Description
This article explains how to create separate SSL VPN web portals on FortiOS 5.2 and filter access by client public IP and user group (or user) at the same time.
On 5.0 it was possible, using identity-based policies, to allow a specific pairing of user group (or user) and public IP to reach a particular SSL VPN web portal.
All other combinations of user group and public IP could not reach that SSL VPN web portal.
On 5.2 identity-based policies are no longer available and the way SSL VPN is configured has changed drastically.
Solution
The following example is used as a configuration template:
- User1 of usergroup1 from PC1 with pubIP1 can connect to ssl_vpn_web_portal_1 only.
- User2 of usergroup2 from PC2 with pubIP2 can connect to ssl_vpn_web_portal_2 only.
- Standalone SSL VPN client and FortiClient software both work.
All other combinations are not allowed:
- User1 from pubIP2 cannot reach any ssl_vpn_web_portal
- User2 from pubIP1 cannot reach any ssl_vpn_web_portal
Network Diagram
Configuration Steps
Note that almost all the steps below, unless stated otherwise, can be done via the WebGUI or the CLI, but only the WebGUI is shown.
Step 1 Users and user groups configuration
In this example the user group is local, but it could also be an LDAP or RADIUS group.
- Go to User & Device > User
- Configure usergroup ‘ssl-vpnGroup1’ with user ‘user1’
- Configure usergroup ‘ssl-vpnGroup2’ with user ‘user2’ in the same way
Step 2 Firewall Addresses configuration
NOTE: the following addresses can be bound to the external interface or to ‘any’.
- Go to Policy & Objects > Objects > Address
- Configure firewall addresses with the client public IPs: ‘Pub_Source_IP_1’ and ‘Pub_Source_IP_2’
- Configure firewall address ranges ‘SSLVPN_TUNNEL_ADDR1’ and ‘SSLVPN_TUNNEL_ADDR2’ (the tunnel-mode IP pools)
Step 3 Create Dedicated SSL-VPN Portal
Both portals have Tunnel Mode enabled and Split Tunneling disabled, but this is not mandatory for the purpose of the template.
- Go to VPN > SSL > Portals
- Configure portals ‘full-access-1’ and ‘full-access-2’, assigning respectively ‘SSLVPN_TUNNEL_ADDR1’ and ‘SSLVPN_TUNNEL_ADDR2’ as the IP Pool for Tunnel Mode
Step 4 Configure SSLVPN Connection Settings
NOTE: this is the main part, where users/user groups, addresses and address ranges are assigned to specific SSL VPN web portals; for the purpose of this article it also requires a CLI-only configuration.
- Go to VPN > SSL > Settings
- Select the listening external interface (port1 in this case) and the listening port (10443)
- Restrict access to the SSL VPN to the public IPs previously defined (‘Pub_Source_IP_1’ and ‘Pub_Source_IP_2’)
- Specify the IP ranges assigned to clients in Tunnel Mode (‘SSLVPN_TUNNEL_ADDR1’ and ‘SSLVPN_TUNNEL_ADDR2’)
- Associate users/groups to the SSL VPN portals
NOTE: so far the addresses have been associated to the portals, but there is no exclusive restriction by public IP yet: user1 can still log in from both ‘Pub_Source_IP_1’ and ‘Pub_Source_IP_2’.
The following CLI-only configuration of the authentication-rule under vpn ssl settings provides the requested behaviour: each rule pairs one source address with one group and one portal, so a login is accepted only when both match.
- Go to the CLI via SSH and set source-interface (port1 only in this case) and source-address on each authentication rule:
config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "port1"
            set source-address "Pub_Source_IP_1"
            set groups "ssl-vpnGroup1"
            set portal "full-access-1"
        next
        edit 2
            set source-interface "port1"
            set source-address "Pub_Source_IP_2"
            set groups "ssl-vpnGroup2"
            set portal "full-access-2"
        next
    end
end
Step 5 Configure policies to activate the SSL VPN and allow access to resources
NOTE: the specific user group must be set on both kinds of policy.
- Go to Policy & Objects > Policy > IPv4
- Configure firewall policies from the ssl.root interface to the listening interface (port1 in this case) to activate the SSL VPN portal for the user/user group specified in the source user list
- Configure firewall policies from the ssl.root interface to the internal network (port2 in this case) to allow access to internal resources (access can be restricted by destination IP and service as in a normal policy)
Test 1 Try to log in from PC1 with user1 and user2 (according to the template, only user1 succeeds)
Test 2 Try to log in from PC2 with user1 and user2 (according to the template, only user2 succeeds)
Related Articles
Technical Note: SSL VPN source-interface setting in authentication rule taking precedence
Technical Tip: SSL VPN with multiple links not able to login Error: Permission Denied