Creating SSL VPNs
To create SSL VPNs, you must be logged in as an administrator with sufficient privileges. Multiple VPNs can be created.
To add SSL-VPN:
- Go to VPN Manager > SSL-VPN.
- Click Add SSL VPN, or click Create New in the content toolbar. The Create SSL VPN dialog box or pane is displayed.
- Configure the following settings, then click OK to create the VPN.
Select a FortiGate device or VDOM.
Specify the connection settings.
Listen on Interface(s)
Define the interface the FortiGate will use to listen for SSL VPN tunnel requests. This is generally your external interface.
Listen on Port
Enter the port number for HTTPS access.
Allow access from any hosts, or limit access to specific hosts. If limiting access, select the hosts that have access in the Hosts field.
Select to enable idle timeout. When enabled, enter the amount of time that the connection can remain inactive before timing out in theInactive For field, in seconds(10 - 28800, default = 300).
This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.
Select the signed server certificate to use for authentication. Alternately, select a certificate template that is configured to use the FortiManager CA. See Certificate templates.
Require Client Certificate
Select to use group certificates for authenticating remote clients. When the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process. For information on using PKI to provide client certificate authentication, see the Authentication Guide.
Tunnel Mode Client Settings
Specify tunnel mode client settings. These settings determine how tunnel mode clients are assigned IP addresses.
Either automatically assign address, or specify custom IP ranges.
Select to use the same DNS as the client system, or to specify DNS servers. Enter up to two DNS servers to be provided for the use of clients.
Specify WINS Servers
Select to specify WINS servers. Enter up to two WINS servers to be provided for the use of clients.
Allow Endpoint Registration
Select to allow endpoint registration.
Select the users and groups that can access the tunnel.
Note: the default portal cannot be empty.
Create a new authentication/portal mapping entry. Select the Users, Groups, Realm, and Portal, then click OK.
Edit the selected mapping.
Delete the selected mapping or mappings.
Configure advanced SSL VPN options. For information, see the FortiOS CLI Reference: http://help.fortinet.com/cli/fos60hlp/60/index.htm.