SSL VPN
This topic contains descriptions of SSL VPN settings:
Configuration |
Description |
---|---|
SSL VPN |
Enable SSL VPN. |
DNS Cache Service Control |
FortiClient disables Windows DNS cache when it establishes an SSL VPN tunnel. The DNS cache is restored after FortiClient disconnects from the SSL VPN tunnel. If you observe that Fortinet single sign on clients do not function correctly when an SSL VPN tunnel is up, use Prefer SSL VPN DNS to control the DNS cache. |
Prefer SSL VPN DNS |
When disabled, EMS does not add the custom DNS server from SSL VPN to the physical interface. When enabled, EMS prepends the custom DNS server from SSL VPN to the physical interface. |
Do Not Accept Invalid Server Certificate |
FortiClient does not complete the requested VPN connection when an invalid SSL VPN server certificate is used. |
Enable Invalid Server Certificate Warning |
FortiClient displays a warning to the user when an invalid SSL VPN certificate is used. |
When you click Add Tunnel in VPN Tunnels, you can create an SSL VPN tunnel using manual configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following options are available for manual SSL VPN tunnel creation:
Option |
Description |
|
---|---|---|
Basic Settings |
||
Name |
Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters. |
|
Type |
Select SSL VPN. |
|
Remote Gateway |
Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking +. If one gateway is unavailable, the tunnel connects to the next configured gateway. |
|
Port |
Enter the access port. The default port is 443. |
|
Require Certificate |
Require a certificate. |
|
Prompt for Username |
Prompt for the username when accessing VPN. |
|
Split Tunnel |
|
|
Application Based |
Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from or include in the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:
Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface. |
|
|
Type |
Select Include or Exclude to configure whether to include or exclude certain application traffic from the VPN tunnel. |
|
Local Applications |
You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon. For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column. Select the application checkbox, then click Remove to remove it from the list. |
|
Cloud Applications |
You can exclude or include cloud applications. Click Add. In the list, select the desired applications, then click Add. Select the application checkbox, then click Remove to remove it from the list. |
|
Domain |
You can exclude or include domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries. For example, if you configure the VPN tunnel to exclude youtube.com, FortiClient excludes youtube.com and *.youtube.com from the tunnel. Select the application checkbox, then click Remove to remove it from the list. |
Advanced Settings |
||
Enable Single User Mode |
Enable single user mode. |
|
Show Passcode |
Display Passcode instead of Password in the FortiClient VPN tab. |
|
Enable Invalid Server Certificate Warning |
Display a warning to the user that the certificate is invalid before attempting VPN connection. |
|
Save Username |
Save your username. |
|
Allow Non-Administrators to Use Machine Certificates |
Allow non-administrator users to use local machine certificates. |
|
Enforce Acceptance of Disclaimer Message |
Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection. |
|
Failover SSL VPN Connection |
If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel. |
|
Enable SAML Login |
Enable SAML SSO login for this VPN tunnel. |
|
Redundant Sort Method |
How FortiClient determines the order to try connection to the SSL VPN servers when multiple are defined. FortiClient calculates the order before each SSL VPN connection attempt. When Server is selected, FortiClient tries the order explicitly defined in the server settings. When Ping Speed is selected, FortiClient determines the order by the ping response speed. When TCP Round Trip Time is selected, FortiClient determines the order by the TCP round trip time. Only FortiClient (Windows) supports this feature. FortiClient (macOS) and (Linux) do not support this feature. |
|
Host Tag |
Select Allow or Prohibit, then select the desired Zero Trust tag from the Select a Tag dropdown list. Tags only display in the list if they are already configured. See Zero Trust Tags. You can use this feature to prohibit endpoints from connecting to the VPN tunnel when they do not meet certain criteria. For example, if you want to prohibit endpoints without up-to-date antivirus signatures from connecting to the VPN tunnel, you would do the following:
Endpoints without up-to-date AV signatures are prohibited from connecting to the VPN tunnel. FortiClient (macOS) and (Linux) do not support this feature. |
|
Customize Host Check Fail Warning |
Enable and configure a custom message to display to the user when EMS prohibits the endpoint from connecting to the VPN tunnel due to its applied Zero Trust tag. For the example configuration described in the Host Tag field description, you could configure a custom message to direct the user to update their AV signature, so that they can connect to the VPN tunnel afterward. |
|
Show "Remember Password" Option |
Show option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate. |
|
Show "Always Up" Option |
Show option to have the VPN tunnel always up. You must also enable this option on the FortiGate. |
|
Show "Auto Connect" Option |
Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon. |
|
On Connect Script |
|
Enable the on connect script. Enter your script. |
On Disconnect Script |
|
Enable the disconnect script. Enter your script. |