Technical Tip: Binding SSL VPN user/group to public IP address
Description
This article describes how to bind SSL VPN users/groups to specific IP addresses for security and authentication.
Scope
FortiGate.
Solution
Network diagram.
Scenario 1.
User1 and User2 with Public_IP_1.
User1 of User1Group1 from PC1 with Public_IP_1 can connect to ssl_vpn.
User2 of User2Group2 from PC2 with Public_IP_1 cannot connect to ssl_vpn.
Scenario 2.
User1 and User2 with Public_IP_2.
User1 of User1Group1 from PC1 with Public_IP_2 cannot connect to ssl_vpn.
User2 of User2Group2 from PC2 with Public_IP_2 can connect to ssl_vpn.

- Users and usergroups configuration.
- Go to User & Device -> User.
- Configure User1Group1 with user ‘User1’.
- Configure User2Group2 with user ‘User2’.

- Firewall addresses configuration.

- Create an SSL VPN portal.
- Go to VPN -> SSL -> Portals.
- Configure portals 'full-access-1'.

- Configure SSL VPN connection settings.
- Go to VPN -> SSL -> Settings.
- Select the listen external interface, listen port.
- Restrict access to SSL VPN to the public IP addresses previously defined (Public_IP_1, Public_IP_2).
- Associate user/group to SSL VPN Portals.


So far the address groups have been associated with the portal, but there is no exclusive restriction by public IP yet: User1 can still access from both 'Public_IP_1' and 'Public_IP_2'.
Only the CLI configuration of the authentication-rule under the SSL VPN settings provides the requested behavior.
- Go to the CLI via SSH and specify source-interface (port3 only in this case) and source-address per authentication rule.
config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "port3"
            set source-address "Public_IP_1"
            set groups "User1Group1"
            set portal "full-access-1"
        next
        edit 2
            set source-interface "port3"
            set source-address "Public_IP_2"
            set groups "User2Group2"
            set portal "full-access-1"
        next
    end
end
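The following added example (not part of the original article or of FortiOS) parses a copy of the authentication-rule block above, flags any rule that binds a group without a source-address (the open state described before the CLI change), and models the per-rule match to reproduce the expected result of both scenarios. The address values and the evaluation logic are assumptions for illustration; the article gives no real IPs, and the model ignores FortiOS options it does not mention.

```python
import ipaddress
import re

# Constructed input modelled on the article's CLI block (not a live FortiGate export).
AUTH_RULES_CLI = """
config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "port3"
            set source-address "Public_IP_1"
            set groups "User1Group1"
            set portal "full-access-1"
        next
        edit 2
            set source-interface "port3"
            set source-address "Public_IP_2"
            set groups "User2Group2"
            set portal "full-access-1"
        next
    end
end
"""

# Hypothetical address objects: the article does not give the real public IPs.
ADDRESSES = {"Public_IP_1": "198.51.100.10/32", "Public_IP_2": "203.0.113.20/32"}


def parse_auth_rules(cli_text):
    """Parse 'edit N' ... 'next' entries into {rule_id: {setting: [values]}}."""
    rules, current = {}, None
    for line in cli_text.splitlines():
        line = line.strip()
        if m := re.match(r'^edit (\d+)$', line):
            current = rules.setdefault(int(m.group(1)), {})
        elif (m := re.match(r'^set (\S+) (.+)$', line)) and current is not None:
            current[m.group(1)] = re.findall(r'"([^"]*)"', m.group(2))
        elif line == "next":
            current = None
    return rules


def audit_rules(rules):
    """Rule ids that bind a group to no source-address: that group may then
    log in from any client IP the listener accepts (the gap this article closes)."""
    return [rid for rid, r in sorted(rules.items())
            if r.get("groups") and not r.get("source-address")]


def allowed_portal(rules, addresses, group, interface, client_ip):
    """Model of rule evaluation (assumption): the lowest-numbered rule whose
    interface, group and source-address all match decides the portal; else None."""
    ip = ipaddress.ip_address(client_ip)
    for rid in sorted(rules):
        r = rules[rid]
        if interface not in r.get("source-interface", []) or group not in r.get("groups", []):
            continue
        srcs = r.get("source-address")
        if srcs and not any(ip in ipaddress.ip_network(addresses[n]) for n in srcs):
            continue
        return r.get("portal", [None])[0]
    return None
```

Removing the `set source-address` line from rule 1 makes `audit_rules` report rule 1, and User1Group1 then matches from both addresses, which is the behaviour the article's portal-only configuration shows.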
- Configure the firewall policy.
- Go to Policy & Objects -> Policy -> IPv4.

Try to log in from Public_IP_1 with User1 and User2.


Try to log in from Public_IP_2 with User1 and User2.


