Scribd
Upload
20 views

101 Remote Access SSL Tunnel VPN

Uploaded by

eshensanjula2002
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
20 views

101 Remote Access SSL Tunnel VPN

Uploaded by

eshensanjula2002
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 11

SSL Tunnel Mode VPN Lab:

Remote Access VPN


Outside Layer 3 Interface Port1– 192.168.1.1/24
DMZ Layer 3 Interface Port4 – 10.0.4.0/24 & 10.0.5.0/24
Outside Network 172.29.129.0/24
Management IP Address Port1-192.168.100.200/24
DMZ SRV1 IP Address 10.0.4.1/24
DMZ SRV2 IP Address 10.0.5.2/24
Users and Groups HR Group, IT Group and SAL Group
WAN-Client IP Address 172.29.129.24/24

1 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717


Configuring SSL VPN Tunnel:
Go to VPN > SSL-VPN Portals to create a tunnel mode, Enable Split Tunneling, set Routing
Address Override.

Go to VPN > SSL-VPN Settings and set Listen on Interface(s) to WAN. To avoid port conflicts, set
Listen on Port to 4433. Set Restrict Access to Allow access from any host. In my case the
Fortinet_Factory certificate is used as the Server Certificate.

2 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717


Under Tunnel Mode Client Settings, set IP Ranges to use the default IP range SSLVPN_TUNNEL-
ADDR1.

Under Authentication/Portal Mapping, add the SSL VPN user group and map it to the Web-
access portal. If necessary, map a portal for All Other Users/Groups.

3 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717


On the top of SSL-VPN Settings click on No SSL-VPN policies exist. Click here to create a new
SSL-VPN policy using these settings.

Security Policy:
Go to Policy & Objects > Firewall Policy. Add a security policy allowing access to the DMZ
network through the VPN tunnel interface. Set Incoming Interface to ssl.VPN tunnel interface
and Outgoing Interface to the DMZ-Zone interface. Select Source and set Address to all and
Source User to the SSL-VPN user group. Set Destination Address to the DMZ address, Service to
ALL, and enable NAT. Configure any remaining firewall and security options as desired.

4 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717


Add a second security policy allowing SSL VPN access to the Internet. For this policy, Incoming
Interface is set to ssl.root, Outgoing Interface is set to WAN, and Destination is set to all.

External Host:
Add new node Windows 10 to the topology and connect to external Internet cloud, set the IP
Address in 172.29.129.0 range while set the default Gateway to 172.29.129.182

5 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717


FortiClient:
The FortiClient VPN Setup Wizard will appear. Agree to the License Agreement and click Next.

Leave the default settings as they are for the Destination Folder and click Next. Click Install.

6 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717


After the Setup Wizard is finished, click Finish. It will create SSL VPN Virtual Adopter.

Open the FortiClient VPN application. You will be prompted to acknowledge that the software
does not come with any product support. Check the box and click I accept.

7 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717


Click on Configure VPN.

In this window, you will configure the VPN connection. In the Connection Name field, I chose to
name this connection “SSL-T-VPN”. For the Remote Gateway field, type in 192.168.1.1. tick
Customize port to 4433. You can leave all the other fields as they are. Click Save.

8 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717


To connect to VPN, enter your username and password and click Connect.

9 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717


Testing:

10 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717


Verification:

On the FortiGate, go to Log & Report>Events>VPN Events. To Verify the logs related to VPN.

11 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717

You might also like