Christopher, you are the BOSS! Now I can see them all. But I cannot find how to select which one clients will connect to (presently not an issue: when I go to https://my-forti:10443 I get then correct one; it is the only with a policy). Thank you Rodeca P.S. There were too much changes (hidings) in this v5 GUI: somewhat Apple-ish

I' ll do some research to understand all this. As I only have to see my SSL config only once a year (or less), I have time. Most of my VPN are IPsec. I' m not averse (well, a little) to changes but to " hidingness" . And perhaps a little " lazy" to changes as well. Thank you again, Rodeca

Hi if you like to confiure under 5.2.x a SSL VPN Portal I suggest to do it over CLI because it is easier and more visible how it works. Following has to be done: Basics Are: Address Object internal LAN net-lan-192.168.0.0-24 Address Object IP-Pool' s net-ip-pool-10.10.0.0-24 User user-1 (member of gr-ssl-vpn-tunnel / gr-ssl-vpn-portal Groupe gr-ssl-vpn-tunnel Groupe gr-ssl-vpn-portal NOTE To activate REALM Function activate position: System > Config > Features > Show More > SSL-VPN Realms After that you can find REALM under: VPN > SSL > Realms VPN SSL Settings Web Portal # config vpn ssl web portal # edit [Name of WebPortal " web-acces.local" ] # set tunnel-mode disable # set ipv6-tunnel-mode disable # set web-mode enable # set cache-cleaner disable # set host-check none # set limit-user-logins enable # set mac-addr-check disable # set os-check disable # set virtual-desktop disable # set auto-prompt-mobile-user-download disable # set display-bookmark enable # set user-bookmark enable # set config bookmark-group # set edit " Intranet-Kategorie" # set config bookmarks # set edit " Intranet" # set set description " Intranet Site" # set set url " www.mydomain.intra" # set end # set display-connection-tools enable # set display-forticlient-download disable # set display-history enable # set display-history-limit 10 # set display-status enable # set heading " Welcome to mydomain.ch" # set page-layout double-column # unset redir-url # set theme blue # set custom-lang en # end VPN SSL Settings Tunnel Mode # config vpn ssl web portal # edit [Name of the Portal " tunnel-acces.local" ] # set tunnel-mode enable # set ipv6-tunnel-mode disable # set web-mode disable # set cache-cleaner disable # set host-check none # set limit-user-logins enable # set mac-addr-check disable # set os-check disable # set virtual-desktop disable # set ip-mode range # set auto-connect disable # set keep-alive enable # set save-password enable # set ip-pools [Address Object for IP Pool SSL VPN exampel " net-ip-pool-10.10.0.0-24" ] # set split-tunneling enable # set split-tunneling-routing-address [Address Object for destination LAN example " net-lan-192.168.0.0-24" ] # set dns-server1 [IPv4 Addresse for DNS Server] # set dns-server2 0.0.0.0 # set wins-server1 0.0.0.0 # set wins-server2 0.0.0.0 # end VPN SSL Settings Realm # config vpn ssl web realm # edit [Name of Realm example " tunnel" ] # set max-concurrent-user 100 # set login-page " <html> <head> <meta http-equiv=\" Content-Type\" content=\" text/html; charset=UTF-8\" > <title> login </title> <meta http-equiv=\" Pragma\" content=\" no-cache\" > <meta http-equiv=\" cache-control\" content=\" no-cache\" > <meta http-equiv=\" cache-control\" content=\" must-revalidate\" > <link href=\" /sslvpn/css/login.css\" rel=\" stylesheet\" type=\" text/css\" > <script type=\" text/javascript\" > if (top && top.location != window.location) top.location = top.location; if (window.opener && window.opener.top) { window.opener.top.location = window.opener.top.location; self.close(); } </script> </head> <body class=\" main\" > <center> <table width=\" 100%\" height=\" 100%\" align=\" center\" class=\" container\" valign=\" middle\" cellpadding=\" 0\" cellspacing=\" 0\" > <tr valign=middle> <td> <form action=\" %%SSL_ACT%%\" method=\" %%SSL_METHOD%%\" name=\" f\" autocomplete=\" off\" > <table class=\" list\" cellpadding=10 cellspacing=0 align=center width=400 height=180> <tr class=\" dark\" > <td colspan=2> <b> <br> WARNING: <br> <p style=\" text-align:justify; margin-left:0px; margin-right:0px\" > You must have prior authorization to login to this system. All connections are logged and monitored. By login to this system you fully consent to all monitoring. Unauthorized login or use will be prosecuted to the full extent of the law. You have been warned! </p> <br> </b> </td> </tr> %%SSL_LOGIN%% <tr> <td> </td> <td id=login> <input type=button name=login_button id=login_button value=\" Login\" onClick=\" try_login()\" border=0> </td> </tr> </table> %%SSL_HIDDEN%% </form> </td> </tr> </table> </center> </body> <script> document.forms[0].username.focus(); </script> </html>" # end VPN SSL Settings # config vpn ssl settings # set reqclientcert disable # set sslv2 disable # set sslv3 enable # set tlsv1-0 enable # set tlsv1-1 enable # set tlsv1-2 enable # set ssl-big-buffer disable # set ssl-insert-empty-fragment enable # set ssl-client-renegotiation disable # set force-two-factor-auth disable # set servercert self-sign # set algorithm default # set idle-timeout 1800 # set auth-timeout 28800 # set auto-tunnel-static-route disable # set tunnel-ip-pools [Address Object for IP Pool SSL VPN example" net-ip-pool-10.10.0.0-24" ] # set dns-server1 [IPv4 Addresse for DNS Server] # #set dns-server2 0.0.0.0 # #set wins-server1 0.0.0.0 # #set wins-server2 0.0.0.0 # set route-source-interface disable # set url-obscuration disable # set http-compression disable # set http-only-cookie enable # set port 10443 # set port-precedence enable # set auto-tunnel-static-route disable # set source-interface [Interface Definition for SSL Listening example " wan1" ] # set source-address [Definition Address Object or " all" ] # set source-address-negate disable # unset source-address6 # set default-portal " web-access.intra" # config authentication-rule # edit 1 # set source-interface [Interface ISP example " wan1" ] # set source-address [Definition Address Object or " all" ] # set source-address-negate disable # unset source-address6 # set source-address6-negate disable # set groups " gr-ssl-vpn-tunnel" # set portal " tunnel-acces.local" # set realm tunnel # set client-cert disable # set cipher any # set auth local # next # edit 2 # set source-interface " wan1" # set source-address " all" # set source-address-negate disable # unset source-address6 # set source-address6-negate disable # set users local # set groups " gr-ssl-vpn-portal" # set portal " web-acces.local" # unset realm # set client-cert disable # set cipher any # set auth local # next # end # end At least implement a Firewall Policy Rule: hope this helps have fun Andrea

My apologies. I am presently working on other matters and the SSL problem was not an urgent issue: I don' t know why my present configuration works, but it works. Although I appreciate very much all your work (thank you too, Andrea), I haven' t now the time for analyzing it and testing it. And applying it: in fact, I' ll have to reconfigure my present VPNs to adapt it to the new fortios. But it' ll not be before a week or more. Regards Ro