FortiGate
mkirollos
Staff
Article Id 215905
Description

This article describes the case where the SSL VPN portal is configured to allow tunnel access only, with web access disabled, yet users who browse to https://<FortiGate-ip>:<ssl-vpn-port-number> still receive the SSL VPN web login portal.

It also describes how to prevent the SSL VPN web portal from being displayed to users when SSL VPN web mode is disabled.

Scope

FortiGate.

Solution

Even after disabling SSL VPN web mode in the desired SSL VPN portal, users still receive the SSL VPN web portal login page.

Method 1: FortiGate GUI (FortiOS 7.4.1 and below):

Remove the HTML <body> section of the SSL VPN login page replacement message by following the steps below:

On FortiGate GUI, navigate to System -> Replacement Messages -> SSL-VPN section.

Select to edit 'SSL-VPN Login Portal'.

In the text/html editor, select the <body> section, delete it, and save the configuration.

Note: Remove the %%SSL_HIDDEN%% tag from the HTML body as well.

Afterward, make sure the HTML looks like the following:

<!DOCTYPE html>
<html lang="en" class="main-app">
  <head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=8; IE=EDGE">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="apple-itunes-app" content="app-id=1475674905">
    <link href="/styles.css" rel="stylesheet" type="text/css">
    <link href="/css/legacy-main.css" rel="stylesheet" type="text/css">
  </head>
</html>

After deleting the body portion from the HTML message, a white blank page is displayed.

Reattempt to access the SSL VPN web page: users are now directed to a blank white page. Additionally, inspecting the page shows that no login scripts are loaded.

To revert this change if there is a need to enable SSL VPN web mode, follow the steps below:

From GUI -> System -> Replacement Messages -> Select to edit SSL-VPN Login Page -> Select 'Restore Defaults'.

The SSL VPN web portal will be restored and will display to SSL VPN users.

Note: Restarting the SSL VPN daemon resets the SSL VPN login page to its default values.

Method 2: FortiGate CLI (FortiOS 7.4.1 and below):

To remove the SSL VPN web page, run the following commands:

FGT # config sys replacemsg sslvpn sslvpn-login
FGT (sslvpn-login) # set buffer " "
FGT (sslvpn-login) # end

To restore the SSL VPN web page, run the following commands:

FGT # config sys replacemsg sslvpn sslvpn-login
FGT (sslvpn-login) # unset buffer
FGT (sslvpn-login) # end

Method 3: Disable the SSL VPN web mode globally (FortiOS v7.4.2 and above):

Refer to the following article:

Technical Tip: How to disable SSL VPN web-mode globally

Note: Disabling web mode globally causes the browser to receive a 403 Forbidden page when users try to access the login page. This breaks the FortiClient internal browser's ability to load SAML (Security Assertion Markup Language) login pages, as documented in known issue ID 0996693.

The workarounds are either to use Method 1 or 2, or to use an external browser for SAML login on FortiClient:

Use a browser as an external user-agent for SAML authentication in an SSL VPN connection

This issue has been fixed in FortiClient (macOS) 7.0.12, 7.2.4, and 7.4.0. FortiClient for Windows does not have this issue patched yet.
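The article relies on visual inspection to confirm the outcome of each method: a blank page with no login scripts after Method 1 or 2, and a 403 Forbidden response after Method 3. The following script, an added example written for this article and not FortiGate or FortiClient code, automates that check so an administrator can verify the SSL VPN landing response after a change (or after a daemon restart, which the note above says resets the login page). It parses the returned HTML for the indicators of a live login portal (a <body> with content, <script>, <form> and <input> elements, and the %%SSL_HIDDEN%% tag) and classifies the response. The verdict names, the blank-page sample (copied from the expected HTML above) and the mock portal (a constructed stand-in with placeholder paths, not Fortinet's real markup) are all assumptions of this example.

```python
"""Classify a FortiGate SSL VPN landing response after a web-mode change.

Added example for this article; not FortiGate or FortiClient code.
Verdict names are constructed for this example:
  'forbidden'       - HTTP 403, web mode disabled globally (Method 3)
  'blank-page'      - no <body> content, scripts, forms, inputs or
                      %%SSL_HIDDEN%% tag (Methods 1 and 2)
  'portal-exposed'  - a login portal is still being served
"""
from html.parser import HTMLParser
import urllib.error
import urllib.request

SSL_HIDDEN_TAG = "%%SSL_HIDDEN%%"


class _PortalScanner(HTMLParser):
    """Collects the elements that indicate a live login portal."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # src of each <script>, or "inline"
        self.forms = 0
        self.inputs = 0
        self.body_text = []    # non-blank text found inside <body>
        self._in_body = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body":
            self._in_body = True
        elif tag == "script":
            self.scripts.append(attrs.get("src", "inline"))
        elif tag == "form":
            self.forms += 1
        elif tag == "input":
            self.inputs += 1

    def handle_endtag(self, tag):
        if tag == "body":
            self._in_body = False

    def handle_data(self, data):
        if self._in_body and data.strip():
            self.body_text.append(data.strip())


def scan_portal_html(html):
    """Summarise the login-portal indicators present in the HTML."""
    scanner = _PortalScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "scripts": scanner.scripts,
        "forms": scanner.forms,
        "inputs": scanner.inputs,
        "body_text": scanner.body_text,
        "ssl_hidden": SSL_HIDDEN_TAG in html,
    }


def assess_portal(status_code, html):
    """Map an HTTP status and body to one of the verdicts above."""
    if status_code == 403:
        return "forbidden"
    s = scan_portal_html(html)
    exposed = s["scripts"] or s["forms"] or s["inputs"] or s["body_text"] or s["ssl_hidden"]
    return "portal-exposed" if exposed else "blank-page"


def assess_live(url, cafile=None, timeout=5):
    """Fetch the SSL VPN landing URL and classify it. Pass the CA file that
    signed the FortiGate certificate; TLS verification stays enabled."""
    import ssl
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return assess_portal(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return assess_portal(err.code, err.read().decode("utf-8", "replace"))


# Expected result of Method 1/2: the HTML shown in the article above.
BLANK_PAGE_HTML = """<!DOCTYPE html>
<html lang="en" class="main-app">
  <head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=8; IE=EDGE">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="apple-itunes-app" content="app-id=1475674905">
    <link href="/styles.css" rel="stylesheet" type="text/css">
    <link href="/css/legacy-main.css" rel="stylesheet" type="text/css">
  </head>
</html>"""

# Constructed mock of a still-exposed portal; paths are placeholders.
CONSTRUCTED_PORTAL = """<!DOCTYPE html>
<html><head><title>Login</title></head>
<body>
<form method="post" action="/example/login-handler">
<input name="username"><input type="password" name="credential">
</form>
<script src="/example/login.js"></script>
%%SSL_HIDDEN%%
</body></html>"""

if __name__ == "__main__":
    print(assess_portal(200, BLANK_PAGE_HTML))      # blank-page
    print(assess_portal(403, "<html></html>"))      # forbidden
    print(assess_portal(200, CONSTRUCTED_PORTAL))   # portal-exposed
```

Run `assess_live("https://<FortiGate-ip>:<ssl-vpn-port-number>/", cafile="path/to/ca.pem")` against the real portal; a `portal-exposed` verdict after applying Method 1 or 2 is the signal that the replacement message has reverted to its defaults.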