FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 191275
Description
Setting up FortiGate SSL VPN to provide secure web-based access to an internal network.
Components
  • All FortiGate units
  • FortiOS 3.0
Steps or Commands

SSL VPN is a secure remote access solution that requires very little configuration on the client end. There are two modes for SSL VPN.

  • Web Mode provides remote users with a secure web portal, through which they can access only specific resources on the internal network behind the FortiGate unit. These resources can be network shares, http or https web servers, ftp servers or even Remote Desktop and VNC applications.
  • Tunnel Mode goes a step further and assigns remote users a private IP. With this private IP, remote users have direct access to resources on the internal network behind the FortiGate unit, instead of through the portal provided by Web Mode.

Remote users (also called clients) are required to have the following configuration:

  • Windows 2000, XP, 2003 or Vista (currently, Vista supports Web Mode only)
  • Internet Explorer 6.0 (or later), or Mozilla Firefox 1.2 (or later).

To configure the SSL VPN service using the web-based manager

  1. Go to VPN > SSL.
  2. Select Enable SSL-VPN.
  3. Configure Tunnel IP Range with a range of IP addresses that can be used for Tunnel Mode connections. Select a range of private IP addresses that are reserved for SSL VPN users and are not in use on your internal network.
  4. Under Advanced, define any internal DNS or WINS servers present in your network, so that your remotely connected users can resolve internal DNS addresses.
  5. Select OK.
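As an added check for step 3 above (example Python, not Fortinet code): given the start and end addresses typed into Tunnel IP Range and the subnets already in use behind the FortiGate unit, it verifies that the range lies in RFC 1918 private space, reports any overlap with an internal subnet, and counts how many tunnel clients the range can serve. The subnet and range values in the block are constructed samples.

```python
"""Validate a proposed SSL VPN tunnel IP range against the internal network.

The range handed to tunnel-mode clients must be private address space and must
not collide with any subnet already in use behind the FortiGate unit; otherwise
clients and internal hosts end up with conflicting routes.
"""
import ipaddress
from typing import Iterable, List

# RFC 1918 private blocks (checked explicitly; ipaddress.is_private also
# counts documentation/test ranges, which we do not want here).
RFC1918 = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]


def range_to_networks(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Turn a start/end pair (as entered in Tunnel IP Range) into CIDR blocks."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("range end precedes range start")
    return list(ipaddress.summarize_address_range(first, last))


def check_tunnel_range(start: str, end: str, internal_subnets: Iterable[str]) -> List[str]:
    """Return the problems found; an empty list means the range is usable."""
    problems: List[str] = []
    internal = [ipaddress.IPv4Network(s, strict=False) for s in internal_subnets]
    for block in range_to_networks(start, end):
        if not any(block.subnet_of(priv) for priv in RFC1918):
            problems.append(f"{block} is not RFC 1918 private space")
        for net in internal:
            if block.overlaps(net):
                problems.append(f"{block} overlaps internal subnet {net}")
    return problems


def client_capacity(start: str, end: str) -> int:
    """Number of addresses (and therefore concurrent tunnel clients) in the range."""
    return sum(b.num_addresses for b in range_to_networks(start, end))


if __name__ == "__main__":
    # Constructed sample values: two internal LAN subnets and two candidate ranges.
    lan = ["192.168.1.0/24", "10.10.0.0/16"]
    for proposed in [("10.10.5.1", "10.10.5.50"), ("192.168.200.1", "192.168.200.50")]:
        print(proposed, client_capacity(*proposed), check_tunnel_range(*proposed, lan) or "OK")
```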

To configure an SSL VPN user group

  1. Go to User > Local.
  2. Select Create New.
  3. Add a user name and password for this new local user account.
  4. Select OK.
  5. Go to User > Group.
  6. Select Create New.
  7. Add a name for the new user group (for example, SSL_VPN_Access).
  8. Set Type to SSL VPN.
  9. Select the local user that you just added in the list on the left and select the right arrow to add that user to this group.
    Repeat this process to add more local users to the SSL_VPN_Access user group.
  10. Select the blue arrow next to SSL-VPN User Group Options.
  11. Select Enable SSL VPN Tunnel Service, Enable Web Application, HTTP/HTTPS Proxy, Telnet, VNC, FTP, SMB/CIFS and RDP.

    These options control the services that SSL VPN users have access to. Depending on your requirements, you might want to disable access to some of these services.

  12. Leave Host check disabled for now. For a description of this feature and how to use it, see the FortiGate SSL VPN User Guide.
  13. Select OK.

Note: To control access to your SSL VPN network, your users must log in with a username and password as defined in your FortiGate unit User configuration. This example shows how to add local users to your FortiGate unit configuration. You can also configure SSL VPN to work with your LDAP or RADIUS servers.

To add an SSL VPN firewall policy

  1. Go to Firewall > Policy.
  2. Select Create New.
  3. Set the Source Interface to the interface that connects your FortiGate unit to the Internet (usually external or WAN1).
  4. Set the Source Address to all.
  5. Set the Destination Interface to the interface connected to your internal network.
  6. Set the Destination Address to all.
  7. Set the action to SSL-VPN.
  8. Select the user group that you just added in the list on the left and select the right arrow to add that user group to this policy.
  9. Select OK.

With this configuration, users can access your FortiGate unit SSL VPN page from outside of your internal network (from the Internet). To access the SSL VPN page, users start a web browser and browse to your FortiGate unit's public IP address. They must also specify the port number the SSL VPN service listens on in their browser address field. For example, if the public IP address of your FortiGate unit is 210.55.55.1, your users would browse to https://210.55.55.1:10443.

Once connected, the user must log in. The user information provided must match a user in the group defined above.

After a successful login, the FortiGate Web mode access portal appears. Users can define new bookmarks to reach an internal FTP server or web server, or to remotely control a PC on the network using Remote Desktop Protocol or VNC where available.

Note: As of Maintenance Release 5 (MR5), a new option in the GUI allows administrators to configure predefined bookmarks for SSL VPN web mode access. Go to VPN > SSL > Bookmarks.

To initiate tunnel mode, the user selects the activate SSL VPN tunnel mode link at the top of the web page. On first viewing, the user may be required to install either an ActiveX (Internet Explorer) or Java (Firefox) component. This process installs a new dial-up network connection on the user's PC to secure the user's connection to your internal network.

Once tunnel mode is established, the status window on this page shows the duration of the connection. The user can minimize this browser window and work as though they were connected directly to the internal network.

Note: Access at this point requires either that users know the IP addresses of internal servers, or that your DNS server is configured to resolve the internal machine names (also called NetBIOS names) of those servers.

To close this connection, the user can either select Disconnect in the open web browser, or close the browser.

For more information about SSL VPN and about advanced SSL VPN options, see the SSL VPN User Guide.