burger87
New Member
November 17, 2017
Question

SSLVPN for multiple user groups

  • 15976 views

Hi guys,
I'm currently configuring a Fortigate VM with evaluation license on FortiOS 5.4.4, so I can't log a ticket. I have the following SSLVPN requirements.
1) Total of 3 user groups

2) Each user group is restricted to establishing SSLVPN from a different set of public IPs, with different access permissions. Eg:

- Group A can only connect SSLVPN from source IP 1.1.1.1 with full access.

- Group B can only connect SSLVPN from source IP 2.2.2.2 with web mode access only.

- Group C can only connect SSLVPN from source IP 3.3.3.3 with tunnel mode access only.

3) Enable split tunneling so remote users can still access internet via their own gateway.
I'm currently using this guide as a reference. However, I can't seem to get past Step 5 (creating firewall policies for SSLVPN). I can configure a policy for SSL > LAN with the source IP as mentioned above, but only one policy and nothing more. Trying to create a second SSLVPN policy just prompts me with a "Some changes failed to save" error.
My first SSLVPN policy is this:

        config firewall policy
            edit 0
                set name "Group A SSLVPN"
                set srcintf "ssl.root"
                set dstintf "LAN"
                set srcaddr "GrpA_Public"
                set dstaddr "LAN_IP"
                set action accept
                set schedule "always"
                set service "ALL"
                set utm-status enable
                set groups "GroupA"
                set ips-sensor "all_default"
                set nat enable
            next
        end
I can't create an SSL > WAN policy as defined in the guide since I'm using split tunneling (cannot set the destination address as "all"), nor am I able to create another SSL > LAN policy for Group B. Any idea what is wrong?

    2 replies

    emnoc
    New Member
    November 17, 2017

    - Group A can only connect SSLVPN from source IP 1.1.1.1 with full access.
    - Group B can only connect SSLVPN from source IP 2.2.2.2 with web mode access only.
    - Group C can only connect SSLVPN from source IP 3.3.3.3 with tunnel mode access only.

    Can you explain source address? Typically the SSLVPN client comes from any source, so we control it (the user) by user and auth group.
    Have you also looked at realms? This will allow you to set various realms, and you can tie the web portal per realm.
    Ken

    Toshi_Esumi
    SuperUser
    November 17, 2017

    I don't think you can specify the source-address(es) per authentication-rule for separate user-groups. It's per system or per VDOM. You can only list all three together once you have defined them under "config firewall address" and/or "config firewall addrgrp". You would understand this when you get into the CLI and go to "config vpn ssl settings", then type "show full" or "get".

    emnoc
    New Member
    November 17, 2017

    I don't think you can specify the source-address(es) per authentication-rule for separate user-groups.
    Again, you need the CLI command and SSL VPN settings. Here's a blog on SSLVPN realms I did. It was mainly because my client needed multiple portals based on numerous users that spoke multiple languages.
    http://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html
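
    Below is an added example (not from this thread, the linked blog, or Fortinet's documentation) that puts Toshi_Esumi's point and the realm suggestion above into one FortiOS 5.4-style CLI configuration. It assumes object names that are not all in the thread: "GrpB_Public", "GrpC_Public", an address group "SSLVPN_Sources", the default pool "SSLVPN_TUNNEL_ADDR1", an outside interface "wan1" and realm names "groupa", "groupb", "groupc". Because the source-address filter in 5.4 is global to the VPN settings, the three office IPs are allowed as one group at the SSL VPN level, and the separation between groups is done by authentication rule, portal and the user group on each firewall policy. The policies use the tunnel pool as srcaddr on the assumption that packets arriving on ssl.root carry the tunnel IP, not the office public IP.

```text
# Added example, FortiOS 5.4 CLI syntax. Assumed names: GrpB_Public, GrpC_Public,
# SSLVPN_Sources, SSLVPN_TUNNEL_ADDR1 (built-in pool), wan1, groupa/groupb/groupc.

# 1. One address object per office, grouped for the global source filter
config firewall address
    edit "GrpA_Public"
        set subnet 1.1.1.1 255.255.255.255
    next
    edit "GrpB_Public"
        set subnet 2.2.2.2 255.255.255.255
    next
    edit "GrpC_Public"
        set subnet 3.3.3.3 255.255.255.255
    next
end
config firewall addrgrp
    edit "SSLVPN_Sources"
        set member "GrpA_Public" "GrpB_Public" "GrpC_Public"
    next
end

# 2. Built-in portals; split tunneling only pushes the LAN route to the client
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_IP"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
    edit "web-access"
        set tunnel-mode disable
        set web-mode enable
    next
    edit "tunnel-access"
        set tunnel-mode enable
        set web-mode disable
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_IP"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 3. Realms (CLI only in 5.4): each group logs in at https://<fortigate>/<realm>
config vpn ssl web realm
    edit "groupa"
    next
    edit "groupb"
    next
    edit "groupc"
    next
end

# 4. VPN settings: source-address is one global list; rules map group -> portal
config vpn ssl settings
    set source-interface "wan1"
    set source-address "SSLVPN_Sources"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "GroupA"
            set portal "full-access"
            set realm "groupa"
        next
        edit 2
            set groups "GroupB"
            set portal "web-access"
            set realm "groupb"
        next
        edit 3
            set groups "GroupC"
            set portal "tunnel-access"
            set realm "groupc"
        next
    end
end

# 5. One ssl.root -> LAN policy per group; the group on the policy is what
#    separates them, the pool is the source the FortiGate actually sees
config firewall policy
    edit 0
        set name "Group A SSLVPN"
        set srcintf "ssl.root"
        set dstintf "LAN"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_IP"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "GroupA"
    next
    edit 0
        set name "Group C SSLVPN"
        set srcintf "ssl.root"
        set dstintf "LAN"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_IP"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "GroupC"
    next
end
```

    A Group B policy follows the same shape with set groups "GroupB". The per-office restriction in the original requirement (Group A only from 1.1.1.1) is not expressed here, since the 5.4 settings have no per-rule source-address; what this configuration enforces is that logins are accepted only from the three office IPs, and that each group lands on its own portal. After applying it, "show full" under config vpn ssl settings should list SSLVPN_Sources as the single source-address entry.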
    burger87 (Author)
    New Member
    November 17, 2017

    Hi Emnoc, thanks for your response. For example, Office A's public IP is 1.1.1.1, and the users in Office A belong to Group A. So I would restrict Group A's users to be able to SSLVPN from 1.1.1.1 only.

    If any user in Group A goes to Office B, with a public IP of 2.2.2.2, and tries to SSLVPN, it would be denied.
    How do I go about configuring realms? I don't see this option in 5.4.4. Able to point me to some guides?