Support Forum
AdiMizil
New Contributor III

SSL VPN tunnel mode with 2 different portals

Hi everyone, I have a FortiGate 80E running 6.2.3. I have configured SSL VPN for remote user access, installed a signed certificate and tested it - running OK. Tunnel mode & web mode both OK. Then I configured 2 portals: the 1st is for Admins (tunnel and web) - there is an IPv4 policy in place which grants them access to all the subnets and another one for Internet access. User accounts are created locally on the firewall. The 2nd is for corporate users, who are authenticating against a RADIUS server. There is a dedicated IPv4 policy in place which grants them access to required internal resources and another one for Internet access.

Issue: ALL users are authenticated against the 1st portal from the list - RA management portal - and IP addresses are assigned from the RA for Admins pool (both scenarios tested - FortiClient or web-based VPN).

Any idea how I can have dedicated portals for each group?

 

Kind regards, Adi

2 Solutions
emnoc
Esteemed Contributor III

Have you looked at realms? This should give you what you need.

 

https://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html

 

I like to use them for just what you describe: separation of portals and auth rules. Or for different language support for web portals.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

commutator
New Contributor III

You've probably resolved this, but let me add one point. We do the same thing as you're trying, but we use a different URL and realm for each portal, as already pointed out. We also use separate IP pools, but that's just for logging purposes. We use group membership on the policies to control access. I don't think you can use the client IPs in your policies successfully - and if you can, I'd really like to talk to you about that! I've spent a bunch of time experimenting with no success on that.

 

FYI, we had to upgrade from 5.4.8 to 6.0 to get the group membership on policies to be evaluated properly. I know nothing about whether it works in 6.2. I hope so because we'll need it when we go to 6.2.

 

...Fred
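Putting Ken's realm suggestion and Fred's group-on-policy point together, here is a constructed FortiOS 6.2 CLI fragment added here for illustration (not posted by anyone in the thread): one realm per user population, an authentication rule binding each group to its realm and portal, a deny-everything default portal, and a firewall policy that matches on group membership rather than client IP. The object names, the address objects ADMIN_POOL, CORP_POOL and INTERNAL_SERVERS, the groups vpn-admins (local users) and corp-users (RADIUS members) and the interface "internal" are assumptions that must already exist on the box.

```text
# Constructed example, not from this thread. Groups, address objects and
# the "internal" interface are assumed to be defined already.
config vpn ssl web realm
    edit "admins"                     # login URL https://<vpn-fqdn>:10443/admins
    next
    edit "corp"                       # login URL https://<vpn-fqdn>:10443/corp
    next
end
config vpn ssl web portal
    edit "admin-portal"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "ADMIN_POOL"
    next
    edit "corp-portal"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "CORP_POOL"
    next
    edit "no-access"                  # catch-all portal: no tunnel, no web
        set tunnel-mode disable
        set web-mode disable
    next
end
config vpn ssl settings
    set default-portal "no-access"    # anyone not matched by a rule gets nothing
    config authentication-rule
        edit 1
            set groups "vpn-admins"
            set realm "admins"
            set portal "admin-portal"
        next
        edit 2
            set groups "corp-users"
            set realm "corp"
            set portal "corp-portal"
        next
    end
end
config firewall policy
    edit 10
        set name "sslvpn-corp-to-internal"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "CORP_POOL"
        set dstaddr "INTERNAL_SERVERS"
        set groups "corp-users"       # group membership, not client IP, gates access
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

A user in neither group still reaches the login page but lands on "no-access", which is what you want to see in the SSL VPN logs when an unexpected account tries to connect.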


4 Replies
AdiMizil
New Contributor III

@Ken and Fred - thanks for pointing me to this approach. I will need web and tunnel for the 1st portal and tunnel for the 2nd portal (users).

@Ken - congratulations on your blog, it's impressive! Thanks for sharing all that knowledge with everyone.

 

Up to this moment I couldn't do any tests as the FW is in production, but I will give it a try as I haven't configured HA and I still have an 80E available.

 

Kind regards, 

Adi

AdiMizil
New Contributor III

That was easy, if you know what you have to do!

 

Firewall rules are very important; I had to create 2 for each realm, one for Internet access and one for internal corporate access.

 

Works on FortiOS 6.2.3 with an HA cluster on 80E.

 

Kind regards, 

Adi 
