Hi, need suggestions.
I was asked to do a remote SSL VPN solution for a hub-and-spoke network design. Each of the three spokes has a small unit onsite, and they belong to three different sister companies. The hub has a bigger FortiGate as well and an IPsec tunnel to each spoke.
The requirements are:
1. 2-factor auth for remote VPN on the central hub firewall.
2. Each user authenticated via the corresponding company AD.
3. Once a user is authenticated, the user has access only to the corresponding company network.
4. Dedicated VPN client for the user computer, not web-browser based.
My concern is really item #3 above. I do not even know if FortiOS can provide the feature to assign subnet/routing dynamically based on the domain user account with a single remote SSL VPN profile. However, I can imagine using different remote SSL VPN profiles for different company/domain users, such that a user from Company A connects to "vpn.example.com/company-a" via FortiClient and a user from Company B connects to "vpn.example.com/company-b" via FortiClient. But how can I configure multiple remote SSL VPN profiles on a FortiGate?
Maybe remote IPsec VPN is better for this scenario? Suggestions please.
I believe the SSL VPN will be able to satisfy all your requirements here.
To set up different URLs for each customer you first need to enable SSL VPN Realms, which are disabled by default. Go to System > Config > Features and turn on SSL VPN Realms (remember to click Apply to save).
Next create your realms under VPN > SSL > Realms for each of your customers. In the URL path enter company-a to link to vpn.example.com/company-a. Next create individual portals for each of the companies under VPN > SSL > Portals. For each of the portals enable tunnel mode and split tunneling. Select the routing addresses you want these specific users to have access to (this will populate the routing table for the users), select the IP pool, and deselect Web mode.
Should look similar to this:
Next you need to link the user groups with the portal with the realm. Go to VPN > SSL > Settings and create your authentication mappings at the bottom. Should look similar to this:
Next you need to create policies to control what each customer has access to. Your source should be the sslvpn interface + sslvpn address + user group, and your destination should be the VPN interface and remote VPN subnet you want the users to have access to.
Should look something like this:
Lastly, remember to add the company-a-sslpool address to your routes. For example, if I'm giving 10.1.1.0/24 addresses to my company-a SSL connections, I would create the following route on the FortiGate:
Once that's done, repeat all steps (realm > portal > setting mappings > policy > route) for company-b and company-c.
Hope it helps!
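As an added worked example (not part of the original answer and not taken from Fortinet documentation), here is the same realm > portal > authentication mapping > policy > route chain for company-a written out in FortiOS 5.2-style CLI, which is easier to review and diff than the screenshots. Everything except the 10.1.1.0/24 pool from the answer is an assumption for illustration: the object names (company-a, company-a-portal, company-a-sslpool, company-a-lan, company-a-ad, company-a-sslusers), the IPsec interface name company-a-ipsec, the wan1 listening interface, the LDAP server 10.10.10.5, the 192.168.10.0/24 spoke LAN, and the service-account and group DNs.

```text
# Feature visibility: expose Realms in the GUI (equivalent of System > Config > Features)
config system settings
    set gui-sslvpn-realms enable
end

# Address objects: the SSL pool handed to company-a users and the spoke LAN they may reach
config firewall address
    edit "company-a-sslpool"
        set type iprange
        set start-ip 10.1.1.1
        set end-ip 10.1.1.254
    next
    edit "company-a-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Company A's own AD. cnid decides the login format:
#   sAMAccountName -> "jdoe"    cn -> "John Doe"
config user ldap
    edit "company-a-ad"
        set server "10.10.10.5"
        set cnid "sAMAccountName"
        set dn "DC=company-a,DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=company-a,DC=example,DC=com"
        set password <service-account-password>
    next
end

# Group membership is checked against the AD group, not just "any LDAP bind succeeded"
config user group
    edit "company-a-sslusers"
        set member "company-a-ad"
        config match
            edit 1
                set server-name "company-a-ad"
                set group-name "CN=SSL Users,OU=Groups,DC=company-a,DC=example,DC=com"
            next
        end
    next
end

# Realm: the /company-a URL path FortiClient connects to
config vpn ssl web realm
    edit "company-a"
        set url-path "company-a"
    next
end

# Portal: tunnel mode only, split tunnel limited to company-a-lan, pool from company-a-sslpool
config vpn ssl web portal
    edit "company-a-portal"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "company-a-sslpool"
        set split-tunneling enable
        set split-tunneling-routing-address "company-a-lan"
    next
end

# Authentication mapping: group + realm + portal bound together
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "company-a-sslpool"
    config authentication-rule
        edit 1
            set groups "company-a-sslusers"
            set portal "company-a-portal"
            set realm "company-a"
        next
    end
end

# Policy: source is the SSL interface + company-a pool + company-a group,
# destination is the company-a IPsec interface + its LAN. Nothing else matches.
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "company-a-ipsec"
        set srcaddr "company-a-sslpool"
        set dstaddr "company-a-lan"
        set groups "company-a-sslusers"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Route: return traffic for the pool goes back into the SSL tunnel
config router static
    edit 0
        set dst 10.1.1.0 255.255.255.0
        set device "ssl.root"
    next
end
```

The point worth checking after you repeat this for company-b and company-c: the realm URL path is only a convenience, not a security boundary. What actually enforces requirement #3 is the pairing of a per-company pool with a per-company group in both the authentication-rule and the firewall policy. A company-b user who somehow lands on the company-a realm fails the group match and gets no portal; a company-a user can only ever source from company-a-sslpool and only ever match policies whose srcaddr is that pool. Keep the policies per-company (no shared "all SSL users" policy with srcaddr all) or that isolation is gone.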
Thanks a lot for the detailed explanation!
I thought I had tried a similar configuration, but the client failed to log in, and indeed I had tried that. But I tried again, with the same result.
Within FortiClient, it prompts me with "insufficient credentials".
Within the web browser, it tells me "permission denied"...
The FortiGate is running v5.2.4,build688 (GA).
The first step I would recommend is confirming that your authentication is working as intended.
If you've configured the groups via LDAP, double check the common name identifier (CNI). Depending on what you've configured here and your AD settings, the usernames for SSL will be either 'jdoe' or 'John Doe'.
The best way to test this is via the CLI. Use the diag test authserver command to test a username and password and confirm it's working as intended.
The command is like this:

diag test authserver ldap <server_name> <username> <pwd>

For example, if I configure my CNI as 'cn' then my username is in the format of 'John Doe':

fortigate # diagnose test authserver ldap ad "John Doe" m4hpassword
authenticate 'John Doe' against 'ad' succeeded!
Group membership(s) - CN=SSL Users,OU=Groups,DC=example,DC=com

If I configure my CNI as 'sAMAccountName' then my username is in the format of 'jdoe':

fortigate # diagnose test authserver ldap ad jdoe m4hpassword
authenticate 'jdoe' against 'ad' succeeded!
Group membership(s) - CN=SSL Users,OU=Groups,DC=example,DC=com

If you're using RADIUS for authentication instead of LDAP then the command changes slightly:

fortigate # diagnose test authserver radius authenticator pap jdoe m4hpassword
authenticate 'jdoe' against 'pap' succeeded, server=primary assigned_rad_session_id=549322410 assigned_admin_profile=SSL Users session_timeout=0 secs!
Group membership(s) - SSL Users
If your authentication test is successful then the problem may lie elsewhere. If it's not working here, then it's worth double checking your authentication server settings, credentials, and firewall-to-authentication-server connectivity.
Copyright 2025 Fortinet, Inc. All Rights Reserved.