| Description |
This article describes an expected behavior: when SSL VPN portals are set to allow tunnel mode access only and not web mode access, users still receive the SSL VPN login web page when browsing to the URL https://<FortiGate-ip>:<ssl-vpn-port-number>.
This article describes how to prevent the SSL VPN web portal from being displayed to users when SSL VPN web mode is disabled. |
| Scope |
FortiGate. |
| Solution |
Migration Note: SSL VPN tunnel mode is removed in FortiOS v7.6.3 and later. Migration to dialup IPsec VPN for remote access is recommended. See Introduction
Some FortiGate models have SSL VPN tunnel and web mode removed in certain firmware versions. For example, F series models with 2GB of memory have SSL VPN removed in v7.6.0. See this KB article Technical Tip: SSL VPN support on FortiGate models for more information.
Disabling SSL VPN web mode: Disabling SSL VPN web mode per portal is possible, but it does not disable the login page in the browser.
    config vpn ssl web portal
        edit <portal name>
            set web-mode disable    <----- Unset web-mode.
        next
    end
Even after disabling SSL VPN web mode from the desired SSL VPN portal, users still receive the SSL VPN web portal login page by default. This can be disabled with the following methods.
Method 1: Disable SSL VPN web mode globally (v7.4.2 and above): If SSL VPN web mode was already disabled on all portals, SSL VPN web mode can then be disabled globally with:

    config system global
        set sslvpn-web-mode disable
    end
When running FortiOS v7.4.2 or above, this is the recommended method to disable the web mode login page. Refer to the article Technical Tip: How to disable SSL VPN web-mode globally
This issue is resolved in FortiClient macOS v7.0.12, v7.2.4, and v7.4.0. The workaround is to use one of the other methods to disable SSL VPN web mode page below, or use the external browser for SAML login on FortiClient: Use a browser as an external user-agent for SAML authentication in an SSL VPN connection.
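The precondition for Method 1 (web mode already disabled on every portal) can be checked offline against a saved configuration. The following is an added example, not part of the original article or any Fortinet tooling: the function name and the sample configuration are constructed, and it assumes the input is `show full-configuration` style output (so every setting is explicit) without multi-line quoted values.

```python
import re

# Constructed sample in the layout of "show full-configuration" output.
SAMPLE_CONFIG = '''
config system global
    set sslvpn-web-mode enable
end
config vpn ssl web portal
    edit "tunnel-only"
        set web-mode disable
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "full-access"
        set web-mode enable
    next
end
'''

def audit_web_mode(config_text):
    """Report per-portal web-mode and the global sslvpn-web-mode setting."""
    stack, portal, global_mode, portals = [], None, None, {}
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            del stack[-1:]  # close the innermost open block, if any
        elif len(stack) != 1:
            continue  # skip nested blocks such as bookmark groups
        elif stack[0] == "vpn ssl web portal":
            m = re.match(r'edit "?([^"]+)"?$', line)
            if m:
                portal = m.group(1)
                portals[portal] = None  # None = setting not shown
            elif line == "next":
                portal = None
            elif portal and line.startswith("set web-mode "):
                portals[portal] = line.split()[-1]
        elif stack[0] == "system global" and line.startswith("set sslvpn-web-mode "):
            global_mode = line.split()[-1]
    # A portal counts as safe only when web-mode is explicitly "disable".
    not_disabled = sorted(p for p, v in portals.items() if v != "disable")
    return {"portals_not_disabled": not_disabled,
            "global_web_mode": global_mode,
            "ready_for_global_disable": bool(portals) and not not_disabled}
```

For the constructed sample, the result lists `full-access` as the portal that still has web mode enabled, so the global setting should not be changed yet.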
Method 2: FortiGate GUI (v7.4.1 and below):
Remove the HTML <body> section of the SSL VPN login page replacement message by following the steps below:
On the FortiGate GUI, navigate to System -> Replacement Messages -> SSL-VPN section.
Select to edit 'SSL-VPN Login Portal'.
In the text/HTML format, select the body part, delete it, and save the configuration.
Note: Remove the %%SSL_HIDDEN%% from the HTML body. Afterward, make sure the HTML code looks like the following:

    <!DOCTYPE html>
    <html lang="en" class="main-app">
    <head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=8; IE=EDGE">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="apple-itunes-app" content="app-id=1475674905">
    <link href="/styles.css" rel="stylesheet" type="text/css">
    <link href="/css/legacy-main.css" rel="stylesheet" type="text/css">
    </head>
    </html>
After deleting the body portion from the HTML message, a blank white page is displayed.
Reattempt to access the SSL VPN web page, and users will be directed to a blank white page. Additionally, if inspecting the page, it is possible to see that no login scripts are being called into action.
To revert this change if there is a need to enable SSL VPN web mode, follow the steps below:
From GUI -> System -> Replacement Messages -> Select to edit SSL-VPN Login Page -> Select 'Restore Defaults'.
The SSL VPN web portal will be restored and will be displayed to SSL VPN users.
Note: Restarting the SSL VPN Daemon triggers the SSL VPN Login page to change to the default values.
Method 3: FortiGate CLI (FortiOS v7.4.1 and below):
To remove the SSL VPN web page, apply the following configuration:
    config system replacemsg sslvpn sslvpn-login
        set buffer " "
    end
To restore the SSL VPN web page, apply the following configuration:
    config sys replacemsg sslvpn sslvpn-login
        unset buffer
    end
Related articles: Technical Tip: Hardening FortiGate SSL VPN - Best Practices for Enhanced Security |