Skip to main content
Benny_Lyne_Amorsen
Benny_Lyne_Amorsen
New Member
May 7, 2020
Question

FortiClient SSL VPN and selective split tunnelling

  • May 7, 2020
  • 1 reply
  • 15381 views

I am wondering how to achieve the following setup, which is really easy with IPSEC. For various unfortunate reasons it has to be done with SSL-VPN instead.

 

Client is FortiClient on various platforms, centrally managed by EMS (but I do not think EMS makes a difference here).

Clients get access to two tunnels. One tunnel is configured for split tunnelling, to allow the users to access their local printers and other local services, and the other is configured for full tunnelling, sending all traffic through the Fortigate.

People pick the appropriate tunnel in the FortiClient interface.

There are two portals set up, one is "full", the other is "split", and they are configured the same except "full" has split-tunneling set to disable.

 

I cannot figure out how to let the users pick the right SSL VPN portal in FortiClient. In IPSEC-VPN it is done by setting local-ID in the client and matching on that in the VPN gateway, but there does not appear to be anything like that in SSL VPN. I can set it up (config authentication rule) so that certain users get the "full" portal and the others get the "split" portal, but the whole point is to allow users to switch as required.

 

Is this a highly unusual requirement? What do you do?

    1 reply

    Markus
    Markus
    New Member
    May 8, 2020

    Hi I think the easyiest way to achive this in SSL VPN, is to use Realms. https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/724772/ssl-vpn-multi-realm

    Benny_Lyne_Amorsen
    Benny_Lyne_AmorsenAuthor
    New Member
    May 11, 2020

    I read the realm documentation, and it is quite possible that I am being obtuse.

     

    However, from my reading, every user can belong to precisely one realm. That is not helpful for me, unfortunately. I am trying to let the user make the decision about which realm to join, when they start the FortiClient SSL VPN connection.

     

    I accomplish that with IPSEC VPN by providing two separate tunnels that the user can choose between in FortiClient. Each tunnel has a specific local ID which I can match in the Fortigate VPN configuration. I can provide multiple SSL tunnels in the FortiClient as well, but the Fortigate has no way to distinguish between which one the user picked.

    Terms & ConditionsAccessibility statement