|
Step 1: Create a local user on the FortiGate.
Navigate below:
To create users from the GUI:
- Select User & Authentication then go to User definition.
- Select + create new.
- Enter the user name, then enter the password and select OK.
Step 2: SSL VPN User Groups:
- Go to User & Authentication -> User Group.
- Select + Create new and enter the name, then select Next.
- Add the user to the member list.
- Select OK.
Step 3: SSL VPN portal settings:
- If the tunnel is full access, then disable the split tunnel (in that case the internet traffic from the user will also reach the FortiGate).
- If the user wants access to only the internal server, it must only have the LAN enabled on the split tunnel.
- In the source IP pools, enter the SSL VPN address (the source pool on the SSL VPN portal takes precedence over the source pool present in the SSL VPN settings).
- Select OK.
Step 4:
- Enter the listing port (internet link).
- Enter the listen port (like 443).
- Choose the server certificate.
- Enter the SSL address Range (tunnel address 10.212.134.200-10.212.134.230).
- Add the SSL VPN users and Groups under the Authentication/portal mapping.
Note the port 443 for FortiGate GUI access, then use a different custom port for the SSL VPN listen port.
Step 5:
- Create a policy and SSL VPN into the internet.
- SSL VPN to the LAN network.
The same thing needs to create a policy for SSL VPN to LAN.
Step 6: FortiClient setting.
Note:
After connecting the VPN successfully, the Tunnel users will receive IPs in the range of 10.212.134.200 - 10.212.134.230.
Useful commands:
get vpn ssl monitor
diagnose vpn ssl list
diagnose firewall auth list
dia vpn ssl statistics
exec vpn sslvpn list
get system status
diag vpn ssl stats
Useful commands for SSL VPN connection troubleshooting:
diag debug application fnbamd -1
diag debug application sslvpn -1
diag debug enable
Related document:
SSL VPN full tunnel for remote user
|
