SSL VPN

SSL VPN configurations consist of one <options> section, followed by one or more VPN <connection> section(s).

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        <dnscache_service_control>0</dnscache_service_control>
        <!-- 0=disable dnscache, 1=do not touch dnscache service, 2=restart dnscache service, 3=sc control dnscache paramchange -->
        <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
        <use_legacy_ssl_adapter>1</use_legacy_ssl_adapter>
        <preferred_dtls_tunnel>1</preferred_dtls_tunnel>
        <block_ipv6>0</block_ipv6>
        <no_dhcp_server_route>0</no_dhcp_server_route>
        <no_dns_registration>0</no_dns_registration>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <keep_connection_alive>1</keep_connection_alive>
      </options>
      <connections>
        <connection>
          <name>SSLVPN_Name</name>
          <description>Optional_Description</description>
          <server>ssldemo.fortinet.com:10443</server>
          <username>Encrypted/NonEncrypted_UsernameString</username>
          <single_user_mode>0</single_user_mode>
          <ui>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
            <save_username>0</save_username>
          </ui>
          <password>Encrypted/NonEncrypted_PasswordString</password>
          <certificate />
          <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
          <allow_standard_user_use_system_cert>0</allow_standard_user_use_system_cert>
          <prompt_certificate>0</prompt_certificate>
          <prompt_username>0</prompt_username>
          <fgt>1</fgt>
          <on_connect>
            <script>
              <os>windows</os>
              <script>
                <![CDATA[test]]>
              </script>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script>
                <![CDATA[]]>
              </script>
            </script>
          </on_disconnect>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

The following table provides the XML tags for SSL VPN, as well as the descriptions and default values where applicable.

XML tag / Description / Default value

<sslvpn><options> elements

<enabled>
Enable or disable SSL VPN.
Boolean value: [0 | 1]
Default value: 1

<dnscache_service_control>
FortiClient disables the Windows OS DNS cache when an SSL VPN tunnel is established, and restores it after the tunnel is disconnected. If FSSO clients do not function correctly while an SSL VPN tunnel is up, use this setting to control the DNS cache service: 0 = disable the DNS cache, 1 = do not touch the DNS cache service, 2 = restart the DNS cache service, 3 = send a paramchange control code to the DNS cache service (as with sc control).
Default value: 0

<prefer_sslvpn_dns>
When this setting is 0, the custom DNS server from SSL VPN is not added to the physical interface. When this setting is 1, the custom DNS server from SSL VPN is prepended to the physical interface's DNS server list.
Boolean value: [0 | 1]
Default value: 0

<use_legacy_ssl_adapter>
When this setting is 0, the new SSL driver is used. When this setting is 1, the legacy SSL driver is used.
Boolean value: [0 | 1]
Default value: 1

<preferred_dtls_tunnel>
DTLS is supported only by FortiClient (Windows).
When this setting is 0, FortiClient uses TLS, even if dtls-tunnel is enabled on the FortiGate.
When this setting is 1, FortiClient uses DTLS if it is enabled on the FortiGate and tunnel establishment succeeds. If dtls-tunnel is disabled on the FortiGate, or tunnel establishment fails, TLS is used. A DTLS tunnel uses UDP instead of TCP and can increase throughput over the VPN.
Boolean value: [0 | 1]

<block_ipv6>
When this setting is 0, FortiClient allows IPv6 connections.
When this setting is 1, FortiClient blocks IPv6 connections. Only IPv4 connectivity is used while the SSL VPN tunnel is up.
Boolean value: [0 | 1]
Default value: 0

<no_dhcp_server_route>
When this setting is 0, FortiClient creates the DHCP public server route upon tunnel establishment.
When this setting is 1, FortiClient does not create the DHCP public server route upon tunnel establishment.
Boolean value: [0 | 1]
Default value: 0

<no_dns_registration>
When this setting is 0, FortiClient registers the SSL VPN adapter's address in the AD domain DNS.
When this setting is 1, FortiClient does not register the SSL VPN adapter's address in the AD domain DNS.
Boolean value: [0 | 1]
Default value: 0

<disallow_invalid_server_certificate>
When this setting is 0 and an invalid server certificate is presented, FortiClient displays a popup that allows the user to continue with the invalid certificate.
When this setting is 1 and an invalid server certificate is presented, FortiClient does not display a popup and stops the connection.
Boolean value: [0 | 1]
Default value: 0

<keep_connection_alive>
Retry restoring the connection of an active VPN session.
Boolean value: [0 | 1]

The <connections> XML tag may contain one or more <connection> elements. Each <connection> has the following:

  • Information used to establish an SSL VPN connection
  • on_connect: a script to run right after a successful connection
  • on_disconnect: a script to run just after a disconnection

The following table provides VPN connection XML tags, the description, and the default value (where applicable).

XML Tag / Description / Default Value

<name>
VPN connection name.

<description>
Optional description to identify the VPN connection.

<server>
SSL server IP address or FQDN, with the port number as applicable.
Default port number: 443

<username>
Username on the SSL server, either encrypted or non-encrypted.

<single_user_mode>
Enable or disable single user mode. If enabled, new VPN connections cannot be established and existing ones are disconnected when more than one user is logged on to the computer.
Boolean value: [0 | 1]
Default value: 0

<password>
Password of the given user, either encrypted or non-encrypted.

<certificate>
Encrypted name of the certificate to connect with.

<warn_invalid_server_certificate>
Enable or disable displaying a warning message if the server certificate is invalid.
Boolean value: [0 | 1]
Default value: 0

<allow_standard_user_use_system_cert>
When this setting is 1, non-administrator users can use local machine certificates to connect to SSL VPN. When this setting is 0, non-administrator users cannot use machine certificates to connect to SSL VPN.
Boolean value: [0 | 1]
Default value: 0

<prompt_certificate>
Request a certificate during connection establishment.
Boolean value: [0 | 1]
Default value: 0

<prompt_username>
Request a username.
Boolean value: [0 | 1]
Default value: 1

<fgt>
Indicates whether FortiClient received the VPN configuration from FortiGate or EMS. When this setting is 1, FortiClient received the VPN configuration from FortiGate or EMS, and the user can view the VPN configuration while connected to FortiGate or EMS. If FortiClient is disconnected from FortiGate or EMS after connecting and receiving the VPN configuration, the user can view and delete the VPN configuration, but not edit it. When this setting is 0, FortiClient did not receive the VPN configuration from FortiGate or EMS, and the user can view or delete VPN configurations. It is not recommended to manually change the <fgt> setting.
Boolean value: [0 | 1]

<ui> elements

The elements of the <ui> XML tag are set by the FortiGate following an SSL VPN connection.

<show_remember_password>
Display or hide the Save Password checkbox in the console.
Boolean value: [0 | 1]

<show_alwaysup>
Display or hide the Always Up checkbox in the console.
Boolean value: [0 | 1]

<show_autoconnect>
Display or hide the Auto Connect checkbox in the console.
Boolean value: [0 | 1]

<save_username>
Save and display the last username used for the VPN connection.
Boolean value: [0 | 1]

The VPN connection name is mandatory. If a connection of this type and this name exists, its values are overwritten with the new ones.

The <on_connect> and <on_disconnect> tags both have a very similar tag structure:

<on_connect>
  <script>
    <os>windows</os>
    <script>
      <![CDATA[
      ]]>
    </script>
  </script>
</on_connect>

<on_disconnect>
  <script>
    <os>windows</os>
    <script>
      <![CDATA[
      ]]>
    </script>
  </script>
</on_disconnect>

The following table provides CDATA XML tags, the description, and the default value (where applicable).

XML tag / Description / Default value

<os>
The OS for which the script is written.
[windows | MacOSX]

<script>
The MS DOS batch or macOS shell script to run.

<![CDATA[ ]]>
Wraps the script in a CDATA section.

Write the MS DOS batch or macOS shell script inside the CDATA tag. Write one line per command like a regular batch script file. The script is executed in the context of the user that connected the tunnel.

Wherever you write #username# in your script, it is automatically substituted with the XAuth username of the user that connected the tunnel.

Wherever you write #password# in your script, it is automatically substituted with the XAuth password of the user that connected the tunnel.

Remember to check your XML file before deploying to ensure that carriage returns/line feeds are present.

The example scripts above show a script that mounts several network drives after an SSL connection is established. The drives are unmounted with the corresponding scripts in the <on_disconnect> XML tag.

The <on_connect> and <on_disconnect> scripts are optional.
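As an added example (not Fortinet code), the following Python script parses a configuration in the format above and reports the settings this page describes as weakening the connection: certificate checks left at 0, a password stored in the profile, #password# expanded into an on_connect or on_disconnect script, and a missing or duplicate <name>. The sample configuration, host names and the password value are constructed placeholders.

```python
import xml.etree.ElementTree as ET
# Constructed sample config (not from the page): element names follow the
# reference above; host names and the password value are placeholders.
SAMPLE_XML = r"""<forticlient_configuration><vpn><sslvpn>
<options>
  <enabled>1</enabled>
  <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
</options>
<connections>
  <connection>
    <name>Corp-SSLVPN</name>
    <server>vpn.example.com:10443</server>
    <username>jdoe</username>
    <password>PLACEHOLDER_PLAINTEXT</password>
    <warn_invalid_server_certificate>0</warn_invalid_server_certificate>
    <on_connect><script><os>windows</os>
      <script><![CDATA[net use x: \\fs\share /user:#username# #password#]]></script>
    </script></on_connect>
  </connection>
  <connection><server>vpn2.example.com</server></connection>
</connections>
</sslvpn></vpn></forticlient_configuration>"""


def _text(parent, tag):
    """Text of the child element 'tag', or None when absent or empty."""
    node = parent.find(tag)
    return node.text.strip() if node is not None and node.text else None


def audit_sslvpn(xml_text):
    """Return (where, finding) pairs for the risky settings described on the page."""
    root = ET.fromstring(xml_text)
    findings = []
    opts = root.find("./vpn/sslvpn/options")
    # With the default 0, the user can click through an invalid server certificate.
    if opts is None or _text(opts, "disallow_invalid_server_certificate") != "1":
        findings.append(("options", "invalid server certificate can be accepted by the user"))
    seen = set()
    for conn in root.iterfind("./vpn/sslvpn/connections/connection"):
        name = _text(conn, "name")
        if not name:
            name = "<unnamed>"
            findings.append((name, "missing mandatory <name>"))
        elif name in seen:  # a repeated name overwrites the existing profile
            findings.append((name, "duplicate connection name"))
        seen.add(name)
        if _text(conn, "warn_invalid_server_certificate") == "0":
            findings.append((name, "invalid-certificate warning disabled"))
        if _text(conn, "password"):
            findings.append((name, "password stored in the profile"))
        # #password# is expanded into the script text at run time.
        for script in conn.iter("script"):
            if script.text and "#password#" in script.text:
                findings.append((name, "#password# substituted into a script"))
    return findings
```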
