I am wondering how to achieve the following setup, which is really easy with IPSEC. For various unfortunate reasons it has to be done with SSL-VPN instead.
Client is FortiClient on various platforms, centrally managed by EMS (but I do not think EMS makes a difference here).
Clients get access to two tunnels. One tunnel is configured for split tunnelling, to allow the users to access their local printers and other local services, and the other is configured for full tunnelling, sending all traffic through the Fortigate.
People pick the appropriate tunnel in the FortiClient interface.
There are two portals set up, one is "full", the other is "split", and they are configured the same except "full" has split-tunneling set to disable.
I cannot figure out how to let the users pick the right SSL VPN portal in FortiClient. In IPSEC-VPN it is done by setting local-ID in the client and matching on that in the VPN gateway, but there does not appear to be anything like that in SSL VPN. I can set it up (config authentication rule) so that certain users get the "full" portal and the others get the "split" portal, but the whole point is to allow users to switch as required.
Is this a highly unusual requirement? What do you do?