I am wondering how to achieve the following setup, which is really easy with IPSEC. For various unfortunate reasons it has to be done with SSL-VPN instead.
Client is FortiClient on various platforms, centrally managed by EMS (but I do not think EMS makes a difference here).
Clients get access to two tunnels. One tunnel is configured for split tunnelling, to allow the users to access their local printers and other local services, and the other is configured for full tunnelling, sending all traffic through the Fortigate.
People pick the appropriate tunnel in the FortiClient interface.
There are two portals set up, one is "full", the other is "split", and they are configured the same except "full" has split-tunneling set to disable.
I cannot figure out how to let the users pick the right SSL VPN portal in FortiClient. In IPSEC-VPN it is done by setting local-ID in the client and matching on that in the VPN gateway, but there does not appear to be anything like that in SSL VPN. I can set it up (config authentication rule) so that certain users get the "full" portal and the others get the "split" portal, but the whole point is to allow users to switch as required.
Is this a highly unusual requirement? What do you do?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi I think the easyiest way to achive this in SSL VPN, is to use Realms. https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/724772/ssl-vpn-multi-realm
________________________________________________________
--- NSE 4 ---
________________________________________________________
I read the realm documentation, and it is quite possible that I am being obtuse.
However, from my reading, every user can belong to precisely one realm. That is not helpful for me, unfortunately. I am trying to let the user make the decision about which realm to join, when they start the FortiClient SSL VPN connection.
I accomplish that with IPSEC VPN by providing two separate tunnels that the user can choose between in FortiClient. Each tunnel has a specific local ID which I can match in the Fortigate VPN configuration. I can provide multiple SSL tunnels in the FortiClient as well, but the Fortigate has no way to distinguish between which one the user picked.
Yes, but you can have same user group(s) on different realms. We have this in place and same user can select one of the two sslvpn profiles in forticlient.
________________________________________________________
--- NSE 4 ---
________________________________________________________
I am still confused, thank you for being patient.
How does the Fortigate know which SSLVPN client profile the user selected in FortiClient? What does it match on? Where do I configure this?
config vpn ssl web portal does not mention realms.
config web ssl realm does not seem to have relevant parameters.
no Problem, but there are other limitations I've found if you want same user in split and none split setup I assume on split setup, you have a policy sslvpn interface->user(group)->wan->destination any If so, you can't have the same user(group) in split and none split setup because of destination any (FG will not allow that) But it seems, that the same user can be in different groups, and this could do the trick you have your two portals (split none split) create two user groups let's say split and nosplit and put the user in both groups then crate a realm let's say /split (this will be the decision for forticlient/portalmapping) in the portal mapping page map the split group to the /split realm and the split portal map the nosplit group to the default realm and to the no split portal (or vice versa, as you prefer) in ems create (or clone) a second ssl vpn connection e.g. like split, with your sslvpn url or ip, but add /split to the url in forticlient you can then choose "normal" vpn or split (the realm /split will the redirect users to the split portal) We had the same issue, as some services are "whitelistet" with the FG Pat address, but I doesn't want that all traffic will be routed to the Firewall (as of lot more homeoffice then usual and this will probaly fill up our least line). So I've made exactly this setup, I've different groups (could be local or ad) mapped tho different protals / realms. Without realms and user in different groups, not always the right portal is mapped. Hope it helps
________________________________________________________
--- NSE 4 ---
________________________________________________________
So in FortiClientEMS, where it says Remote Gateway, you can actually input not just an address but also a realm? On the form vpn.mycompany.com/split?
I am going to try that!
Created on 05-14-2020 08:31 AM
I am hitting the problem you highlighted: I cannot distinguish between the realms in the policy, and so the Fortigate will not let me create the mapping. Just like you predicted.
I am proceeding with the workaround of making two groups.
I have to say that the SSL-VPN experience so far has been pretty horrible, compared to IPSEC.
exactly - with the gateway - see attachment yeah, sslvpn is likely a bit "tricky"
________________________________________________________
--- NSE 4 ---
________________________________________________________
It is working! Thank you very much.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.