
Set Up IPSec Site to Site VPN Between Fortigate 60D (4) - SSL VPN

IPSec Site to Site VPN Configuration Series:
  1. Set Up IPSec Site to Site VPN Between Fortigate 60D (1) - Route-Based VPNs
  2. Set Up IPSec Site to Site VPN Between Fortigate 60D (2) - Policy-Based VPNs
  3. Set Up IPSec Site to Site VPN Between Fortigate 60D (3) - Concentrator and Troubleshooting
  4. Set Up IPSec Site to Site VPN Between Fortigate 60D (4) - SSL VPN
SSL VPNs establish connectivity using SSL, which functions at Levels 4 - 5 (Transport and Session layers). Information is encapsulated at Levels 6 - 7 (Presentation and Application layers), and SSL VPNs communicate at the highest levels in the OSI model. SSL is not strictly a Virtual Private Network (VPN) technology that allows clients to connect to remote networks in a secure way.

FortiOS supports the SSL (not SSL 1.0) and TLS (TLS 1.3) versions defined below:

| Protocol | Year defined |
|----------|--------------|
| SSL 1.0 | n/a |
| SSL 2.0 | 1995 - RFC 6176 |
| SSL 3.0 | 1996 - RFC 6101 |
| TLS 1.0 | 1999 - RFC 2246 |
| TLS 1.1 | 2006 - RFC 4346 |
| TLS 1.2 | 2008 - RFC 5246 |
| TLS 1.3 | TBD |


When a remote client connects to the FortiGate unit, the FortiGate unit authenticates the user based on username, password, and authentication domain. A successful login determines the access rights of the remote user according to user group. The user group settings specify whether the connection will operate in web-only mode or tunnel mode. There are three modes:

  1. Web-only Mode
  2. Tunnel Mode
  3. Port Forwarding Mode (Proxy Mode)


Lab Topology:

Configuration Steps:

1. Create SSL VPN Portal

2. Create Remote Users and Groups

3. Create Security Policies

3.1 SSL-VPN Rule from WAN1 to Internal

3.2 Firewall Address Policy from SSL Tunnel Address to Internal
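Steps 1 to 3 written out as CLI, as an added example rather than the original post's own configuration. It assumes FortiOS 5.2-or-later syntax, where the listening interface and the group-to-portal mapping sit under `config vpn ssl settings` and traffic is permitted by a policy from `ssl.root`; the user, group and address names, the password placeholder and the 192.168.1.0/24 LAN are assumptions, and `full-access`, `web-access` and `SSLVPN_TUNNEL_ADDR1` are assumed to be the factory-default objects.

```fortios
# Steps 1-2: portal with web and tunnel mode, then a local user and group
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
config user local
    edit "vpnuser1"
        set type password
        set passwd <strong-password-placeholder>
    next
end
config user group
    edit "SSLVPN_Users"
        set member "vpnuser1"
    next
end
# Listener on wan1; group membership selects the portal, others get web-only
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSLVPN_Users"
            set portal "full-access"
        next
    end
end
# Step 3: permit only the tunnel pool and this group, only to the LAN
config firewall address
    edit "Internal_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN_Users"
    next
end
```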



4. Test

















