I Want to Set up SSL VPN Portal

When vendors need access to Nerdio for Private Cloud (NPC) network resources, or when users need to reach network resources remotely from non-domain locations, you must first set up an SSL VPN portal in the Fortigate firewall.

There are five steps in the SSL VPN portal setup process for Nerdio for Private Cloud tenants.

Step I – Create the SSL VPN portal

Launch the Fortigate firewall management website and create an SSL VPN portal.

  1. Remote Desktop into one of the servers, such as FS01.
  2. Launch a browser and log in to the Nerdio Admin Portal (https://app.nerdio.net).
  3. From the main menu on the left side, click Network - Firewall.
  4. This takes you to the Fortigate firewall management website.
  5. Within the firewall management website, go to VPN – SSL – Portals.
    [Screenshot: SSLVPN1.png]
  6. Click the Create New button to create a new portal. Fill in the details below (substituting information as appropriate):

    • Name: <ID> User Portal
    • Mark Enable Tunnel Mode
    • Mark Enable Split Tunneling
    • Routing Address: Select VLAN<ID>
      • This is the hosted resource the remote users will access. Select the appropriate destination, or select VLAN<ID> for all hosted network resources.
    • Source IP Pools: Select SSLVPN_TUNNEL_ADDR1
    • Client Options: Mark Save Password and Auto Connect
    • Mark Enable Web Mode
    • Portal Message: Nerdio <ID> SSL VPN Portal
    • Unmark Include Status Information
    • Unmark Include Connection Tool
    • Mark Include FortiClient Download
    • Mark Prompt Mobile Users to Download FortiClient Application
    • Unmark Include Login History
    • Mark Enable User Bookmarks
    • Mark Limit Users to One SSL-VPN Connection at a Time.
  7. Select OK to save the portal configuration.
    [Screenshot: SSLVPN2.png]
    Note: For Routing Address, if the desired destination is not listed in the available options, contact Nerdio Support to have the Address Object created.

Step II – Create user group

Create a user group permitted to access the SSL VPN portal.

  1. Within the firewall management website, go to User & Device – User – User Groups.
    [Screenshot: SSLVPN3.png]
  2. Click Create New to create a new user group. Fill in the below information:

    • Name: <ID> SSL VPN Users
    • Type: Choose Firewall
    • Members: Leave blank
    • Under Remote Groups, click Create New to open the LDAP browser and choose a group from Active Directory.
      • Remote Server: Select DC01
      • Search for the desired group – this may be a Security or Distribution Group created either via NAP or in Active Directory manually. In most cases, Domain Users will be appropriate for all user access.
      • Click on the desired group, then click Add Selected in the popup window to select the group.
      • Add any other desired groups
        [Screenshot: SSLVPN4.png]
    • Click OK, then OK to create the group.

Step III – Assign Portal to the User Group

Within the firewall management website, go to VPN – SSL – Settings.

Under the Authentication / Portal Mapping section, click Create New:

  • Users/Groups: <Select the User Group created above>
  • Realm: Leave at the default ‘/’
  • Portal: <Select the SSL VPN portal created above>
  • Click OK to save

Select Apply at the bottom of the SSL Settings page to save the changes.

Step IV – Update or Create Policy

Update the policy if one is already in place:

  1. Check your IPv4 Policies for a policy named "ssl.XXXX (VPN Interface)". If it exists, proceed to step 2; if it does not, go to the next section to create a policy that enables the SSL VPN portal.
  2. Click the Edit option for the ssl.XXXX (VPN Interface) policy.
  3. Click the green "+" for Source User(s) to append groups and users to the existing policy. Click OK to save after adding the desired users or groups.
    [Screenshot: SSLVPN6.png]

Note: If you updated your current policy, proceed to Step V.

Create a policy to enable the SSL VPN portal:

  1. Within the firewall management website, go to Policy & Objects – IPv4 – Policy.
    [Screenshot: SSLVPN5.png]
  2. Click Create New to make a new policy. Fill in the information below (be sure to match the values entered for the SSL VPN Portal and User Group above):

    • Incoming Interface: <ID> (SSL VPN interface)
    • Source Address: all
    • Source User(s): <ID> SSL VPN Users
    • Outgoing Interface: <ID>_int
    • Destination Address: VLAN<ID>
    • Schedule: always
    • Service: ALL
    • Action: ACCEPT
    • Unmark NAT, and all options under Security Profiles, Traffic Shaping, and Logging Options.
    • Comments: <ID> SSL VPN Portal
    • Mark Enable this policy
  3. Click OK to create the policy.

    [Screenshot: SSLVPN6.png]
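The same four steps expressed in the FortiOS CLI, added here as an illustration (not code from the article or from Nerdio) so the GUI values entered above can be compared against the running configuration with `show`. The object names containing <ID>, the LDAP server object DC01, the ssl.<ID> interface name and the Domain Users DN are assumptions derived from the placeholders above, and CLI keywords can differ slightly between FortiOS releases.

```fortios
# Step I: portal (GUI VPN > SSL > Portals); mirrors the values in the article
config vpn ssl web portal
    edit "<ID> User Portal"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "VLAN<ID>"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set web-mode enable
        set heading "Nerdio <ID> SSL VPN Portal"
        set forticlient-download enable
        set user-bookmark enable
        set limit-user-logins enable
    next
end
# Step II: group matched to an AD group via LDAP server object DC01; the DN is an assumed placeholder
config user group
    edit "<ID> SSL VPN Users"
        set member "DC01"
        config match
            edit 1
                set server-name "DC01"
                set group-name "CN=Domain Users,CN=Users,DC=<domain>,DC=<tld>"
            next
        end
    next
end
# Step III: map the group to the portal on the listener the test step uses (port 4434)
config vpn ssl settings
    set port 4434
    config authentication-rule
        edit 1
            set groups "<ID> SSL VPN Users"
            set portal "<ID> User Portal"
        next
    end
end
# Step IV: policy from the SSL VPN interface into VLAN<ID>, NAT off as in the article
config firewall policy
    edit 0
        set name "<ID> SSL VPN Portal"
        set srcintf "ssl.<ID>"
        set dstintf "<ID>_int"
        set srcaddr "all"
        set dstaddr "VLAN<ID>"
        set groups "<ID> SSL VPN Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```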

Step V – Testing

Test and verify the SSL VPN portal.

Sign in to the new portal from a non-Nerdio desktop or server at https://vpn<ID>.nerdio.net:4434. Enter the domain username and password, and click Login. Once connected, there should be a prompt to install the FortiClient web browser extension to enable tunnel access through the web browser.

Users may also install FortiClient (https://forticlient.com) and configure a new SSL VPN connection with the following settings:

  • Server: vpn<ID>.nerdio.net
  • Port: 4434
