Configuring certificate-based authentication

Tunnel mode client configuration

FortiOS 5.6 SSL VPN Setup examples
Yes, I think it does. Love your site, full of great information on a fantastic but under-documented product line. When an admin uploads a certificate to global, it will be accessible to all VDOMs and global. I think that the Client certificates must be installed in the personal folder, not in the root certificate folder and that's why you can't see it after you installed it. You can see that the user is currently connected to the VPN.

2. Installing the server certificate

SSL VPN with certificate authentication

The Import Wizard appears. Import the certificate using the Import Wizard. In order to connect to the VPN with FortiClient, you will first have to use the above instructions to install the certificate for your OS.

Firefox has its own certificate store. If you will be using Firefox to connect to the VPN, then the user certificate must be installed in this store, rather than in the OS certificate store. Victoria Martin, Technical Writer at Fortinet.

She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

You may need to refresh the GUI before the menu appears.

If necessary, Apply your changes. Add the new user to the group. Add security policies for access to the Internet and the internal network. The Subsession entry indicates the split-tunnel session that redirects traffic to the Internet.

In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate.

Connections to the Internet are routed back out through the head office FortiGate unit. By contrast, disabling split tunneling protects the end user by forcing all their Internet traffic to pass through the FortiGate firewall.

Create a normal security policy from ssl. Once connected, you can connect to the head office server or browse to web sites on the Internet. You might need to provide access to several user groups with different access permissions. Consider the following example topology in which users on the Internet have controlled access to servers and workstations on private networks behind a FortiGate unit.

In this example configuration, there are two users. Security policies do not accept direct entry of IP addresses and address ranges; you must define firewall addresses in advance. To accommodate the two groups of users, split an otherwise unused subnet into two ranges. The tunnel client addresses must not conflict with each other or with other addresses. To accommodate two different sets of access permissions, you need to create two web portals, for example portal1 and portal2.

Later, you can configure these portals with bookmarks and enable connection tool capabilities for the convenience of your users. You need to define security policies to permit your SSL VPN clients, web-mode or tunnel-mode, to connect to the protected networks behind the FortiGate unit.

Before you create the security policies, you must define the source and destination addresses to include in the policy. See Creating the firewall addresses. You need to define a static route to allow this. See Creating the tunnel client range addresses.

Client device certificate authentication with multiple groups

In the following example, we require clients connecting to a FortiGate SSL VPN to have a device certificate installed on their machine in order to authenticate to the VPN.

Employees in a specific OU in AD will be required to have a device certificate to connect, while vendors in a separate OU in AD will not be required to have a device certificate.

The authentication-rule option is only available in the CLI as an advanced setting to achieve this requirement. It is not available in the GUI.

We have several network zones configured and would like to apply network policies for remote users based on group membership. Any chance you have a post about such a scenario?

Setup examples

The examples in this chapter demonstrate the basic configurations needed for common connections to the SSL VPN tunnel and portals, applying the steps outlined in Basic configuration. The following examples are included:

Secure Internet browsing
Split Tunnel
Multiple user groups with different access permissions
Client device certificate authentication with multiple groups

Secure Internet browsing

This example sets up an SSL VPN tunnel that provides remote users the ability to access the Internet while traveling, and ensures that they are not subject to malware and other dangers, by using the corporate firewall to filter all of their Internet traffic.

Add an authentication rule for the remote user:

Split Tunnel

Complete the following and select OK:

Multiple user groups with different access permissions

General configuration steps

Create firewall addresses for:

Secure Internet browsing