FortiGate
dbabic
Staff
Article Id 192904

Description

This article describes how to make SSL VPN access (web portal through a browser) available through two or more WAN links on the same FortiGate, and how to restrict which user groups may log in on each link.

Solution

Via the GUI, configure SSL VPN access:

Go to VPN -> SSL-VPN Settings.
In the 'Listen on Interface(s)' field, select the two (or more) WAN interfaces the portal should answer on (in this example, port1 and wan1).

Next, configure the Authentication/Portal Mapping so that each user group is mapped to a portal.

With this configuration, users can log in through either WAN link.
If access must be restricted (for example, Guest-group may log in only when connecting through the wan1 interface), adjust the configuration in the CLI. An authentication rule with 'set source-interface' only matches connections arriving on that interface; a rule without 'source-interface' matches on every listening interface:
 
config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "Guest-group"
            set portal "full-access"
        next
        edit 2
            set groups "SSLVPN"
            set portal "full-access"
        next
    end
end

 
The final configuration looks like this:

Fortigate # show vpn ssl settings
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-suffix "global.local"
    set dns-server1 192.168.0.3
    set dns-server2 192.168.0.11
    set port 444
    set source-interface "port1" "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "Guest-group"
            set portal "full-access"
        next
        edit 2
            set groups "SSLVPN"
            set portal "full-access"
        next
    end
end
 
Note: For the portal to answer on both links, both WAN interfaces need an active default route in the routing table, so that replies to clients arriving on either link can be routed back out through that link.
One way to achieve this is two static default routes with the same distance (so both are installed in the routing table) but different priority values. In FortiOS the route with the lower priority value is preferred for traffic initiated from behind the FortiGate, while the other route stays active instead of being dropped from the table.
 
config router static
    edit 9
        set priority 20
        set gateway 10.100.0.1
        set device "wan1"
    next
    edit 10
        set gateway 10.10.0.1
        set device "port1"
    next
end
 
Check the routing table to confirm that both interfaces carry an active default route: both 'via' lines must appear under 0.0.0.0/0, and the wan1 entry shows its priority of 20 in the trailing [20/0].

get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.10.0.1, port1
                  [10/0] via 10.100.0.1, wan1, [20/0]
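The per-interface authentication rules above and the routing-table check can be verified offline with a small audit script. The following is an added example, not Fortinet code and not output from the article's device: it parses the text of 'show vpn ssl settings' and 'get router info routing-table all' (both sample outputs are constructed from this article's values), reports which groups can log in on each listen interface, flags rules that apply everywhere because they have no source-interface, and confirms that each listen interface has an active default route. All function and variable names are this example's own.

```python
"""Audit a multi-WAN FortiGate SSL VPN configuration from CLI output.

Added example for this article; not Fortinet code. It parses the text of
'show vpn ssl settings' and 'get router info routing-table all' and reports,
per listen interface, which user groups can authenticate there and whether
that interface carries an active default route.
"""
import re
import shlex

# Constructed sample: the article's final SSL VPN configuration (trimmed).
SSL_SETTINGS = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 444
    set source-interface "port1" "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "Guest-group"
            set portal "full-access"
        next
        edit 2
            set groups "SSLVPN"
            set portal "full-access"
        next
    end
end
"""

# Constructed sample: the article's routing table with both static default routes.
ROUTING_TABLE = """\
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.10.0.1, port1
                  [10/0] via 10.100.0.1, wan1, [20/0]
"""


def parse_ssl_settings(text):
    """Return (listen_interfaces, rules).

    rules is a list of dicts, one per 'edit N' block under
    'config authentication-rule', mapping each 'set' keyword to its values.
    """
    listen, rules, current, in_rules = [], [], None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw)            # strips the quotes around "wan1" etc.
        if not tokens:
            continue
        if tokens[:2] == ["config", "authentication-rule"]:
            in_rules = True
        elif in_rules and tokens[0] == "edit":
            current = {"id": tokens[1]}
        elif in_rules and tokens[0] == "next":
            rules.append(current)
            current = None
        elif in_rules and tokens[0] == "end":
            in_rules = False
        elif tokens[0] == "set":
            key, values = tokens[1], tokens[2:]
            if current is not None:
                current[key] = values
            elif key == "source-interface":  # the global 'Listen on Interface(s)' list
                listen = values
    return listen, rules


def unrestricted_rules(rules):
    """IDs of rules with no source-interface: they match on every listen interface."""
    return [r["id"] for r in rules if "source-interface" not in r]


def default_route_interfaces(text):
    """Interfaces with an installed 0.0.0.0/0 route (extra next hops are continuation lines)."""
    ifaces, in_default = [], False
    for line in text.splitlines():
        if "0.0.0.0/0" in line:
            in_default = True
        elif not line.startswith(" "):       # a new prefix or a header ends the block
            in_default = False
        if in_default:
            m = re.search(r"via \S+, ([^\s,]+)", line)
            if m:
                ifaces.append(m.group(1))
    return ifaces


def audit(ssl_text, route_text):
    """Per listen interface: groups allowed to log in there and whether it is routable."""
    listen, rules = parse_ssl_settings(ssl_text)
    routed = set(default_route_interfaces(route_text))
    report = {}
    for iface in listen:
        groups = set()
        for rule in rules:
            # A rule pinned to a different interface does not apply on this one.
            if "source-interface" in rule and iface not in rule["source-interface"]:
                continue
            groups.update(rule.get("groups", []))
        report[iface] = {"groups": sorted(groups), "default_route": iface in routed}
    return report


if __name__ == "__main__":
    for iface, info in audit(SSL_SETTINGS, ROUTING_TABLE).items():
        state = "OK" if info["default_route"] else "NO DEFAULT ROUTE"
        print(f"{iface}: groups={info['groups']} route={state}")
```

Run against the article's configuration, the report shows port1 reachable by SSLVPN only and wan1 by both Guest-group and SSLVPN, with a default route on each; removing the wan1 static route makes the wan1 entry report the missing route, which is the failure mode behind the 'Permission Denied' article linked below.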

 

Related Articles:

Technical Tip: SSL VPN Redundancy.

Technical Tip: SSL VPN with multiple links not able to login Error: Permission Denied.