FortiOS 5.2 VPN: SSL VPN remote browsing with LDAP authentication


The VPN will be tested using FortiClient on a mobile Android device.

The recipe assumes that an LDAP server has already been configured and connected on the FortiGate, containing the user ‘bwayne’. For instructions on configuring FortiAuthenticator as an LDAP server, see LDAP authentication for SSL VPN with FortiAuthenticator.

1. Creating the LDAP user group

From the FortiGate GUI, go to User & Device > User > User Groups, and select Create New.

Enter a name for the user group, and under Remote Groups, select Create New.

Select the LDAP server under the Remote Server dropdown.

In the new Add Group Match window, select the desired group under the Groups tab, select Add Selected, and click OK.

The LDAP server's group is now a remote member of the user group.

2. Configuring the SSL VPN

Go to VPN > SSL > Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL > Settings.

Under Connection Settings set Listen on Port to 10443.

Under Authentication/Portal Mapping, select Create New.

Assign the LDAPgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.

3. Creating the security policies for VPN access to the Internet

Go to Policy & Objects > Policy > IPv4 and create an ssl.root – wan1 policy.

Set Source User(s) to the LDAPgroup user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.

If it is not already available, create another policy allowing internal access to the Internet.
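The FortiGate-side configuration from steps 1 to 3, written out as FortiOS 5.2 CLI, as an added example that is not part of the original recipe. The LDAP server object name, the matched group DN and the portal used for All Other Users/Groups are placeholders, since the recipe does not state them.

```fortios
# Added example: CLI equivalent of steps 1-3 of the recipe.
# Placeholders (not taken from the recipe):
#   "LDAP-SERVER" = name of the LDAP server object already configured on the FortiGate
#   CN=VPNusers,OU=Groups,DC=example,DC=com = DN of the LDAP group to match
#   "web-access"  = portal assigned to All Other Users/Groups
config user group
    edit "LDAPgroup"
        set member "LDAP-SERVER"
        config match
            edit 1
                set server-name "LDAP-SERVER"
                set group-name "CN=VPNusers,OU=Groups,DC=example,DC=com"
            next
        end
    next
end
config vpn ssl web portal
    edit "full-access"
        set split-tunneling disable
    next
end
config vpn ssl settings
    set port 10443
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "LDAPgroup"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "LDAPgroup"
        set nat enable
    next
end
```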

4. Results

On your Android smartphone, open the FortiClient app and create a new VPN.

Give the VPN a name (in the example, SSL to 121.56), and set the VPN Type to SSL VPN. Select Create.

The SSL VPN settings will appear. Set Server to the IP of the FortiGate (in the example, 172.20.121.56), and set the Port to 10443.

Set Username to the desired LDAP user (in the example, bwayne), and set the user’s password.

Return to FortiClient’s list of VPN Tunnels, and connect to the newly created SSL VPN.

If prompted, enter valid LDAP credentials.

User ‘bwayne’ is now connected to the SSL VPN tunnel and can securely browse the Internet.
