SSL VPN tunnel mode with 2 different portals (Answered)

Author
AdiMizil
New Member
2020/01/15 06:37:44 (permalink)

Hi everyone,


I have a FortiGate 80E running 6.2.3. I have configured SSL VPN for remote user access, installed a signed certificate and tested it - running OK. Tunnel mode and web mode both OK.

Then I configured 2 portals:

1st is for Admins (tunnel and web) - there is an IPv4 policy in place which grants them access to all the subnets and another one for Internet access. User accounts are created locally on the firewall.

2nd is for Corporate user access, which authenticates against a RADIUS server. There is a dedicated IPv4 policy in place which grants them access to the required internal resources and another one for Internet access.


Issue: ALL users are authenticated against the 1st portal from the list - the RA management portal - and IP addresses are assigned from the RA for Admins pool (both scenarios tested - FortiClient and web-based VPN).


Any idea how I can have dedicated portals for each group?


 
Kind regards,
Adi
#1
emnoc
Expert Member
Re: SSL VPN tunnel mode with 2 different portals 2020/01/15 14:54:54 (permalink) - marked Best Answer by AdiMizil 2020/02/15 01:02:10

Have you looked at realms? This should give you what you need.
 
https://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html
 
I like to use them for just what you describe, for separation of portals and auth rules. Or for different language support for web portals.
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#2
commutator
New Member
Re: SSL VPN tunnel mode with 2 different portals 2020/01/26 10:44:32 (permalink) - marked Helpful by AdiMizil 2020/01/28 11:20:19

You've probably resolved this, but let me add one point. We do the same thing as you're trying, but we use a different URL and realm for each portal, as already pointed out. We also use separate IP pools, but that's just for logging purposes. We use group membership on the policies to control access. I don't think you can use the client IPs in your policies successfully - and if you can, I'd really like to talk to you about that! I've spent a bunch of time experimenting with no success on that.
 
FYI, we had to upgrade from 5.4.8 to 6.0 to get the group membership on policies to be evaluated properly. I know nothing about whether it works in 6.2. I hope so because we'll need it when we go to 6.2.
 
...Fred
post edited by commutator - 2020/01/26 10:48:37
#3
AdiMizil
New Member
Re: SSL VPN tunnel mode with 2 different portals 2020/01/28 03:39:48 (permalink)
@Ken and Fred - thanks for pointing me to this approach. I will need web and tunnel for the 1st portal and tunnel only for the 2nd portal - users.
@Ken - congratulations on your blog, it's impressive! Thanks for sharing all that knowledge with everyone.
 
Up to this moment I couldn't do any tests, as the FW is in production, but I will give it a try as I haven't configured HA and I still have an 80E available.
 
Kind regards, 
Adi
post edited by AdiMizil - 2020/01/28 03:45:22
#4
AdiMizil
New Member
Re: SSL VPN tunnel mode with 2 different portals 2020/02/15 01:04:16 (permalink)
That was easy, if you know what you have to do!
 
Firewall rules are very important; I had to create 2 for each realm, one for Internet access and one for internal corporate access.
 
Works on FortiOS 6.2.3 with an HA cluster on 80E.
 
Kind regards, 
Adi 
post edited by AdiMizil - 2020/02/15 01:05:17
#5
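The realm approach from posts #2 and #3, together with the per-realm firewall policies from post #5, as an added FortiOS CLI example that is not part of the original thread (not Ken's blog code and not the OP's configuration). Realm names, portal names, group names, pool ranges, interface names, the RADIUS server address and the certificate name are all assumed; replace them with your own. The point it shows is that the realm URL path plus an authentication rule keyed on group membership is what selects the portal (and therefore the IP pool), and that each realm then needs its own pair of policies matched on group, not on client IP:

```fortios
# --- Assumed address objects for the two SSL VPN IP pools ---
config firewall address
    edit "SSLVPN_ADMIN_POOL"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "SSLVPN_CORP_POOL"
        set type iprange
        set start-ip 10.212.135.1
        set end-ip 10.212.135.254
    next
end

# --- Assumed user sources: local admins, RADIUS-backed corporate users ---
config user radius
    edit "corp-radius"
        set server "192.0.2.10"            # placeholder RADIUS server
        set secret "REPLACE_WITH_SHARED_SECRET"
    next
end
config user group
    edit "admins_group"
        set member "admin1" "admin2"       # assumed local user accounts
    next
    edit "corp_radius_group"
        set member "corp-radius"           # any user the RADIUS server accepts
    next
end

# --- Two portals: admins get web + tunnel, corporate users tunnel only ---
config vpn ssl web portal
    edit "admin-portal"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_ADMIN_POOL"
    next
    edit "corp-portal"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "SSLVPN_CORP_POOL"
    next
end

# --- Realms: each one is a distinct URL path on the same listener ---
# Admins connect to https://vpn.example.com:10443/admins
# Corporate users connect to https://vpn.example.com:10443/corp
config vpn ssl web realm
    edit "admins"
        set url-path "admins"
    next
    edit "corp"
        set url-path "corp"
    next
end

# --- Authentication rules bind (group, realm) -> portal ---
# Without the realm field every group falls through to the first matching
# rule, which is why all users landed on the admin portal in the original post.
config vpn ssl settings
    set servercert "vpn-example-com"       # assumed signed certificate name
    set port 10443
    set tunnel-ip-pools "SSLVPN_ADMIN_POOL" "SSLVPN_CORP_POOL"
    set default-portal "corp-portal"        # least-privileged portal as fallback
    config authentication-rule
        edit 1
            set groups "admins_group"
            set realm "admins"
            set portal "admin-portal"
        next
        edit 2
            set groups "corp_radius_group"
            set realm "corp"
            set portal "corp-portal"
        next
    end
end

# --- Two policies per realm, matched on group membership ---
# "ssl.root" is the SSL VPN tunnel interface in the root VDOM; "internal" and
# "wan1" are assumed interface names.
config firewall policy
    edit 10
        set name "sslvpn-admins-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_ADMIN_POOL"
        set dstaddr "all"
        set groups "admins_group"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set name "sslvpn-admins-to-internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_ADMIN_POOL"
        set dstaddr "all"
        set groups "admins_group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 12
        set name "sslvpn-corp-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_CORP_POOL"
        set dstaddr "CORP_APP_SERVERS"      # assumed address group of allowed resources
        set groups "corp_radius_group"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS"
    next
    edit 13
        set name "sslvpn-corp-to-internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_CORP_POOL"
        set dstaddr "all"
        set groups "corp_radius_group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two things worth checking after applying this: the `groups` field on each policy is what actually separates the two populations (the pool `srcaddr` only narrows it, as Fred notes that matching on client IP alone does not work reliably), and the default portal should be the more restricted one so that a user who hits the bare URL without a realm path does not fall into the admin portal. `diagnose vpn ssl list` and the SSL VPN event logs show which realm and portal each session was assigned, which is the quickest way to confirm the rules are matching as intended.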