The SSL VPN client
The remote client connects to the SSL VPN tunnel in various ways, depending on the VPN configuration.
- Tunnel mode establishes a connection to the remote protected network that any application can use. If the client computer runs Microsoft Windows, the user can download the tunnel mode client from the web portal.
If the client computer runs Linux or Mac OS X, the user needs to download the tunnel mode client application from the Fortinet Support web site. See the Release Notes for your FortiOS firmware for the specific operating system versions that are supported.
- The virtual desktop application creates a virtual desktop on a user’s PC and monitors the data read/write activity of the web browser running inside the virtual desktop. When the application starts, it presents a ‘virtual desktop’ to the user. The user starts the web browser from within the virtual desktop and connects to the SSL VPN web portal. The browser file/directory operation is redirected to a new location, and the data is encrypted before it is written to the local disk. When the virtual desktop application exits normally, all the data written to the disk is removed. If the session terminates abnormally (power loss, system failure, etc.), the data left behind is encrypted and unusable to the user. The next time you start the virtual desktop, the encrypted data is removed.
FortiClient
Remote users can use the FortiClient software to initiate an SSL VPN tunnel to connect to the internal network.
FortiClient uses local port TCP 1024 to initiate an SSL encrypted connection to the FortiGate unit, on port TCP 443. When connecting using FortiClient, the FortiGate unit authenticates the FortiClient SSL VPN request based on the user group options. The FortiGate unit establishes a tunnel with the client and assigns a virtual IP address to the client PC. Once the tunnel has been established, the user can access the network behind the FortiGate unit.
FortiClient software can be downloaded from www.forticlient.com and is available for Windows, Mac OS X, Apple iOS, and Android.
Tunnel mode client configuration
The FortiClient SSL VPN tunnel client requires basic configuration by the remote user to connect to the SSL VPN tunnel. When distributing the FortiClient software, provide the following information for the remote user to enter once the client software has been started. Once the information is entered, the user can select Connect to begin an SSL VPN session.
Connection Name | If you have pre-configured the connection settings, select the connection from the list and then select Connect. Otherwise, enter the settings in the fields below. |
Remote Gateway | Enter the IP address or FQDN of the FortiGate unit that hosts the SSL VPN. |
Username | Enter your username. |
Client Certificate | Use this field if the SSL VPN requires a certificate for authentication. Select the required certificate from the drop-down list. The certificate must be installed in the Internet Explorer certificate store. |