How to configure SSL VPN on a Fortigate FG A device
1. Go to System->Admin->Settings
Here you can set up the port on which the SSL VPN portal will listen:
2. Go to Firewall->Address->Address and create a new address object, with the IP range that your SSL VPN users will be assigned:
3. Go to VPN->SSL->Config and tick “Enable SSL-VPN”. If you only have one SSL VPN range coming into your firewall, select it from the IP Pools menu on this screen as well; if you have more than one, you will define each range in its portal instead. When you are done, click “Apply”.
4. Go to VPN->SSL->Portal and create a new portal. Press “Settings” at the top of the screen and give it an appropriate name and welcome message. Mine are pretty generic, but you should make yours as descriptive as possible, especially if you have more than one.
In the “Tunnel Mode” menu, click the “Edit” button (the one with the pencil icon), give your connection a name, and select the range you want to use. The “Split tunneling” option lets the user reach the Internet directly through their own connection instead of having that traffic tunneled through the SSL VPN.
5. Go to User->User->User and define the user(s) that you want to have access to the SSL VPN. These can be local users, or users defined on a RADIUS server or a Domain Controller:
6. Go to User->User Group->User Group
Here, you will move the user into the user group and grant the group SSL VPN access. If you have multiple SSL VPN groups, be careful to choose the right one. All users log in to the same portal, but after they log in they are given the access rights specific to their account.
7. Go to Firewall->Policy->Policy and create a new policy from the ssl.root interface to wherever you want to give your users access. Let’s say, for the purposes of this example, that you want to give them access to the internal network. Here you can apply all the typical restrictions (which hosts are accessible, which services, schedules and UTM restrictions):
At this point you would be justified in thinking that we are done. I know I was the first time I tried to set this up, but it’s not that simple. A few more things need to be set up:
a) Create a policy to allow SSL VPN access from the Internet to the inside network:
As you can see here, I actually have two groups of SSL VPN users, each with their own specific access rights. The ranges you add as the destination address will be pushed out to the users. If you don’t do this, the users’ workstations will simply send the traffic destined for the VPN to their default gateway, which will most likely drop it; either way, your SSL VPN won’t work.
Surely after all this the SSL VPN will be working, right? Well, actually, no. Your firewall still does not know what to do with traffic it has to send to the SSL VPN range, so it will forward it to the default gateway instead of the ssl.root interface. That’s why you have to add a static route for it:
Although there is an actual ssl.root interface, it is an unnumbered interface: it does not have the IP range you defined for the SSL VPN configured as its address, so you won’t get a connected route for it. The interface has one or more IP ranges associated with it, but the firewall still won’t work out by itself that traffic destined for those networks should be forwarded to the ssl.root interface.
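The same pieces expressed in the FortiOS CLI, as an added example that is not part of the original walkthrough: the address objects, the inbound SSL VPN policy from step a), the ssl.root policy from step 7, and the static route that makes the return traffic reach the tunnel. All names, interface labels (wan1, internal) and IP ranges are constructed, and the syntax follows the older FortiOS 4.x CLI that this walkthrough’s menu paths correspond to (later releases put the group directly on the policy with set groups and use a service named "ALL"); the # lines are annotations, not CLI input.

```fortios
# Constructed values: 10.212.134.200-210 is the client pool, 192.168.1.0/24 the LAN
config firewall address
    edit "SSLVPN_RANGE"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "INTERNAL_NET"
        set subnet 192.168.1.0 255.255.255.0
    next
end
# Step a): inbound SSL VPN policy. dstaddr is what the clients receive as tunnel destinations
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "INTERNAL_NET"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set groups "SSLVPN_USERS"
                set schedule "always"
                set service "ANY"
            next
        end
    next
end
# Step 7: traffic arriving from the tunnel interface towards the LAN, restricted to the pool
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_RANGE"
        set dstaddr "INTERNAL_NET"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
# The missing piece: ssl.root is unnumbered, so replies to the client range need an explicit route
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end
```

After applying it, "get router info routing-table all" should list the client range via ssl.root; if it still shows only the default route, the tunnel will come up but no return traffic will reach the clients.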