Contributor
June 18, 2008
Question

ssl.root interface

I am using version 3 MR 6 on a Fortigate 200 A and am trying to set up SSL VPN. From reading the document for MR6, they mention a new interface, ssl.root. Do I need to configure the firewall policies for ssl.root to get SSL VPN working?

    2 replies

    rwpatterson
    New Member
    June 18, 2008
    Yes, you do. The flow is as follows:
      • Policy from outside to ssl.root
      • Policy from ssl.root to inside entity
      • Static route back to ssl.root for SSL user group IP range
    Good luck
    Contributor
    June 18, 2008
    I have followed the above document for SSL VPN for setting the interfaces for ssl.root to get SSL VPN working, but it does not work. When I browse to https://<fortigate IP>:10443/remote, I get "page cannot be displayed". The wan1 interface is 217.154.171.2, the internal subnet is 172.16.0.0/21 and the SSL IP Range is 172.16.1.[240-254].

    I have enabled SSL VPN through VPN, SSL. Set the Tunnel IP Range. Set the certificate to self signed. Set the local user accounts. Set the user group and enabled for SSL_VPN Tunnel service. Added the local user account to the user group.

    I created the following firewall policies:
      • internal > ssl.root, internal subnet > SSL IP Range
      • ssl.root > internal, SSL_IP_Range > all
      • ssl.root > wan1, ssl_IP_Range > all
      • wan1 > internal, All > internal Subnet, Action: SSL_VPN, Allowed: User Group

    Also tried with and without the below policy:
      • wan1 > internal, SSL_IP > internal Subnet, Action: SSL_VPN

    When we browse to https://<fortigate IP>:10443/remote we get "page cannot be displayed". We have tried for 2/3 weeks to get this solved but we have had no luck. Are you please able to help?
    Contributor
    June 18, 2008
    I forgot to mention that I have set up the static route as well: destination network is internal subnet and destination interface is ssl.root.
    laf
    New Member
    June 20, 2008
    Did you try to look for 10443 on the equipment? Use this:
      diag sniffer packet <interface you want to sniff> "tcp port 10443"
    Tell us what you found.
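
As an added example (not part of the original thread and not Fortinet code): a Python check of the "static route back to ssl.root for SSL user group IP range" step, using the addresses quoted in the follow-up post. It lists the CIDR prefixes that exactly cover the SSL IP range and measures how far a given route destination extends beyond them; the function names are hypothetical.

```python
import ipaddress


def tunnel_route_prefixes(first, last):
    """Smallest list of CIDR prefixes that exactly covers first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_route_plan(tunnel_first, tunnel_last, internal_subnet, route_dst):
    """Compare a static-route destination with the SSL VPN tunnel range."""
    internal = ipaddress.ip_network(internal_subnet)
    route = ipaddress.ip_network(route_dst)
    prefixes = tunnel_route_prefixes(tunnel_first, tunnel_last)
    covered = all(p.subnet_of(route) for p in prefixes)
    tunnel_size = sum(p.num_addresses for p in prefixes)
    return {
        # Destinations that route exactly the tunnel range and nothing else.
        "prefixes": [str(p) for p in prefixes],
        # True when the tunnel range is carved out of the internal subnet.
        "tunnel_inside_internal": all(p.subnet_of(internal) for p in prefixes),
        # True when the route destination reaches every tunnel address.
        "route_covers_tunnel": covered,
        # Addresses the route sends to the same interface beyond the range.
        "extra_addresses": route.num_addresses - tunnel_size if covered else None,
    }


if __name__ == "__main__":
    # Values taken from the thread: SSL IP range 172.16.1.[240-254],
    # internal subnet 172.16.0.0/21, route destination = internal subnet.
    plan = check_route_plan("172.16.1.240", "172.16.1.254",
                            "172.16.0.0/21", "172.16.0.0/21")
    for key, value in plan.items():
        print(f"{key}: {value}")
```
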