jimmy10
New Contributor II

2 separate SSLVPNs with 2 separate SSL certificates

Hi,


I am trying to figure out if I can set up 2 separate SSLVPNs with 2 separate SSL certificates, but I am getting nowhere.

Is this possible?


funkylicious
SuperUser

Hi,

As far as I know, you cannot define 2 different certificates under the SSLVPN settings.

What you can do is define within the certificate 2 SANs resolving to the same IP address of the FGT listening on SSLVPN.


https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HTTPS-SSL-Certificate-Installati...

"jack of all trades, master of none"
ebilcari
Staff

Are you trying to configure two completely different SSL VPNs using two different public IPs and domains (URLs), or do you just need two URLs and certificates pointing to the same SSL VPN IP/interface?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
jimmy10
New Contributor II

Hi ebilcari,

I just need two URLs and certificates pointing to the same SSL VPN IP/interface.

ebilcari

Then the only possible way, as also suggested previously, is to use a single certificate with multiple SANs. This can be easily done in a private CA, but for publicly signed certificates it may be difficult to get.


In case you need separate SSL VPN configurations, you could also use VDOMs. It allows individual SSL VPN configurations for each VDOM in the FGT.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
localhost
Contributor III

Since FortiGate 7.0.2, it is possible to assign different certificates to different realms.

The realm must be assigned in the SSLVPN-Settings authentication rules.

If virtual-host-server-cert is not defined in the realm configuration, the certificate which is configured under vpn ssl settings is used.


config vpn ssl web realm
    edit "saml"
        set virtual-host "vpn1.company1.com"
        set virtual-host-only enable
    next
    edit "saml2"
        set virtual-host "vpn2.company1.com"
        set virtual-host-only enable
        set virtual-host-server-cert "vpn2.company1.com_2024"
    next
end


config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "AT_USERS_SAML" "AU_USERS_SAML"
            set portal "SSL_INT_PORTAL"
            set realm "saml"
        next
        edit 2
            set groups "AT_USERS_SAML" "AU_USERS_SAML"
            set portal "SSL_INT_PORTAL"
            set realm "saml2"
        next
    end
end
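As an added example (not from the thread or from Fortinet), a POSIX shell script assuming the openssl CLI is installed: it builds a CSR that carries both virtual-host names as SANs, the single-certificate approach funkylicious and ebilcari describe, and provides an SNI-based check to confirm which leaf certificate a realm's virtual host actually serves once virtual-host-server-cert is set. The hostnames vpn1.company1.com and vpn2.company1.com are taken from the config above; the IP 203.0.113.10 in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: build a CSR carrying both SSL VPN
# hostnames as SANs, and report which certificate a FortiGate serves per SNI.
# Hostnames come from the realm config in the thread; WORK is a temp dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate a private key and CSR whose SAN extension lists every
# virtual-host the FortiGate will answer for. Prints the CSR path.
make_multi_san_csr() {
    cn="$1"; shift
    sans=""
    for h in "$cn" "$@"; do
        sans="${sans:+$sans,}DNS:$h"
    done
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/sslvpn.key" -out "$WORK/sslvpn.csr" \
        -subj "/CN=$cn" -addext "subjectAltName=$sans" 2>/dev/null
    echo "$WORK/sslvpn.csr"
}

# List the DNS SANs embedded in a CSR, one per line, sorted.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -Eo 'DNS:[^, ]+' | sed 's/^DNS://' | sort
}

# Connect to the SSL VPN listener with a specific SNI and print the subject
# and SANs of the leaf certificate it served. Run it once per virtual-host
# to confirm each realm's virtual-host-server-cert is really picked up
# (a realm without one falls back to the cert under vpn ssl settings).
served_cert_for_sni() {
    ip="$1"; port="$2"; sni="$3"
    printf '' | openssl s_client -connect "$ip:$port" -servername "$sni" 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
}

# Usage (the s_client check needs a reachable FortiGate, so it is not run here;
# 203.0.113.10 is a placeholder address):
#   csr=$(make_multi_san_csr vpn1.company1.com vpn2.company1.com)
#   csr_sans "$csr"
#   served_cert_for_sni 203.0.113.10 443 vpn1.company1.com
#   served_cert_for_sni 203.0.113.10 443 vpn2.company1.com
```

If the two SNI checks return different subjects, the per-realm certificates are active; if both return the settings-level certificate, the realm is missing virtual-host-server-cert or the authentication rule is not bound to that realm.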
