
Web portal configurations

From the document FortiOS 7.4.1 Administration Guide (pages 65-69)

An SSL VPN web portal enables users to access network resources through a secure channel using a web browser.

System administrators can configure login privileges for users and which network resources are available to these users. The portal configuration determines what the user sees when they log in to the portal. Both system administrators and users can customize the SSL VPN portal.

There are three predefined default web portal configurations available:

• full-access: connecting clients can either access protected resources through the SSL VPN web portal, or use FortiClient to connect through tunnel mode.

• tunnel-access: connecting clients can only access protected resources with FortiClient connecting through tunnel mode.

• web-access: connecting clients can only access protected resources through the SSL VPN web portal.

Custom web portals can also be configured.

To configure a custom web portal:

1. Go to VPN > SSL-VPN Portals and click Create New.

2. Configure the following settings as needed:

GUI option: Description

Name: Enter the portal name.

Limit Users to One SSL-VPN Connection at a Time: This option is disabled by default. When enabled, once a user logs in to the portal, they cannot go to another system and log in with the same credentials again.

Tunnel Mode

Split tunneling: There are three options:

• Disabled: all client traffic will be directed over the SSL VPN tunnel.

• Enabled Based on Policy Destination: only client traffic where the destination matches the destination of the configured firewall policies will be directed over the SSL VPN tunnel.

• Enabled for Trusted Destinations: only client traffic that does not match explicitly trusted destinations will be directed over the SSL VPN tunnel.

Routing Address Override: When Split tunneling is set to Enabled Based on Policy Destination, the IPv4 firewall address selected overrides the firewall policy destination addresses to control split tunnel access.

When Split tunneling is set to Enabled for Trusted Destinations, the IPv4 firewall address selected becomes a trusted destination that will not be tunneled through SSL VPN. All other destinations will be tunneled through SSL VPN.

Source IP Pools: Select an IP pool for users to acquire an IP address when connecting to the portal.

IPv6 Tunnel Mode: When enabled, these settings determine how tunnel mode clients are assigned IPv6 addresses.

IPv6 split tunneling: The same three options are available as in Tunnel Mode.

IPv6 Routing Address Override: When Split tunneling is set to Enabled Based on Policy Destination, the IPv6 firewall address selected overrides the firewall policy destination addresses to control split tunnel access.

When Split tunneling is set to Enabled for Trusted Destinations, the IPv6 firewall address selected becomes a trusted destination that will not be tunneled through SSL VPN. All other destinations will be tunneled through SSL VPN.

Source IPv6 Pools: Select an IP pool for users to acquire an IP address when connecting to the portal.

Tunnel Mode Client Options: The following options affect how FortiClient behaves when connected to the VPN tunnel.

Allow client to save password: When enabled and if the user selects this option, their password is stored on their computer and will automatically populate each time they connect to the VPN.

Allow client to connect automatically: When enabled and if the user selects this option, when FortiClient launches (such as after a reboot or system start up), FortiClient will automatically attempt to connect to the VPN.

Allow client to keep connections alive: When enabled and if the user selects this option, FortiClient will try to reconnect once it detects that the VPN connection is unexpectedly down (not manually disconnected by the user).

DNS Split Tunneling: When enabled, the Split DNS table is visible, where new DNS entries can be created. See SSL VPN split DNS on page 2121 for more details.

Host Check: When enabled, the type of host checking performed on endpoints can be configured (see Configuring OS and host check on page 2243).

Type: There are three options:

• Realtime AntiVirus: check for antivirus software recognized by the Windows Security Center.

• Firewall: check for firewall software recognized by the Windows Security Center.

• Enable both: check for antivirus and firewall software recognized by the Windows Security Center.

Restrict to Specific OS Versions: When enabled, access to certain operating systems can be denied or forced to check for an update. By default, all operating systems in the table are allowed (see Configuring OS and host check on page 2243).

Web Mode: Enable this option to configure the web portal settings.

Portal Message: Enter a message that appears at the top of the web portal screen (default = SSL-VPN Portal).

Theme: Select a color theme from the dropdown.

Show Session Information: Enable to display session information in the top banner of the web portal (username, amount of time logged in, and traffic statistics).

Show Connection Launcher: Enable to display the Quick Connection button.

Show Login History: Enable to display the user's login history (History).

User Bookmarks: Enable to allow users to add their own bookmarks (New Bookmark).

Rewrite Content IP/UI/: Enable contents rewrite for URIs containing IP-address/ui/.

RDP/VNC clipboard: Enable to support RDP/VNC clipboard functionality.

Predefined Bookmarks: Use the table to create and edit predefined bookmarks. See To create a predefined administrator bookmark in FortiOS: on page 2133 for more details.

FortiClient Download: Enable this option to display the Download FortiClient button.

Download Method: Select either Direct or SSL-VPN Proxy as the method to download FortiClient.

Customize Download Location: Enable to configure a custom download location for Windows or Mac.

3. Click OK.
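As an added example (not part of the Fortinet guide), the following Python script reads the `config vpn ssl web portal` section of a configuration backup and lists, per portal, four of the options described above that an administrator would normally review: concurrent logins, split tunneling, saved passwords and host check. The CLI keywords, their pairing with the GUI labels and the defaults assumed for keywords missing from the backup are assumptions that do not appear on this page, and the sample configuration is constructed.

```python
import re

# Constructed backup excerpt for illustration (not taken from the guide).
SAMPLE = """
config vpn ssl web portal
    edit "full-access"
        set save-password enable
        set split-tunneling enable
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "contractors"
        set limit-user-logins enable
        set split-tunneling disable
    next
end
"""

# keyword: (value to review, assumed default, GUI option); names and defaults are assumptions.
REVIEW = {
    "limit-user-logins": ("disable", "disable", "Limit Users to One SSL-VPN Connection at a Time"),
    "split-tunneling": ("enable", "enable", "Split tunneling"),
    "save-password": ("enable", "disable", "Allow client to save password"),
    "host-check": ("none", "none", "Host Check"),
}

def parse_portals(text):
    """Return {portal: {keyword: value}}, ignoring nested config blocks."""
    portals, current, inside, depth = {}, {}, False, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "config vpn ssl web portal":
            inside, depth = True, 0
        elif inside and line.startswith("config "):
            depth += 1          # nested table such as bookmark-group
        elif inside and line == "end":
            inside, depth = depth > 0, max(depth - 1, 0)
        elif inside and depth == 0 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = portals.setdefault(m.group(1), {})
        elif inside and depth == 0 and (m := re.match(r"set (\S+) (.+)$", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return portals

def audit(text):
    """List (portal, GUI option, effective CLI setting) tuples to review."""
    return [(name, gui, f"{key} {cfg.get(key, default)}")
            for name, cfg in parse_portals(text).items()
            for key, (flag, default, gui) in REVIEW.items()
            if cfg.get(key, default) == flag]
```

A backup taken with `show` omits keywords left at their default, which is why the "contractors" portal is still reported for Host Check; output from `show full-configuration` removes the need to infer defaults.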

By default, the browser's language preference is automatically detected and used by the SSL VPN portal login page. The system language can still be used by changing the settings on the SSL-VPN Settings page of the GUI, or disabling browser-language detection in the CLI. See Showing the SSL VPN portal login page in the browser's language on page 2141 for more details.
