Creating SSL VPNs
To create SSL VPNs, you must be logged in as an administrator with sufficient privileges. Multiple VPNs can be created.
To add SSL-VPN:
- Go to VPN Manager > SSL-VPN Settings.
- Click Create New in the content toolbar. The Create SSL VPN Settings pane is displayed.
- Configure the following settings, then click OK to create the VPN.
Device
Select a FortiGate device or VDOM.
Connection Settings
Specify the connection settings.
Listen on Interface(s)
Define the interface the FortiGate will use to listen for SSL VPN tunnel requests. This is generally your external interface.
Listen on Port
Enter the port number for HTTPS access.
Restrict Access
Allow access from any hosts, or limit access to specific hosts. If limiting access, select the hosts that have access in the Hosts field.
Idle Logout
Select to enable idle timeout. When enabled, enter the amount of time that the connection can remain inactive before timing out in theInactive For field, in seconds(10 - 28800, default = 300).
This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.
Server Certificate
Select the signed server certificate to use for authentication. Alternately, select a certificate template that is configured to use the FortiManager CA. See Certificate templates.
Require Client Certificate
Select to use group certificates for authenticating remote clients. When the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process. For information on using PKI to provide client certificate authentication, see the Authentication Guide.
Tunnel Mode Client Settings
Specify tunnel mode client settings. These settings determine how tunnel mode clients are assigned IP addresses.
Address Range
Either automatically assign address, or specify custom IP ranges.
DNS Server
Select to use the same DNS as the client system, or to specify DNS servers. Enter up to two DNS servers to be provided for the use of clients.
Specify WINS Servers
Select to specify WINS servers. Enter up to two WINS servers to be provided for the use of clients.
Allow Endpoint Registration
Select to allow endpoint registration.
Authentication/Portal Mapping
Select the users and groups that can access the tunnel.
Note: the default portal cannot be empty.
Create New
Create a new authentication/portal mapping entry. Select the Users, Groups, Realm, and Portal, then click OK.
Edit
Edit the selected mapping.
Delete
Delete the selected mapping or mappings.
Advanced Options
Configure advanced SSL VPN options. For information, see the FortiOS CLI Reference.