Cookbook

SSL VPN with certificate authentication

In this recipe, you will configure an SSL VPN tunnel that requires users to authenticate using a certificate.

This recipe requires that you have three certificates:

  • CA certificate
  • server certificate (signed by the CA certificate)
  • user certificate (signed by the CA certificate)

You will install the CA certificate and server certificate on the FortiGate. The user certificate will be installed on the remote user’s PC. The certificates in the example were created using OpenSSL.

1. Enabling certificate management

Go to System > Feature Select and make sure that Certificates is enabled.

2. Installing the server certificate

The server certificate is used for encrypting SSL VPN traffic and will be used for authentication.

Go to System > Certificates and select Import > Local Certificate.

Set Type to Certificate, choose the Certificate file and the Key file for your certificate, and enter the Password. You can also change the Certificate Name.

The server certificate now appears in the list of Certificates.

3. Installing the CA certificate

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

Go to System > Certificates and select Import > CA Certificate.

Select Local PC, then select the certificate file.

The CA certificate now appears in the list of External CA Certificates (CA_Cert_1).

4. Creating PKI users and a user group

To use certificate authentication, PKI users must be created in the CLI. Go to Dashboard and enter the following commands into the CLI Console widget:

config user peer
    edit rdiaz
        set ca CA_Cert_1
        set subject User01
    next
end

Make sure that subject matches the name of the user certificate (in this example, User01).
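The recipe's certificates were made with OpenSSL but the commands are not shown; the script below is an added example (not from the Fortinet recipe) that builds the CA, server and user certificates, exports the user certificate for the step 8 import, verifies that both leaf certificates chain to the CA, and reads the CN that "set subject User01" must match. The file names, the lab CA name, the key and PKCS#12 passwords, and the use of the recipe's VPN address 172.20.120.184 as a SAN are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Fortinet recipe: create the CA, server and user
# certificates the recipe needs with OpenSSL, then verify the chain and read the
# user certificate's CN, the value that "set subject User01" must match.
# Assumptions: file names, the lab CA name, the VPN IP 172.20.120.184 from the
# recipe, and the passwords "ServerKey-pw" / "User01-p12" are all constructed here.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# CA: self-signed; this is the file imported under Import > CA Certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/O=Example Lab/CN=Example Lab CA" -keyout ca.key -out ca.crt 2>/dev/null

# Server certificate: CSR + CA signature with a SAN for the SSL VPN address,
# so browsers and FortiClient can match the name they connect to.
openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Lab/CN=sslvpn" \
  -keyout server.key -out server.csr 2>/dev/null
printf 'subjectAltName=IP:172.20.120.184\nextendedKeyUsage=serverAuth\n' > server.ext
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 825 -extfile server.ext -out server.crt 2>/dev/null
# Import > Local Certificate takes the key file plus its Password; encrypt the key.
openssl rsa -in server.key -aes256 -passout pass:ServerKey-pw -out server.enc.key 2>/dev/null

# User certificate: its CN is what "config user peer" matches with "set subject".
openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Lab/CN=User01" \
  -keyout user.key -out user.csr 2>/dev/null
printf 'extendedKeyUsage=clientAuth\n' > user.ext
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -extfile user.ext -out user.crt 2>/dev/null
# Bundle for the Windows Personal store / macOS Keychain import in step 8.
openssl pkcs12 -export -inkey user.key -in user.crt -certfile ca.crt \
  -passout pass:User01-p12 -out user.p12

# Both leaf certificates must chain to the CA the FortiGate trusts.
verify_chain() {
  openssl verify -CAfile ca.crt server.crt user.crt >/dev/null 2>&1
}

# Print the CN from a certificate's subject or issuer: cert_cn FILE subject|issuer
cert_cn() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

verify_chain && echo "user CN=$(cert_cn user.crt subject), issued by $(cert_cn user.crt issuer)"
```

Import ca.crt as the CA certificate, server.crt with server.enc.key as the local certificate, and user.p12 on the client; if cert_cn prints anything other than User01, the peer entry in step 4 will not match.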

Now that you have created a PKI user, a new menu has been added to the GUI. You may need to refresh the GUI before the menu appears. Go to User & Device > User group > PKI to see the new user listed.

Edit the user account and expand Two-factor authentication. Enable Require two-factor authentication and set a Password for the account.

Go to User & Device > User > User Groups and create a group for SSL VPN users. Add the new user to the group.

5. Creating an SSL VPN portal

Go to VPN > SSL-VPN Portals.

Edit the full-access portal to confirm the default configuration.

Make sure that Enable Split Tunneling is disabled so that all SSL VPN traffic will go through the FortiGate unit.

6. Configuring the SSL VPN tunnel

Go to VPN > SSL-VPN Settings.

Under Connection Settings, set Listen on Interface(s) to wan1. To avoid admin port conflicts, set Listen on Port to 10443.

Set Server Certificate to the authentication certificate and enable Require Client Certificate.

Under Authentication/Portal Mapping, assign the user group to the full-access portal. If necessary, assign a portal for All Other Users/Groups.

7. Adding security policies for access to the Internet and internal network

Go to Policy & Objects > IPv4 Policy. Create a security policy allowing SSL VPN users to access the internal network.

Set Incoming Interface to ssl.root. Set Source to all and include the new SSL VPN User’s group. Set Outgoing Interface to the local network interface so that the remote user can access the internal network.

Set Destination Address to all, enable NAT, and configure any remaining firewall and security options.

Add a second security policy allowing SSL VPN users to access the Internet.

For this policy, Incoming Interface is set to ssl.root and Outgoing Interface is set to wan1.

Make sure that NAT is enabled.

8. Installing the user certificate

Every user should have a unique user certificate, so that you can distinguish each user and so that it is possible to revoke a user’s certificate when necessary.

Internet Explorer or Safari (on Windows or Mac OS)

If you are using Windows 7/8/10, open the certificate file and select Install Certificate. The Import Wizard appears.

Import the certificate into the Personal store.

If you are using Mac OS X, open the certificate file. Keychain Access opens.

Double-click the certificate. Expand Trust and select Always Trust.

FortiClient (on Windows or Mac OS)

Open FortiClient and go to Remote Access > Configure VPN. Create a new SSL VPN connection.

Set the Connection Name, Remote Gateway, and Customize port. Enable Client Certificate and select the authentication certificate.

Firefox (on Windows or Mac OS)

Depending on the operating system, go to Menu > Options or Preferences > Advanced and find the Certificates tab.

Select View Certificates, then select the Your Certificates list. Import the certificate file.

9. Results

Using a web browser

Browse to the SSL VPN portal (https://172.20.120.184:10443).

When prompted, select the user certificate.

Enter user credentials when requested.

You are able to connect to the SSL VPN web portal.

Using FortiClient

Open FortiClient, select the newly created VPN, enter user credentials and click Connect.

On the FortiGate, go to Monitor > SSL-VPN Monitor. You can see that the user is currently connected to the VPN.

The first entry corresponds to the SSL VPN web portal connection and the second entry to the FortiClient connection.
