The SSL VPN Service portal enables users to access network resources through a secure channel using a web browser. Fortinet administrators can configure login privileges for system users and determine which network resources are available to them.
The portal configuration determines what the user sees when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.
There are three pre-defined default web portal configurations available:
- full-access: Includes all widgets available to the user - Session Information, Tunnel Mode, Connection Tool, FortiClient Download, Remote Desktop, and My Bookmarks.
- tunnel-access: Includes Session Information and Tunnel Mode widgets.
- web-access: Includes Session Information and My Bookmarks widgets.
You can also create your own web portal to meet your corporate requirements.
|Create New||Creates a new web portal.|
|Edit||Select a portal from the list to enable the Edit option, and modify the portal configuration.|
|Delete||Removes a portal configuration. To remove multiple portals from the list, select the check box beside the portal names, then select Delete.|
|Name||The name of the web portal.|
|Ref.||Displays the number of times the object is referenced in other configurations on the FortiGate unit, such as security policies. To view the location of the referenced object, select the number in the Ref. column. To view more information about how the object is used, select one of: View the list page for these objects (automatically redirects you to the list page where the object is referenced); Edit this object (modifies settings within the configuration that references the object); View the details for this object (similar to the log viewer table, shows which settings are configured within the configuration that references the object).|
|Portal Settings page|
|Edit Settings window||Provides general, virtual desktop and security control settings for the SSL VPN Service portal page. This window appears when you select Settings. This window also appears whenever you select Create New and are automatically redirected to the Portal Settings page. For more information, see Portal settings.|
|Settings||Select to edit the settings for the SSL VPN web portal. See Portal configuration.|
|Widgets||The widgets that will appear on the SSL VPN Service page. You can add widgets from the Add Widgets drop-down list. For more information, see Portal widgets.|
|Add Widget||Select to add a new widget to the page.|
|Session Information||Displays basic information about the current session of the logged-in user. For more information, see Session Information.|
|Bookmarks||Displays configured bookmarks, allows for the addition of new bookmarks and editing of existing bookmarks. For more information, see Bookmarks.|
|Connection Tool||Enter the URL or IP address for a connection tool application/server (selected when configuring the Connection Tool). You can also check connectivity to a host or server on the network behind the unit by selecting the Type Ping. For more information, see Connection Tool.|
|Tunnel Mode||Displays tunnel information and actions in user mode. The administrator can configure a split-tunneling option. For more information, see Tunnel Mode.|
A web portal defines SSL VPN user access to network resources. The portal configuration determines what SSL VPN users see when they log in to the unit. Both the Fortinet administrator and the SSL VPN user have the ability to customize the web portal settings. Portal settings are configured in VPN > SSL > Portals.
The Settings Window provides settings for configuring general, virtual desktop and security control options for your web portal.
The virtual desktop options, available for Windows XP and Windows Vista client PCs, are configured to completely isolate the SSL VPN session from the client computer’s desktop environment. All data is encrypted, including cached user credentials, browser history, cookies, temporary files, and user files created during the session. When the SSL VPN session ends normally, the files are deleted. If the session ends unexpectedly, any files that may remain will be encrypted.
Virtual desktop requires the Fortinet host check plugin. If the plugin is not present, it is automatically downloaded to the client computer.
Security control options provide cache cleaning and host checking to the clients of your web portal. Cache cleaning clears information from the client browser cache just before the SSL VPN session ends. The cache cleaner is effective only if the session terminates normally. The cache is not cleaned if the session ends unexpectedly.
Host checking enforces the client’s use of antivirus or firewall software. Each client is checked for security software that is recognized by the Windows Security Center. As an alternative, you can create a custom host check that looks for specific security software selected from the Host Check list. For more information, see Basic configuration.
Edit Settings Window
|Name||Enter a name for the web portal configuration.|
|Applications||Select the server applications or network services clients can use.|
|Portal Message||Enter the caption that appears at the top of the web portal home page when the user logs in.|
|Theme||Select the color scheme for the web portal home page.|
|Page Layout||Select the one-column or two-column page format for the web portal home page.|
|Redirect URL||Enter the URL that the web portal displays when the web portal home page is displayed.|
|Virtual Desktop tab|
|Enable Virtual Desktop||Select to enable the virtual desktop.|
|Allow switching between virtual desktop and regular desktop||Select to allow users to switch between the virtual desktop, and their regular desktop.|
|Allow clipboard contents to be shared with regular desktop||Select to allow users access to the clipboard contents when they are using the regular desktop.|
|Allow use of removable media||Select to allow users to access removable media.|
|Allow network share access||Select to allow users to have access to network resources.|
|Allow printing||Select to allow users to print from the virtual desktop.|
|Quit the virtual desktop and logout session when browser is closed||Select to have the virtual desktop close and log the user out of the current session whenever the browser is closed.|
|Application Control List||Select a virtual desktop application list from the drop-down list.|
|Security Control tab|
|Clean Cache||Select to have the unit remove residual information from the remote client computer just before the SSL VPN session closes.|
|Host Check||Select any host checking that is required before the user can log in to the portal. Host checks verify that the user has the required antivirus software or applications. If the user does not, the login is denied. Host Check is applicable for both SSL VPN Web Mode and SSL VPN Tunnel Mode. For more information, see Basic configuration.|
|Interval||Enter how often to recheck the host for updates and changes in seconds.|
|Policy||This is available when the Host Check selection is Custom. Select the specific host check software to look for. Select Edit to modify the policy settings.|
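The following added example (not Fortinet code) reviews a portal's Virtual Desktop and Security Control choices and lists the options that relax the isolation and cleanup behaviour described above. The dictionary keys are hypothetical names for the GUI options on this page, not FortiOS CLI keywords, and the sample portals are constructed.

```python
# Added example. Keys are hypothetical names for the GUI options on this page,
# not FortiOS CLI keywords; sample portals below are constructed.

# Virtual Desktop options that let data cross out of the isolated session.
ISOLATION_EXCEPTIONS = {
    "allow_desktop_switching": "user can move between isolated and regular desktop",
    "allow_clipboard_sharing": "clipboard contents reach the regular desktop",
    "allow_removable_media": "session can read and write removable media",
    "allow_network_share": "session can reach network shares",
    "allow_printing": "session content can be printed",
}


def audit_portal(cfg):
    """Return a list of (setting, reason) findings for one portal."""
    findings = []
    vd = cfg.get("virtual_desktop", {})
    if vd.get("enabled"):
        for key, reason in ISOLATION_EXCEPTIONS.items():
            if vd.get(key):
                findings.append((key, reason))
        if not vd.get("quit_on_browser_close"):
            findings.append(("quit_on_browser_close",
                             "closing the browser does not log the session out"))
    elif cfg.get("clean_cache"):
        # Cache cleaning runs only when the session terminates normally.
        findings.append(("clean_cache",
                         "only cleanup control; skipped if the session ends unexpectedly"))
    else:
        findings.append(("clean_cache", "no cleanup of residual session data"))

    host_check = cfg.get("host_check", "none")
    if host_check == "none":
        findings.append(("host_check", "no antivirus or firewall check at login"))
    elif host_check == "custom" and not cfg.get("policy"):
        findings.append(("policy", "custom host check with no software selected"))
    return findings


PORTALS = {  # constructed sample data
    "contractors": {"clean_cache": True, "host_check": "none"},
    "finance": {
        "virtual_desktop": {"enabled": True, "allow_printing": True,
                            "quit_on_browser_close": True},
        "clean_cache": True, "host_check": "custom", "policy": ["ExampleAV"],
    },
}

if __name__ == "__main__":
    for name, cfg in PORTALS.items():
        for setting, reason in audit_portal(cfg):
            print(f"{name}: {setting}: {reason}")
```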
Portal widgets hold the content that the user sees after logging in to the portal.
The Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.
Bookmarks are used as links to specific resources on the network. When a bookmark is selected from a bookmark list, a pop-up window appears with the requested web page. Telnet, VNC, and RDP all pop up a window that requires a browser plug-in. FTP and Samba replace the bookmarks page with an HTML file-browser.
A web bookmark can include login credentials to automatically log the SSL VPN user into the web site. When the administrator configures bookmarks, the web site credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the web site.
Use the Connection Tool widget to connect to a network resource without adding a bookmark to the bookmark list. You select the type of resource and specify the URL or IP address of the host computer.
If your web portal provides tunnel mode access, you need to configure the Tunnel Mode widget. These settings determine how tunnel mode clients are assigned IP addresses. You can also enable a split tunneling configuration so that the VPN carries only the traffic for the networks behind the unit. The user’s other traffic follows its normal route.
Depending on the web portal configuration and user group settings, one or more of the following server applications are available to you through Bookmarks or the Connection Tool:
- Citrix makes use of SOCKS so that the Citrix client can connect to the SSL VPN port forward module to provide the connection.
- FTP (File Transfer Protocol) enables you to transfer files between your computer and a remote host.
- HTTP/HTTPS accesses web pages.
- Port Forward provides the middle ground between web mode and tunnel mode. When the SSL VPN receives data from a client application, the data is encrypted and sent to the FortiGate unit, which then forwards the traffic to the application server.
- RDP/RDP Native (Remote Desktop Protocol), similar to VNC, enables you to remotely control a computer running Microsoft Terminal Services.
- SMB/CIFS implements the Server Message Block (SMB) protocol to support file sharing between your computer and a remote server host.
- SSH (Secure Shell) enables you to exchange data between two computers using a secure channel.
- TELNET (Teletype Network emulation) enables you to use your computer as a virtual text-only terminal to log in to a remote host.
- VNC (Virtual Network Computing) enables you to remotely control another computer, for example, accessing your work computer from your home computer.
Some server applications may prompt you for a user name and password. You must have a user account created by the server administrator so that you can log in.
|RDP Native, in some instances, may not be supported. If this is the case, use Internet Explorer and disable ActiveX Filtering.|
|Windows file sharing through SMB/CIFS is supported through shared directories.|