SSL VPN for Remote Users

Video Activity


Time
1 hour 35 minutes
Difficulty
Beginner
CEU/CPE
2
Video Description

In this video, you will learn how to configure SSL VPN for a remote worker to connect to a FortiGate-protected network, and enforce your security policies. You will create a remote worker named Jack. When Jack works at home, or on his travels, he can go to the web portal using any device with Internet access and FortiClient. The SSL VPN tunnel provides an encrypted communication path for Jack to connect to internal network connections and protected Internet access. Visit Fortinet's documentation library at http://docs.fortinet.com.

Video Transcription
00:00
>> In this video, you will learn how to configure
00:00
SSL VPN for a remote worker
00:00
to connect to a FortiGate protected network,
00:00
and enforce your security policies.
00:00
You'll create a remote worker named Jack.
00:00
When Jack works at home or on his travels,
00:00
he can go to the web portal using any device
00:00
with Internet access and FortiClient.
00:00
The SSL VPN tunnel provides
00:00
an encrypted communication path for
00:00
Jack to connect to internal network connections
00:00
and protected Internet access.
00:00
First, you are going to set up
00:00
the VPN portal for both tunnel mode and web mode.
00:00
Go to VPN,
00:00
SSL, Portals,
00:00
edit the full-access portal.
00:00
Enable Tunnel Mode.
00:00
Do not enable split tunneling.
00:00
This will keep all your Internet traffic going through
00:00
the FortiGate unit and be subject to security profiles.
00:00
Enable Web mode.
00:00
Also enable status information,
00:00
connection tool, and FortiClient download.
00:00
Prompt mobile users to download the FortiClient app.
00:00
Enable user bookmarks and
00:00
Create New in the predefined bookmark area.
00:00
Bookmarks are used as links
00:00
to internal network resources.
00:00
To connect to your Windows server,
00:00
add a bookmark for a remote desktop connection,
00:00
set the category to remote desktop.
00:00
For the name, enter Windows Server.
00:00
Set the type to RDP.
00:00
Enter your host's network address.
00:00
For the username, enter Jack.
00:00
Enter a safe password.
00:00
The same username and password you just entered will
00:00
be used in the next step to create the user Jack.
00:00
Next, go to User and Device,
00:00
User, User Definition to create a remote user.
00:00
For the username, enter Jack,
00:00
enter the same safe password.
00:00
Add the email address,
00:00
phone number, and service type.
00:00
Select Enable.
00:00
Then go to User and Device,
00:00
User, User Groups
00:00
to create a group for your remote user.
00:00
Create a user group for SSL VPN connections.
00:00
Set the type to firewall,
00:00
add Jack as a member.
00:00
Before you begin, ensure that
00:00
your SSL VPN tunnel address range
00:00
is different from that of your internal network.
00:00
Go to Policy and Objects, Objects,
00:00
Addresses to add an address for the local network.
00:00
Create a local LAN address with
00:00
the local subnet and ensure visibility is selected.
00:00
Go to VPN, SSL,
00:00
Settings to define how users can connect and
00:00
interact with SSL VPN portals on your FortiGate.
00:00
Set Listen on Interfaces to your external interface.
00:00
Listen on Port 443 and allow access from any hosts.
00:00
Select Specify Custom IP ranges and set the IP range to
00:00
the SSL VPN tunnel under
00:00
Authentication Portal Mapping at
00:00
the SSL VPN user group.
00:00
Go to Policy and Objects,
00:00
Policy, IPv4,
00:00
and create two security policies to allow
00:00
internal network access and Internet access.
00:00
Create the first policy.
00:00
Set the incoming interface to the SSL route,
00:00
the source address to the SSL_VPN_Tunnel_Address 1,
00:00
the source user to the sslvpn_group,
00:00
and set the outgoing interface
00:00
to your internal interface so that
00:00
the VPN traffic can flow between
00:00
the remote user and the FortiGate.
00:00
Set destination address to your local LAN address.
00:00
Enable NAT and configure
00:00
any remaining firewall and security options as desired.
00:00
Next, create a second security policy,
00:00
allowing SSL VPN access to the Internet.
00:00
Set the incoming interface to
00:00
the VPN tunnel interface SSL route.
00:00
The source address to SSLVPN_Tunnel_Address 1,
00:00
the source user to SSL VPN_group,
00:00
the outgoing interface to your external interface,
00:00
which is usually WAN 1.
00:00
Set the destination address to
00:00
all and configure the rest as normal.
00:00
Finally, set your FortiGate unit to
00:00
verify that users have current antivirus software.
00:00
Go to System, Status,
00:00
dashboard, and open the CLI console.
00:00
Enter config vpn ssl web portal, edit full-access.
00:00
Set host-check av end.
00:00
These commands enable the host to check for
00:00
compliant antivirus software on
00:00
the remote user's computer.
00:00
Go to VPN, SSL,
00:00
Settings and find your web mode
00:00
URL to access the VPN portal.
00:00
Log in to the portal using Jack's user credentials.
00:00
The FortiGate unit performs the host check.
00:00
After the check is complete,
00:00
the portal should appear.
00:00
You may need to install
00:00
the FortiClient application using
00:00
the available download link.
00:00
Sign in to the FortiClient application with
00:00
Jack's user credentials for remote access.
00:00
Connect to the SSL VPN tunnel.
00:00
Select the bookmark Remote
00:00
Desktop link to begin
00:00
an RDP session with the Windows Server.
00:00
Ensure that you can successfully browse the Internet.
00:00
Then quit the Java Applet.
00:00
Then go to VPN Monitor,
00:00
SSL VPN monitor to verify the list of SSL users.
00:00
Thank you for watching.
00:00
For more information,
00:00
you can access Fortinet's documentation library
00:00
at docs.fortinet.com.