Skip to main content
syu
syu
New Member
October 7, 2015
Solved

Multiple Remote SSL VPN on a Fortigate unit or vdom?

  • October 7, 2015
  • 1 reply
  • 19921 views

Hi, Need suggestions.

 

I was asked to do a remote SSL VPN solution for a hub-spoke network design. Three spoke has small unit onsite and they belongs to three different sister companies. The hub has bigger fortigate as well and IPSEC tunnel to each spoke.

 

The requirements are:

1.2-factor auth for remote vpn on central HUB Firewall.

2. Each user authenticated via corresponding company AD.

3. Once user is authenticated, user has access only to the corresponding company network

4. Dedicated vpn client for user computer, no web browser based.

 

My concern part is really the item#3 above. I do not even know if fortiOS can provide the feature to assign subnet/routing dynamically based on Domain user account with a single remote SSL VPN profile. However I can image to use different remote ssl vpn profiles for different company/domain users, such as user from Company A connects to "vpn.example.com/company-a" via forticlient; user from Company B connects to "vpn.example.com/company-b" via forticlient. But how can I configure multiple remote SSL VPN profiles on a fortigate?

 

Maybe remote ipsec vpn is better for this scenario? Suggestions please.

Best answer by neonbit

I believe the SSL VPN will be able to satisfy all your requirements here.

To setup different URLs for each customer you first need to enable SSL VPN Realms which are disabled by default. Goto System > Config > Features and turn on SSL VPN Realms (remember to click Apply to save).

Next create your realms under VPN > SSL > Realms for each of your customers. In the url path enter company-a to link to vpn.example.com./company-a. Next create individual portals for each of the companies. VPN > SSL > Portals. For each of the portals enable tunnel mode and split tunneling. Select the routing addresses you want these specific users to have access to (this will populate the routing table for the users), select the IP pool, deselect Web mode.

 

Should look similar to this:

Next you need to link the usergroups with the portal with the realm. Go to VPN > SSL > Settings and create your authentication mappings at the bottom. Should look similar to this:

Next you need to create policies to control what each customer has access to. Your source should be the sslvpn+sslvpnaddress+usergroup and your destination should be the VPN interface and remote VPN subnet you want the users to have access to.

 

Should look something like this:

 

Lastly remember to add the company-a-sslpool address to your routes. For example, if I'm giving 10.1.1.0/24 addresses to my company-a ssl connections, I would create the following route on the FortiGate:

 

 

Once that's done repeat all steps (realm > portal > setting mappings > policy > route) for company-b and company-c.

 

Hope it helps!

1 reply

neonbit
neonbitAnswer
New Member
October 8, 2015

I believe the SSL VPN will be able to satisfy all your requirements here.

To setup different URLs for each customer you first need to enable SSL VPN Realms which are disabled by default. Goto System > Config > Features and turn on SSL VPN Realms (remember to click Apply to save).

Next create your realms under VPN > SSL > Realms for each of your customers. In the url path enter company-a to link to vpn.example.com./company-a. Next create individual portals for each of the companies. VPN > SSL > Portals. For each of the portals enable tunnel mode and split tunneling. Select the routing addresses you want these specific users to have access to (this will populate the routing table for the users), select the IP pool, deselect Web mode.

 

Should look similar to this:

Next you need to link the usergroups with the portal with the realm. Go to VPN > SSL > Settings and create your authentication mappings at the bottom. Should look similar to this:

Next you need to create policies to control what each customer has access to. Your source should be the sslvpn+sslvpnaddress+usergroup and your destination should be the VPN interface and remote VPN subnet you want the users to have access to.

 

Should look something like this:

 

Lastly remember to add the company-a-sslpool address to your routes. For example, if I'm giving 10.1.1.0/24 addresses to my company-a ssl connections, I would create the following route on the FortiGate:

 

 

Once that's done repeat all steps (realm > portal > setting mappings > policy > route) for company-b and company-c.

 

Hope it helps!

syu
syuAuthor
New Member
October 8, 2015

Thanks alot for the detailed explanation!

 

I thought I tried some similiar configure but client failed to login and I indeed tried that. But I tried again, the same result.

 

Within the Forticlient, it prompts me that insufficient credential.

Within web browser, it tells me permission denied...

 

Fortigate is running v5.2.4,build688 (GA)

neonbit
neonbit
New Member
October 8, 2015

First step I would recommend trying is confirming that your authentication is working as intended. 

 

If you've configured the groups via LDAP, double check the common name identifier (CNI). Depending on what you've configured here and your AD settings, the usernames for SSL will either be 'jdoe' or 'John Doe'

 

 

The best way to test this is via the CLI. Use the diag test autheserver command to test a username and password and confirm it's working as intended.

 

The command is like this:

 

diag test authserver ldap <server_name> <username> <pwd>

 

For example, if I configure my CNI as 'cn' then my username is in the format of 'John Doe'

 

fortigate # diagnose test authserver ldap ad "John Doe" m4hpassword authenticate 'John Doe' against 'ad' succeeded! Group membership(s) - CN=SSL Users,OU=Groups,DC=example,DC=com

If I configure my CNI as 'sAMAccountName' then my username is in the format of 'jdoe'

 

fortigate # diagnose test authserver ldap ad jdoe m4hpassword authenticate 'jdoe' against 'ad' succeeded! Group membership(s) - CN=SSL Users,OU=Groups,DC=example,DC=com

 

If you're using RADIUS for authentication instead of LDAP then the command changes slightly:

 

fortigate # diagnose test authserver radius authenticator pap jdoe m4hpassword authenticate 'jdoe' against 'pap' succeeded, server=primary assigned_rad_session_id=549322410 assigned_admin_profile=SSL Users session_timeout=0 secs! Group membership(s) - SSL Users

If your authentication test is successful then the problem may lie elsewhere. If it's not working here then it's worth double checking your authentication server settings, credentials and firewall>authentication server connectivity.

Terms & ConditionsAccessibility statement