Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AdiMizil
New Contributor III

Created on ‎01-15-2020 06:37 AM

SSL VPN tunnel mode with 2 different portals

Hi everyone, I have a Fortigate 80E running on 6.2.3 . I have configured SSL VPN for remote users access, installed signed certificate and tested  - running ok . Tunnel mode & web mode both OK. Then I configured 2 Portals : 1st  is for Admins (tunnel and web) - there is a  IPv4 policy in place which grants them access to all the subnets and another one for Internet Access. User accounts are created locally on the firewall. 2nd is for Corprorate users access  which are authenticating against a RADIUS server. There is a dedicated IPv4 policy in place which grants them access to required internal resources and another one for Internet access.  

Issue: ALL users are authenticated against 1st portal from the list - RA management portal and IP addresses are assigned from RA for Admins Pool. ( both scenarios  tested - Forticlient or Web based VPN).

Any ideea how can I have dedicated portals for each group ?

 

Kind regards, Adi

9855
0 Kudos
2 Solutions
emnoc
Esteemed Contributor III

Created on ‎01-15-2020 02:54 PM

have you looked at realms? This should give you want you need.

 

https://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html

 

I like to use them just for what you describe for separation of protals and auth rules. Or for different language support for web-portals.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
7134
0 Kudos
commutator
New Contributor III
In response to emnoc

Created on ‎01-26-2020 10:44 AM

You've probably resolved this, but let me add one point. We do the same thing as you're trying but we use different URL and realm for each portal as already pointed out. We also use separate IP pools but that's just for logging purposes. We use group membership on the policies to control access. I don't think you can use the client IP's in your policies successfully - and if you can I'd really like to talk to you about that! I've spent a bunch of time experimenting with no success on that.

 

FYI, we had to upgrade from 5.4.8 to 6.0 to get the group membership on policies to be evaluated properly. I know nothing about whether it works in 6.2. I hope so because we'll need it when we go to 6.2.

 

...Fred

View solution in original post

7133
0 Kudos
4 REPLIES 4
emnoc
Esteemed Contributor III

Created on ‎01-15-2020 02:54 PM

have you looked at realms? This should give you want you need.

 

https://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html

 

I like to use them just for what you describe for separation of protals and auth rules. Or for different language support for web-portals.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
7135
0 Kudos
commutator
New Contributor III
In response to emnoc

Created on ‎01-26-2020 10:44 AM

You've probably resolved this, but let me add one point. We do the same thing as you're trying but we use different URL and realm for each portal as already pointed out. We also use separate IP pools but that's just for logging purposes. We use group membership on the policies to control access. I don't think you can use the client IP's in your policies successfully - and if you can I'd really like to talk to you about that! I've spent a bunch of time experimenting with no success on that.

 

FYI, we had to upgrade from 5.4.8 to 6.0 to get the group membership on policies to be evaluated properly. I know nothing about whether it works in 6.2. I hope so because we'll need it when we go to 6.2.

 

...Fred

7134
0 Kudos
AdiMizil
New Contributor III
In response to commutator

Created on ‎01-28-2020 03:39 AM

@ Ken  and Fred - thanks to pointing me to this approach. I will need web and tunnel for 1st portal and tunnel for 2nd portal - users. 

@ Ken - congratulations for you blog, it's impressive ! Thanks for sharing all that knowledge with everyone.

 

Up to this moment I couldn't do any tests as the FW is in production , but I will give a try as I haven't configured HA and I still  have a 80E available. 

 

Kind regards, 

Adi

7003
0 Kudos
AdiMizil
New Contributor III
In response to AdiMizil

Created on ‎02-15-2020 01:04 AM

That was easy, if you know what you have to do !

 

Firewall rules are very important, I had to create 2 for each realm , one for Internet access and one for internal corporate access. 

 

Works on FortiOs 6.2.3 with  a HA cluster on 80E. 

 

Kind regards, 

Adi 

7003
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.