiClient Console and go to Remote Access. Add a new
connection.

Set VPN Type to SSL VPN, set Remote Gateway to the IP of the listening
FortiGate interface (in the example, 172.20.121.46). Select Customize Port
and set it to 10443.

Select Add.

Connect to the VPN using the SSL VPN user’s credentials.

You are able to connect to the VPN tunnel.

On the FortiGate, go to Monitor > SSL-VPN Monitor. The user is connected
to the VPN.


Victoria Martin
Technical Writer & Head Cookbook Chef at Fortinet

Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She
graduated with a Bachelor's degree from Mount Allison University, after which she
attended Humber College's book publishing program, followed by the more practical
technical writing program at Algonquin College. She does need glasses but also likes
wearing them, since glasses make you look smarter.






27 Comments on "SSL VPN using web and tunnel mode"


Nishit Patel

I upgraded from 5.2.10 to 5.4.4. When ssl-vpn is configured in web mode and tunnel
mode, we use Firefox to connect to the work network. But when we log in, we don't see
tunnel mode and also don't see a connect button?

April 10, 2017 11:42 am

Whitney Lo

How can I add security policies for access to the Internet if I am using WAN load
balancing? I cannot find wan1 or wan2 or wan load balance on outgoing interface.

April 10, 2017 6:46 am

Michael P. Gray

I must be missing something. I followed this recipe with minor changes for IP
information. I can authenticate when making the VPN connection. I can check the
logs and see the connected client. The client gets a proper address in the subnet
that I identified, and gets the DNS entries that I specified but no gateway. The
client cannot access anything in the internal LAN. What am I missing?

February 21, 2017 3:28 pm

Keith Leroux

Hi Michael, shot in the dark, but did you add the user group to the
sslvpn->internal policy?

February 21, 2017 3:55 pm

Michael P. Gray

Yes. My policy looks identical to that of step 5 above with the
exception of the icon for the LAN on the outgoing interface. It has
the two green intersecting arrowed lines.

February 21, 2017 5:23 pm

Michael P. Gray

I (thanks to the Fortinet support) found the issue to be the
machine I was using to test. I grabbed another laptop and it
worked. I reformatted the original laptop and it now works on
that as well.

February 22, 2017 2:10 pm

Keith Leroux

Fantastic! Thanks for following up with us.

February 22, 2017 2:42 pm

iacopo

Hello.
Is port 10443 a must if you want to change from the default port (443)? I would like to
change to a different port than 443 or 10443 but it seems it's not working, am I
missing something?

Thanks!

February 17, 2017 5:16 am

Victoria Martin

Hello,

Port 10443 is an unassigned port, which is why it was used for the VPN. Any
other unassigned port can also be used without causing conflict.

If you are having trouble using a different port, double-check that you are
using the correct port number in your URL (if you are using web mode) or
FortiClient (for tunnel mode). If after checking this you still have trouble, I
would recommend contacting Fortinet Support.

February 17, 2017 11:59 am

Bob Sauvage

If the subnet from the client is the same as the one from the enterprise network,
what should I do?

February 7, 2017 2:48 am

Keith Leroux

Hello Bob,

In the case of overlapping subnets, you will have to use VIPs. Here’s a
knowledge base article that should help you out:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD35117

February 7, 2017 10:35 am

Henry

Hello, I have configured WAN load balancing, and I can't select wan-load-balancing.

February 5, 2017 8:56 pm

Henry

Hello

If I want to select wan-load-balancing in a policy, what should I do?

Thanks and Regards.

February 14, 2017 6:08 pm

paradoxxxical

I'm not sure why Henry's question was ignored, but it's valid, as the
SSL-VPN-Internet policy in step 5 cannot be created with a WAN LLB setup.
It allows you to select the specific LAN for the SSL-VPN-internal policy, but
not for the Internet. I created a route instead, but am experiencing
similar issues to Michael P. Gray.

February 28, 2017 8:58 am

Victoria Martin

For this issue, I would recommend contacting Fortinet Support.

March 1, 2017 10:33 am

Limbad Sagar

Dear Sir/Madam,
I have configured SSL VPN using FortiClient. It's working well, and another function,
MAC address binding, is possible in our FortiGate firewall, but our issue is static IP
binding, meaning a user connects with FortiClient to the FortiGate firewall and is also
assigned one fixed local IP (SSL_VPN_Range). So please inform me: is it possible to
bind a static IP on the FortiClient side in our firewall?

February 3, 2017 12:48 am


Landy.Wang

Very simple to understand, thank you very much, I love FortiGate.

January 11, 2017 7:58 pm

Limbad Sagar

Dear Mam,

We are using a Fortinet 100D and have 2 Internet connections, and are using port
forwarding on our Fortinet firewall. Both Internet connections have port forwarding,
but sometimes one Internet connection goes down, and at that time I lose the connection.
Any other idea for a failover route in port forwarding?

January 9, 2017 5:08 am

Limbad Sagar

Thank you, Mam.

But, Mam, there is a VLAN configuration in my Fortinet 100D firewall. Is that possible
with SSL VPN in my Fortinet 100D firewall?

December 22, 2016 12:15 am

Victoria Martin

Hello Limbad,

I'm not quite sure I understand your question. This recipe was written
using a FortiGate 100D, so its setup should be similar to yours.

December 22, 2016 12:03 pm

Ngô Đức Trọng

How about enabling UTF-8 in web access?

June 29, 2016 3:07 am

Adam Bristow

Hello,

There was a way to enable UTF-8, however this has since been replaced
with specific language options. This is configured in the CLI. Open the CLI
Console and enter the following:

config vpn ssl web portal
  edit full-access
    set custom-lang ?

This will show you a list of available character-sets/languages to choose
from, including:

– GB2312: Simplified Chinese
– big5: Traditional Chinese
– en: English (Caribbean)
– euc-kr: Korean, using the Extended Unix Code (EUC)
– fr: French
– pg: Portuguese
– sp: Spanish
– x-sjis: Japanese (using the Shift Japanese Industrial Standards (SJIS))

I hope this helps!

Adam

December 22, 2016 12:33 pm

David

I think we don't have to enable NAT on the policy ssl.root to LAN.

June 28, 2016 1:01 pm

Adam Bristow

Hello David,

Theoretically it is not necessary to enable NAT for this specific policy,
however it's better to enable NAT in order to avoid similar subnets from
connecting to one another. This is important if you have specific policies
running in your subnet.

I hope this helps!

Regards,

Adam

December 22, 2016 1:08 pm

Santosh Sharma

There should be one option as PDF so that we can download it as PDF.

January 25, 2016 8:02 am

Victoria Martin

Hello Santosh,

We plan to add PDFs for each recipe soon.

January 25, 2016 9:50 am

Santosh Sharma

Hi, thanks Martin for your revert.

There is no document on inter-VDOM routing. Please update one
document on this also.

January 25, 2016 10:26 am

© 2017 Fortinet