Hi Guys,
I'm just wondering if you can shed any light on a configuration query I have.
I have a requirement to set up an SSL VPN for 2 separate user groups, who require different levels of access to network resources.
I found this guide detailing how to do it.
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigatesslvpn54/SSLVPN_Examples_54/Multi_Groups_Different_AccessPerms.htm
However my question is, is it possible to achieve the above while still using split tunneling and if so can you point me in the right direction?
Yes, you can host multiple groups with and without split-tunneling.
e.g. (various groups, with split tunnel or split-tunnel client routes)
config vpn ssl web portal
    edit "GRUPO1"
        set tunnel-mode enable
        set keep-alive enable
        set ip-pools "SSLVPNGROUP01"
        set split-tunneling-routing-address NET01INTERNALS
        set ip-mode user-group
    next
    edit "GRUPO2"
        set tunnel-mode enable
        set keep-alive enable
        set ip-pools "SSLVPNGROUP02"
        set split-tunneling-routing-address NET02INTERNALS
        set ip-mode user-group
    next
    edit "DEVOPS"
        set tunnel-mode enable
        set keep-alive enable
        set ip-pools "SSLVPNGROUP03"
        set split-tunneling enable
        set ip-mode user-group
    next
end
PCNSE
NSE
StrongSwan
Thanks for the helpful reply emnoc.
I have RADIUS server auth for group 1 and two-factor LDAP+FortiToken auth for group 2.
Do I need to apply multiple policies below or not?
config firewall policy
    edit 2
        set name "Group 1"
        set uuid da31036e-9ac3-51e6-5f71-562a4cb5acdc
        set srcintf "ssl.root"
        set dstintf "Internal"
        set srcaddr "ssl.vpn.clt.ip_a"
        set dstaddr "internal.subnets_a"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic disable
        set groups "group_a"
        set comments "group_a"
    next
    edit 3
        set name "Group 2"
        set uuid 5465621c-3c75-51e7-eea9-9426373df718
        set srcintf "ssl.root"
        set dstintf "Internal"
        set srcaddr "ssl.vpn.clt.ip_b"
        set dstaddr "internal.subnets_b"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic disable
        set groups "group_b"
        set comments "group_b"
    next
end
Yes, you could do just that. Apply to policies and even authentication methods could be different between the groups.
Other choices would be to configure auth-rule and realms, and here you set auth methods unique for that realm.
e.g. realm
/roadwarriors1 ( LDAP )
/roadwarriors2 ( RADIUS )
/roadwarriors3 ( local )
! under each group you set the members or auth-server
! here's a method for using an AD server for the roadwarrior group
config match
    edit 1
        set server-name "ROADWARRIERAD1"    <---- this would be the AD server for the RoadWarrior group
        set group-name "OU=user,DC=example,DC=com"
    next
end
Each realm would have a unique fwpolicy and address groups.
Take a look at this post of mine explaining exactly the above; your possibilities and limitations are wide and deep ;)
http://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html
Disregard the language parameters, but the above concept could group like users, with a personal realm for those users' groups.
The auth-rule controls exactly that: authentication methods. Then enable or disable split-tunnel per realm as required via the tunnel-portal.
Ken
PCNSE
NSE
StrongSwan
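The realm and auth-rule approach described in the reply above, sketched as an added example (not posted by anyone in this thread). The pairing of group_a with GRUPO1 and group_b with GRUPO2, and running GRUPO2 as a full tunnel, are assumptions made for illustration; all object names are reused from the posts above.

```fortios
# Realms: each becomes its own login URL path on the SSL VPN listener
config vpn ssl web realm
    edit "roadwarriors1"
    next
    edit "roadwarriors2"
    next
end

# Authentication rules: bind each user group to one portal within one realm
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "group_a"
            set portal "GRUPO1"
            set realm "roadwarriors1"
        next
        edit 2
            set groups "group_b"
            set portal "GRUPO2"
            set realm "roadwarriors2"
        next
    end
end

# Split tunneling is decided per portal, so it can differ per group
config vpn ssl web portal
    edit "GRUPO1"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "NET01INTERNALS"
    next
    edit "GRUPO2"
        set tunnel-mode enable
        set split-tunneling disable
    next
end
```

Each group still needs its own firewall policy from ssl.root, as in the policies quoted earlier in the thread, because the portal only controls which routes the client receives, not what traffic is permitted.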
Copyright 2024 Fortinet, Inc. All Rights Reserved.