
Additional configuration options

Beyond the basics of setting up the SSL VPN, you can configure a number of other options that can help to ensure your internal network is secure and can limit the possibility of attacks and viruses entering the network from an outside source.

Routing in tunnel mode

If you are creating a SSL VPN connection in tunnel mode, you need to add a static route so that replies from the protected network can reach the remote SSL VPN client.

To add the tunnel mode route - web-based manager:
  1. Go to Network > Static Routes and select Create New.
  2. Enter the Destination IP/Mask of the tunnel IP address that you assigned to the users of the web portal.
  3. Select the SSL VPN virtual interface for the Device.
  4. Select OK.
To add the tunnel mode route - CLI:

If you assigned 10.11.254.0/24 as the tunnel IP range, you would enter:

config router static
    edit <id>
        set device ssl.root
        set dst 10.11.254.0/24
    end

DTLS tunneling to improve upload/download speed

The Datagram Transport Layer Security (DTLS) protocol is supported for SSL VPN connections. Carrying the tunnel over DTLS avoids TCP-over-TCP issues and can improve throughput. DTLS support is enabled in the CLI as described below:

To configure DTLS tunneling - CLI:

config vpn ssl settings
    set dtls-tunnel [enable | disable] (default: enabled)
end

Changing the port number for web portal connections

You can specify a different TCP port number for users to access the web portal login page through the HTTPS link. By default, the port number is 443 and users can access the web portal login page using the following default URL:

https://<FortiGate_IP_address>:443/remote/login

where <FortiGate_IP_address> is the IP address of the FortiGate interface that accepts connections from remote users.

To change the SSL VPN port - web-based manager:
  1. If Current VDOM appears at the bottom left of the screen, select Global from the list of VDOMs.
  2. Go to VPN > SSL-VPN Settings.
  3. Type an unused port number in the Listen on Port field and select Apply.
To change the SSL VPN port - CLI:

This is a global setting. For example, to set the SSL VPN port to 10443, enter the following:

config vpn ssl settings
    set port 10443
end

HTTP to HTTPS redirect support

The admin HTTP port can be redirected to the admin HTTPS port. This is enabled in VPN > SSL-VPN Settings using the option Redirect port 80 to this login port.

There are two likely scenarios for this:

  • SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected.
  • SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as described below:

To redirect HTTP to HTTPS port - CLI:

config vpn ssl settings
    set https-redirect [enable | disable] (default: disabled)
end

SSL offloading

To configure SSL offloading, which allows or denies client renegotiation, you must use the CLI. This helps to resolve the issues that affect all SSL and TLS servers that support renegotiation, identified by the Common Vulnerabilities and Exposures system in CVE-2009-3555. The SSL offloading renegotiation feature is considered a workaround until the IETF permanently resolves the issue.

The CLI command is ssl-client-renegotiation and is found under the config firewall vip syntax.

Host check

When you enable AV, FW, or AV-FW host checking in the web portal Security Control settings, each client is checked for security software that is recognized by the Windows Security Center. As an alternative, you can create a custom host check that looks for security software selected from the Host Check list. For more information, see Additional configuration options.

The Host Check list includes default entries for many security software products.

Note: Host integrity checking is only possible with client computers running Microsoft Windows platforms.

To configure host checking - CLI:

To configure the full-access portal to check for AV and firewall software on client Windows computers, you would enter the following:

config vpn ssl web portal
    edit full-access
        set host-check av-fw
    end

To configure the full-access portal to perform a custom host check for FortiClient Host Security AV and firewall software, you would enter the following:

config vpn ssl web portal
    edit full-access
        set host-check custom
        set host-check-policy FortiClient-AV FortiClient-FW
    end

Replacing the host check error message

You can add your own host security check error message using either the web-based manager or the CLI. The default message reads: “Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface.”

To replace the host check error message - web-based manager:
  1. Navigate to System > Replacement Messages and select Extended View in the upper right corner.
  2. Scroll down to SSL VPN and select Hostcheck Error Message.
  3. Edit the text in the right-hand column below and select Save.
    If you are unhappy with the new message, you can restore the message to its default by selecting Restore Default instead of Save.
To replace the host check error message - CLI:

Configure the host check error message using the following command.

config system replacemsg sslvpn hostcheck-error

Creating a custom host check list

You can add your own software requirements to the host check list using the CLI. Host integrity checking is only possible with client computers running Microsoft Windows platforms. Enter the following commands:

config vpn ssl web host-check-software
    edit <software_name>
        set guid <guid_value>
        set type <av | fw>
        set version <version_number>
    end

If known, enter the Globally Unique Identifier (GUID) for the host check application. Windows uses GUIDs to identify applications in the Windows Registry. The GUID can be found in the Windows registry in the HKEY_CLASSES_ROOT section.

To obtain the exact versioning, in Windows, right-click on the .EXE file of the application and select Properties, then select the Version tab.

Host Check is applicable for both SSLVPN Web Mode and SSLVPN Tunnel mode.

Windows OS check

The Windows patch check enables you to define the minimum Windows version and patch level allowed when connecting to the SSL VPN portal. When the user attempts to connect to the web portal, FortiOS performs a query on the version of Windows the user has installed. If it does not match the minimum requirement, the connection is denied. The Windows patch check is configured in the CLI.

The following example shows you how to add an OS check to the ‘g1portal’ web portal. This OS check accepts all Windows XP users and Windows 2000 users running patch level 3.

To specify the acceptable patch level, you set the latest-patch-level and the tolerance. The lowest acceptable patch level is latest-patch-level minus tolerance. In this case, latest-patch-level is 3 and tolerance is 1, so 2 is the lowest acceptable patch level.

config vpn ssl web portal
    edit g1portal
        set os-check enable
        config os-check-list windows-2000
            set action check-up-to-date
            set latest-patch-level 3
            set tolerance 1
        end
        config os-check-list windows-xp
            set action allow
        end
    end

Host check for Windows firewall

The Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, but you can use a registry value to detect the firewall status.

If Windows firewall is on, the following registry value will be set to 1:

  • KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
    FirewallPolicy\StandardProfile
  • ValueName: EnableFirewall

In FortiOS, use the registry-value-check feature to define the Windows Firewall software by entering the following in the CLI:

config vpn ssl web host-check-software
    edit "Microsoft-Windows-Firewall"
        config check-item-list
            edit 1
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
                set type registry
            next
            edit 2
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile:EnableFirewall==1"
                set type registry
            next
            edit 3
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile:EnableFirewall==1"
                set type registry
            next
        end
        set type fw
    next
end

Then select the new entry as a custom host check in the web portal that should require it (replace <portal_name> with the name of your portal):

config vpn ssl web portal
    edit <portal_name>
        set host-check custom
        set host-check-policy Microsoft-Windows-Firewall
    end
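
The following is an added example (not Fortinet code) that models how a registry check item of the form shown above is evaluated: it parses the target string into key path, value name and expected value, then checks a constructed registry snapshot of a client. The grammar of the target string, the rule that every check item of an entry must pass, and the sample registry data are assumptions.

```python
"""Model of the host-check 'registry' check-item target format (added example,
not Fortinet code). Targets look like <key path>:<value name>==<expected>, as in
the Microsoft-Windows-Firewall entry, and are checked against a registry snapshot.
"""
import re

# Assumed target grammar: <hive>\<key path>:<value name>==<expected value>
TARGET_RE = re.compile(r"^(?P<key>[^:]+):(?P<value>[^=]+)==(?P<expected>.+)$")


def parse_target(target):
    """Split a check-item target into (key_path, value_name, expected)."""
    m = TARGET_RE.match(target)
    if not m:
        raise ValueError("malformed registry target: %r" % target)
    return m.group("key"), m.group("value"), m.group("expected")


def check_item_passes(target, registry):
    """True if the registry snapshot satisfies one check item.

    `registry` maps a key path to {value_name: value}. A missing key or value
    fails the check: an absent EnableFirewall value is not evidence of a
    running firewall, so the gate stays closed.
    """
    key, value_name, expected = parse_target(target)
    values = registry.get(key)
    if values is None or value_name not in values:
        return False
    return str(values[value_name]) == expected


# The three targets from the page, one per Windows firewall profile.
FIREWALL_POLICY = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
PROFILES = ("StandardProfile", "PublicProfile", "DomainProfile")
FIREWALL_TARGETS = [FIREWALL_POLICY + "\\" + p + ":EnableFirewall==1" for p in PROFILES]


def firewall_enabled_on_all_profiles(registry):
    """Assumption: every check item of the entry must pass for the software to count as present."""
    return all(check_item_passes(t, registry) for t in FIREWALL_TARGETS)


# Constructed registry snapshots (sample data, not captured from a real host).
HOST_ALL_ON = {FIREWALL_POLICY + "\\" + p: {"EnableFirewall": 1} for p in PROFILES}
HOST_PUBLIC_OFF = dict(HOST_ALL_ON)
HOST_PUBLIC_OFF[FIREWALL_POLICY + "\\PublicProfile"] = {"EnableFirewall": 0}
```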

Configuring virtual desktop

Available for 32-bit Windows XP, Windows Vista, and Windows 7 client PCs, the virtual desktop feature completely isolates the SSL VPN session from the client computer’s desktop environment. All data is encrypted, including cached user credentials, browser history, cookies, temporary files, and user files created during the session. When the SSL VPN session ends normally, the files are deleted. If the session ends due to a malfunction, files might remain, but they are encrypted so that the information is protected.

When the user starts an SSL VPN session that has virtual desktop enabled, the virtual desktop replaces the user’s normal desktop. When the virtual desktop exits, the user’s normal desktop is restored.

Virtual desktop requires the Fortinet cache cleaner plugin. If the plugin is not present, it automatically downloads to the client computer.

To enable virtual desktop - CLI:

To enable virtual desktop on the full-access portal and apply the application control list ‘List1’, for example, you would enter:

config vpn ssl web portal
    edit full-access
        set virtual-desktop enable
        set virtual-desktop-app-list List1
    end

Configuring virtual desktop application control

You can control which applications users can run on their virtual desktop. To do this, you create an Application Control List of either allowed or blocked applications. When you configure the web portal, you select the list to use.

Configure the application control list in the CLI.

To create an Application Control List - CLI:

If you want to add ‘BannedApp’ to ‘List1’, a list of blocked applications, you would enter:

config vpn ssl web virtual-desktop-app-list
    edit "List1"
        set action block
        config apps
            edit "BannedApp"
                set md5s "06321103A343B04DF9283B80D1E00F6B"
            end
    end

Configuring client OS Check

The SSLVPN client OS Check feature can determine if clients are running the Windows 2000, Windows XP, Windows Vista or Windows 7 operating system. You can configure the OS Check to do any of the following:

  • Allow the client access.
  • Allow the client access only if the operating system has been updated to a specified patch (service pack) version.
  • Deny the client access.

The OS Check has no effect on clients running other operating systems.

To configure OS Check:

OS Check is configurable only in the CLI.

config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        config os-check-list {windows-2000 | windows-xp | windows-vista | windows-7}
            set action {allow | check-up-to-date | deny}
            set latest-patch-level {disable | 0 - 255}
            set tolerance {tolerance_num}
        end
    end
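
The following added example (not FortiOS code) models the OS Check decision described in this section and in the g1portal example under "Windows OS check": per Windows version an action of allow, deny or check-up-to-date, where check-up-to-date accepts a client whose patch level is at least latest-patch-level minus tolerance. The policy dictionary layout is an assumption, as is treating a version with no list entry as allowed.

```python
"""Model of the SSL VPN portal OS Check decision (added example, not FortiOS code)."""

# Assumption: a policy maps an os-check-list name (e.g. "windows-xp") to a dict
# holding "action" and, for check-up-to-date, "latest-patch-level" and "tolerance".
ALLOW, DENY, CHECK_UP_TO_DATE = "allow", "deny", "check-up-to-date"


def minimum_patch_level(entry):
    """Lowest acceptable patch level: latest-patch-level minus tolerance, floored at 0.

    Returns None when latest-patch-level is "disable" (no patch requirement).
    """
    latest = entry.get("latest-patch-level", "disable")
    if latest == "disable":
        return None
    return max(0, int(latest) - int(entry.get("tolerance", 0)))


def os_check(policy, client_os, client_patch_level):
    """Return True if the client passes the portal's OS Check.

    client_os is an os-check-list name or any other string for clients on
    other operating systems, which the check does not affect. A Windows
    version without a list entry is assumed to be allowed.
    """
    entry = policy.get(client_os)
    if entry is None:
        return True
    action = entry["action"]
    if action == ALLOW:
        return True
    if action == DENY:
        return False
    if action == CHECK_UP_TO_DATE:
        minimum = minimum_patch_level(entry)
        if minimum is None:
            return True
        return client_patch_level >= minimum
    raise ValueError("unknown os-check action %r" % action)


# The g1portal example from the page: XP allowed, Windows 2000 must be within
# tolerance 1 of latest-patch-level 3, so patch level 2 is the lowest accepted.
G1PORTAL = {
    "windows-2000": {"action": CHECK_UP_TO_DATE, "latest-patch-level": 3, "tolerance": 1},
    "windows-xp": {"action": ALLOW},
}
```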

Adding WINS and DNS services for clients

You can specify the WINS or DNS servers that are made available to SSL-VPN clients.

DNS servers provide the IP addresses that browsers need to access web sites. For Internet sites, you can specify the DNS server that your FortiGate unit uses. If SSL VPN users will access intranet sites using URLs, you need to provide them access to the intranet’s DNS server. You specify a primary and a secondary DNS server.

A WINS server provides IP addresses for named servers in a Windows domain. If SSL VPN users will access a Windows network, you need to provide them access to the domain WINS server. You specify a primary and a secondary WINS server.

To specify WINS and DNS services for clients - web-based manager:
  1. Go to VPN > SSL-VPN Settings.
  2. Next to DNS Server select Specify.
  3. Enter the IP addresses of DNS servers in the DNS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
  4. Select Specify WINS Servers, and enter the IP addresses of WINS servers in the WINS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
  5. Select Apply.
To specify WINS and DNS services for clients - CLI:

config vpn ssl settings
    set dns-server1 <address_ipv4>
    set dns-server2 <address_ipv4>
    set wins-server1 <address_ipv4>
    set wins-server2 <address_ipv4>
end

Setting the idle timeout

The idle timeout setting controls how long the connection can remain idle before the system forces the remote user to log in again. For security, keep the default value of 5000 seconds or less. Set the timeout value to 0 to disable idle timeouts.

To set the idle timeout - web-based manager:
  1. Go to VPN > SSL-VPN Settings and enable Idle Logout.
  2. In the Inactive For field, enter the timeout value.
    The valid range is from 10 to 28800 seconds.
  3. Select Apply.
To set the idle timeout - CLI:

config vpn ssl settings
    set idle-timeout <seconds_int>
end

SSL VPN logs

Logging is available for SSL VPN traffic so you can monitor users connected to the FortiGate unit and their activity. For more information on configuring logs on the FortiGate unit, see the Logging and Reporting Guide.

To enable logging of SSL VPN events - web-based manager:
  1. Go to Log & Report > Log Settings.
  2. Enable Event Logging, and select VPN activity event.
  3. Select Apply.

To view the SSL VPN log data, in the web-based manager, go to Log & Report and select either the Event Log or Traffic Log.

In event log entries, look for the sub-types “sslvpn-session” and “sslvpn-user”.

For information about how to interpret log messages, see the FortiGate Log Message Reference.

Monitoring active SSL VPN sessions

You can go to User & Device > Monitor to view a list of active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time the connection was made. You can also see which services are being provided, and delete an active web session from the FortiGate unit.

To monitor SSL VPNs - web-based manager:

To view the list of active SSL VPN sessions, go to Monitor > SSL-VPN Monitor.

When a tunnel-mode user is connected, the Description field displays the IP address that the FortiGate unit assigned to the remote host.

If required, you can end a session/connection by selecting its checkbox and then clicking the Delete icon.

Importing and using a CA-signed SSL certificate

Use the following set of instructions to import a CA-signed SSL certificate and configure an SSL VPN using that certificate.

Import the signed certificate into your FortiGate device

  1. Unzip the file downloaded from the CA.
    There should be two .CRT files: a CA certificate with bundle in the file name, and a local certificate.
  2. Log in to your FortiGate unit and browse to System > Certificates.
  3. Select Create New > Local Certificate to import the local certificate.
    The status of the certificate will change from PENDING to OK.
  4. Import the CA certificate by selecting Import > CA Certificate.
    It will be listed in the CA Certificates section of the certificates list. You can now configure SSL VPN using the signed certificate.

Configure your FortiGate device to use the signed certificate

  1. Log in to your FortiGate unit and browse to VPN > SSL-VPN Settings.
  2. In the Connection Settings section, locate the Server Certificate field.
  3. Select the new certificate from the drop-down menu.
  4. Select Apply to configure SSL VPN to use the new certificate.

Implement post-authentication CSRF protection in SSL VPN web mode

This attribute can enable/disable verification of a referrer in the HTTP request header in order to prevent a Cross-Site Request Forgery attack.

Syntax:

config vpn ssl settings
    set check-referer [enable|disable]
end

DTLS support

The Datagram Transport Layer Security (DTLS) protocol is now supported for SSL VPN connections. DTLS allows datagram-based applications to communicate in a way that prevents eavesdropping, tampering, or message forgery. It is similar to the Transport Layer Security (TLS) protocol. DTLS support can be enabled in the CLI as described below.

Syntax

config vpn ssl settings
    set dtls-tunnel [enable | disable] (default: enabled)
end

Allow firewall address to be used in routing table for SSL VPN

If the destination of a static route in Network > Static Routes is set to a Named Address, and Address Range is set to Automatically assign addresses in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.

To view the routes in the routing table, go to Monitor > Routing Monitor.