| Description | This article explains the complete configuration required for SSL VPN split tunneling to work. |
| Scope | FortiGate. |
| Solution |
The setup involves the following configurations (Steps 1 to 3 below):
Note: A Central SNAT policy with the SSL VPN interface as the incoming interface is not required, as this is a split-tunnel configuration.
Step 1: SSL VPN settings and portal configuration:
The example below shows SSL VPN enabled under VPN -> SSL VPN Settings.
TCP port 8443 is the listening port, and Port1 is the internet-facing interface.
Split tunneling is enabled so that the routes pushed to the client match the policy destinations.
Step 2:
Note: Ensure that the specific subnet is specified as the destination; do not specify 'ALL'.
Step 3: SSL Inspection and Authentication policy
This step is important because only after this configuration will the internet-facing interface (port1) accept traffic on the defined SSL VPN port (TCP 8443).
Before this policy is configured, the local-in policy will not show the SSL VPN port (in this example, TCP 8443) as an accepted parameter, as shown below:
After configuring and enabling the SSL Inspection and Authentication policy:
Note: Another point to take note of is that the 'SSL Inspection and Authentication' policy should also be defined with the specific subnet as its destination. Specifying 'ALL' as the destination pushes the default route 0.0.0.0/0 to the user machine via FortiClient after connection; as a result, the SSL VPN user's internet traffic is sent to the FortiGate and split tunneling does not take effect.
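Because the screenshots for the steps above are not reproduced here, the following added example (written for this page, not Fortinet's own code or tooling) shows the same three pieces as FortiOS CLI text embedded in a small Python checker. The checker parses the 'config / edit / set / next / end' export format and flags the mistake the note above describes: an accept policy from the SSL VPN interface (ssl.root) whose destination is 'all', which would push 0.0.0.0/0 to the client. It assumes the SSL VPN policies appear under `config firewall policy` in the export; interface names, address objects, policy IDs and the portal name are constructed for the example.

```python
"""Audit a FortiOS configuration export for SSL VPN split-tunnel pitfalls.

Added example, not from the Fortinet KB article. All object names and
policy IDs below are constructed; the listening port (8443) and source
interface (port1) follow the article's example values.
"""
import re

# Constructed sample export. Policy 1 is correct (specific destination
# subnet); policy 2 reproduces the 'ALL' destination mistake the article
# warns about, which pushes 0.0.0.0/0 to the FortiClient user.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set port 8443
    set source-interface "port1"
    set source-address "all"
    set default-portal "split-portal"
end
config vpn ssl web portal
    edit "split-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
config firewall policy
    edit 1
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_10.10.10.0"
        set action accept
        set service "ALL"
    next
    edit 2
        set name "sslvpn-to-any"
        set srcintf "ssl.root"
        set dstintf "port1" "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def _tokens(line):
    """Split one FortiOS CLI line into tokens, honouring double-quoted values."""
    return [q or p for q, p in _TOKEN.findall(line)]

def parse_fortios(text):
    """Return {section_path: {entry_id: {key: [values]}}} for a config export.

    entry_id is None for keys set directly under a section (no 'edit')."""
    tree, stack = {}, []                      # stack holds (section_path, entry_id)
    for raw in text.splitlines():
        tok = _tokens(raw.strip())
        if not tok:
            continue
        if tok[0] == "config":
            stack.append((" ".join(tok[1:]), None))
        elif tok[0] == "edit":
            path, _ = stack.pop()
            stack.append((path, tok[1]))
        elif tok[0] == "set":
            path, entry = stack[-1]
            tree.setdefault(path, {}).setdefault(entry, {})[tok[1]] = tok[2:]
        elif tok[0] == "next":
            path, _ = stack.pop()
            stack.append((path, None))
        elif tok[0] == "end":
            stack.pop()
    return tree

def find_sslvpn_policies_with_any_destination(tree, sslvpn_intf="ssl.root"):
    """IDs of accept policies from the SSL VPN interface whose dstaddr includes 'all'."""
    return [pid for pid, a in tree.get("firewall policy", {}).items()
            if sslvpn_intf in a.get("srcintf", [])
            and a.get("action", ["deny"]) == ["accept"]     # FortiOS default action is deny
            and "all" in a.get("dstaddr", [])]

def portals_without_split_tunneling(tree):
    """Names of tunnel-mode portals where split-tunneling is not enabled."""
    return [name for name, a in tree.get("vpn ssl web portal", {}).items()
            if a.get("tunnel-mode") == ["enable"]
            and a.get("split-tunneling") != ["enable"]]

def sslvpn_listener(tree):
    """(listening TCP port, source interfaces) from 'config vpn ssl settings'."""
    s = tree.get("vpn ssl settings", {}).get(None, {})
    return int(s.get("port", ["443"])[0]), s.get("source-interface", [])

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    port, intfs = sslvpn_listener(cfg)
    print(f"SSL VPN listens on TCP {port} via {', '.join(intfs)}")
    for pid in find_sslvpn_policies_with_any_destination(cfg):
        print(f"policy {pid}: dstaddr 'all' from ssl.root; client gets 0.0.0.0/0, "
              "split tunneling will not take effect")
    for name in portals_without_split_tunneling(cfg):
        print(f"portal {name}: tunnel mode without split-tunneling enabled")
```

Run against a real `show full-configuration` export instead of `SAMPLE_CONFIG` to review a FortiGate before enabling the SSL Inspection and Authentication policy; the parser ignores sub-tables it does not need, so unrelated sections in the export are harmless.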
Copyright 2025 Fortinet, Inc. All Rights Reserved.