mbanica
Staff
September 1, 2015

Technical Note: SSL VPN web access configuration change in FortiOS v5.2.x

Description
The way SSL VPN is configured changed between FortiOS 5.0 and 5.2. In 5.0, the policies for web-mode and tunnel-mode were defined separately.

In 5.2 only one policy is needed, from ssl.root to the internal port.

Scope
All FortiGates.

Solution
For SSL VPN web-mode to be accessible, the user group must be defined in this policy; otherwise access to the SSL VPN page will not work.

Non-working configuration
# config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Working configuration
# config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSL_VPN_users"
    next
end
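
The difference between the two configurations above can be checked automatically against a saved configuration. The following is an added example, not Fortinet code: it parses the "config firewall policy" section and lists accept policies sourced from ssl.root that have no "set groups" line. The function names and the sample text are constructed for illustration, and the parser assumes the section has no nested config blocks or multi-line quoted values.

```python
import shlex

# Constructed sample in FortiOS CLI syntax, modelled on the two policies above.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set action accept
    next
    edit 2
        set srcintf "ssl.root"
        set action accept
        set groups "SSL_VPN_users"
    next
    edit 3
        set srcintf "internal"
        set action accept
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} from 'config firewall policy'."""
    policies, current, in_section = {}, None, False
    for raw in text.splitlines():
        # Drop indentation and a leading '#' CLI prompt, then split on quotes/spaces.
        tokens = shlex.split(raw.strip().lstrip("#"))
        if tokens == ["config", "firewall", "policy"]:
            in_section = True
        elif in_section and tokens[:1] == ["end"]:
            in_section, current = False, None
        elif in_section and tokens[:1] == ["edit"] and len(tokens) > 1:
            current = policies.setdefault(tokens[1], {})
        elif tokens[:1] == ["next"]:
            current = None
        elif tokens[:1] == ["set"] and len(tokens) > 2 and current is not None:
            current[tokens[1]] = tokens[2:]
    return policies

def sslvpn_policies_without_group(text, ssl_intf="ssl.root"):
    """IDs of accept policies sourced from ssl_intf that have no 'set groups'."""
    return [pid for pid, cfg in parse_policies(text).items()
            if ssl_intf in cfg.get("srcintf", [])
            and cfg.get("action") == ["accept"]
            and not cfg.get("groups")]

if __name__ == "__main__":
    for pid in sslvpn_policies_without_group(SAMPLE_CONFIG):
        print(f"policy {pid}: from ssl.root but no user group; web-mode will not work")
```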