FortiGate
ChrisTan
Staff
Article Id 223709
Description This article describes how to allow SSL VPN access to multiple VDOMs.
Scope FortiGate.
Solution

[Image: network topology of the example setup]

In this example, VDOM-A, VDOM-B and VDOM-C all reach the internet through the Root VDOM over vdomlink interfaces.


The requirement is to allow a specific user group to reach each VDOM's internal subnets via SSL VPN, with each VDOM's SSL VPN handled separately.


To make this work, follow these steps:

  1. Set up SSL VPN on each internal VDOM:

[Image: SSL VPN settings on an internal VDOM]

Set the vdomlink interface as the Listen on Interface and use a different port for each VDOM. For example, VDOM-A on port 6443, VDOM-B on port 5443 and VDOM-C on port 4443. Create the SSL VPN firewall policy accordingly.


Note:
From 7.4.1 and above, SSL VPN is disabled by default. Refer to update-ssl-vpn-default-behavior-and-visibility-in-the-gui-7-4-1 for more information.

SSL VPN support depends on the firmware version:

  • In v7.6.0 and above, SSL VPN is not supported on physical FortiGate devices with 2GB RAM or less. See the notice 'SSL VPN removed from 2GB RAM models for tunnel and web mode'.
  • In v7.6.3 and above, SSL VPN tunnel mode is not supported for any FortiGate model. In these firmware versions, SSL VPN web mode is renamed to 'Agentless VPN'.
  • The solution is to migrate to IPsec VPN and use IPsec instead of SSL VPN. To migrate to IPsec, see 'Migration from SSL VPN tunnel mode to IPsec VPN 7.6.3 - FortiGate 7.6.0 documentation'.


  2. On the Root VDOM, create a VIP for each vdomlink:

[Image: VIP configuration on the Root VDOM]

  3. On the Root VDOM, create a VIP policy for each SSL VPN VDOM:

[Image: firewall policy using the VIP on the Root VDOM]

Users in each group can now access their VDOM's internal subnets via SSL VPN.

[Image: SSL VPN connection to a VDOM]
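The following CLI configuration is an added worked example of the three steps above for VDOM-A; it is not the article's own configuration and the screenshots above are the authoritative reference. All names and addresses are assumptions: the vdomlink is called vlink-a with vlink-a1 (10.255.1.1/30) in root and vlink-a0 (10.255.1.2/30) in VDOM-A, the WAN interface is wan1 with public IP 203.0.113.10, VDOM-A's LAN is on port3 (192.168.10.0/24), and the user group grp-a already exists in VDOM-A. Routing between the VDOMs is assumed to be in place already, as the article's topology states. The same blocks are repeated for VDOM-B (port 5443) and VDOM-C (port 4443) with their own vdomlinks and VIPs. Lines starting with # are annotations, not CLI commands.

```fortios
# Global: create the inter-VDOM link and move one end into VDOM-A (assumed names/addresses)
config global
    config system vdom-link
        edit "vlink-a"
            set type ethernet
        next
    end
    config system interface
        edit "vlink-a1"
            set vdom "root"
            set ip 10.255.1.1 255.255.255.252
        next
        edit "vlink-a0"
            set vdom "VDOM-A"
            set ip 10.255.1.2 255.255.255.252
        next
    end
end

# Step 1 (VDOM-A): SSL VPN listens only on the vdomlink end, on port 6443
config vdom
    edit VDOM-A
        config firewall address
            edit "VDOM-A_LAN"
                set subnet 192.168.10.0 255.255.255.0
            next
        end
        config vpn ssl settings
            set servercert "Fortinet_Factory"
            set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
            set source-interface "vlink-a0"
            set source-address "all"
            set default-portal "web-access"
            set port 6443
            config authentication-rule
                edit 1
                    set groups "grp-a"
                    set portal "full-access"
                next
            end
        end
        # SSL VPN policy: only grp-a, only into this VDOM's own LAN
        config firewall policy
            edit 1
                set name "sslvpn-grp-a-to-lan"
                set srcintf "ssl.VDOM-A"
                set dstintf "port3"
                set srcaddr "SSLVPN_TUNNEL_ADDR1"
                set dstaddr "VDOM-A_LAN"
                set groups "grp-a"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
end

# Steps 2 and 3 (root): port-forward VIP to the vdomlink address, plus the policy that uses it
config vdom
    edit root
        config firewall service custom
            edit "SSLVPN-VDOM-A-6443"
                set tcp-portrange 6443
            next
        end
        config firewall vip
            edit "vip-sslvpn-vdom-a"
                set extintf "wan1"
                set extip 203.0.113.10
                set mappedip "10.255.1.2"
                set portforward enable
                set protocol tcp
                set extport 6443
                set mappedport 6443
            next
        end
        config firewall policy
            edit 10
                set name "wan-to-sslvpn-vdom-a"
                set srcintf "wan1"
                set dstintf "vlink-a1"
                set srcaddr "all"
                set dstaddr "vip-sslvpn-vdom-a"
                set action accept
                set schedule "always"
                set service "SSLVPN-VDOM-A-6443"
                set nat disable
            next
        end
    next
end
```

Two points a practitioner will want to check. The root policy uses a custom service restricted to TCP 6443 rather than ALL, so only the SSL VPN port is forwarded into VDOM-A; and it is configured with nat disable, so the SSL VPN server in VDOM-A sees the real client address rather than the root VDOM's vdomlink address, which keeps the per-VDOM SSL VPN logs and any source-address restrictions meaningful. Each VDOM's SSL VPN policy binds to its own ssl.<vdom> interface and its own user group, so a user authenticated to VDOM-A's portal cannot reach VDOM-B's subnets.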