FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 26 - SSL VPN > The SSL VPN web portal > Portal configuration

Portal configuration

The SSL VPN web portal enables users to access network resources through a secure channel using a web browser. Fortinet administrators can configure log in privileges for system users and which network resources are available to the users.

The portal configuration determines what the user sees when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.

There are three pre-defined default web portal configurations available:

  • full-access: Includes all widgets available to the user - Session Information, Tunnel Mode options, Connection Launcher, Remote Desktop, and Predefined Bookmarks.
  • tunnel-access: Includes Session Information and Tunnel Mode options.
  • web-access: Includes Session Information and Predefined Bookmarks widgets.

You can also create your own web portal to meet your corporate requirements.

Portal page
Create New Creates a new web portal.
Edit Select a portal from the list to enable the Edit option, and modify the portal configuration.
Delete Removes a portal configuration.

To remove multiple portals from the list, select the check box beside the portal names, then select Delete.
Name The name of the web portal.
Ref. Displays the number of times the object is referenced in other configurations on the FortiGate unit, such as security policies.

To view the location of the referenced object, select the number in Ref. column.

To view more information about how the object is used, select one of:

View the list page for these objects – automatically redirects you to the list page where the object is referenced at.

Edit this object – modifies settings within that particular setting that the object is referenced with.

View the details for this object – similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with.

Portal settings

A web portal defines SSL VPN user access to network resources. The portal configuration determines what SSL VPN users see when they log in to the unit. Both the Fortinet administrator and the SSL VPN user have the ability to customize the web portal settings. Portal settings are configured in VPN > SSL-VPN Portals.

The following settings are available, allow you to configure general and security console options for your web portal.

Portal Setting Description
Name The name for the portal.
Limit Users to One SSL-VPN Connection at a Time You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again. This option is disabled by default.
Tunnel Mode These settings determine how tunnel mode clients are assigned IPv4 addresses.

  Enable Split Tunneling Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user’s other traffic follows its normal route.

If you enable split tunneling, you are required to set the Routing Address, which is the address that your corporate network is using. Traffic intended for the Routing Address will not be split from the tunnel.
  Source IP Pools Select an IP Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.
  Tunnel Mode Client Options These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.

  • Allow client to save password - When enabled, if the user selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.
  • Allow client to connect automatically - When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.
  • Allow client to keep connections alive - When enabled, if the user selects this option, the FortiClient should try to reconnect once it detects the VPN connection is down unexpectedly (not manually disconnected by user).
Enable Web Mode Select to enable web mode access.
Portal Message This is a text header that appears on the top of the web portal.
Theme Select a color styling specifically for the web portal.
Show Session Information The Show Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.
Show Connection Launcher Displays the Connection Launcher widget in the web portal.
Show Login History Select to include user login history on the web portal.
User Bookmarks Enable to allow users to add their own bookmarks in the web portal.
Predefined Bookmarks Select to include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a bookmark is selected from a bookmark list, a pop-up window appears with the web page. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.

Predefined Bookmarks

Bookmarks are used as links to specific resources on the network. When a bookmark is selected from a bookmark list, a pop-up window appears with the requested web page. Telnet, RDP, and VNC pop up a window that requires a browser plug-in. FTP and Samba replace the bookmarks page with an HTML file-browser.

Note that the RDP/VNC web portals are not supported for the following platforms:

Platform Model
FortiGate 80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C, 3240C, 3600C, and 5001C
FortiGate-Rugged 90D
FortiWiFi 92D

A web bookmark can include login credentials to automatically log the SSL VPN user into the web site. When the administrator configures bookmarks, the web site credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the web site.

Applications available in the web portal

Depending on the web portal configuration and user group settings, one or more of the following server applications are available to you through Predefined Bookmarks, as well as the Quick Connection widget:

  • Citrix makes use of SOCKS so that the Citrix client can connect to the SSL VPN port forward module to provide the connection.
  • FTP (File Transfer Protocol) enables you to transfer files between your computer and a remote host.
  • HTTP/HTTPS accesses web pages.
  • Port Forward provides the middle ground between web mode and tunnel mode. When the SSL VPN receives data from a client application, the data is encrypted and sent to the FortiGate unit, which then forwards the traffic to the application server.
  • RDP (Remote Desktop Protocol), similar to VNC, enables you to remotely control a computer running Microsoft Terminal Services.
  • SMB/CIFS implements the Server Message Block (SMB) protocol to support file sharing between your computer and a remote server host.
  • SSH (Secure Shell) enables you to exchange data between two computers using a secure channel.
  • TELNET (Teletype Network emulation) enables you to use your computer as a virtual text-only terminal to log in to a remote host.
  • VNC (Virtual Network Computing) enables you to remotely control another computer, for example, accessing your work computer from your home computer.

Some server applications may prompt you for a user name and password. You must have a user account created by the server administrator so that you can log in.

note icon Windows file sharing through SMB/CIFS is supported through shared directories.

Implementing post-authentication CSRF protection in SSL VPN web mode

This attribute can enable/disable verification of a referer in the HTTP request header in order to prevent a Cross-Site Request Forgery (CSRF) attack.

Syntax:

config vpn ssl settings

set check-referer [enable|disable]

end