Day 18 – SSL VPN (Remote Access VPN) - Coggle Diagram
SSL VPN Overview
  What is SSL VPN
    Secure remote access for users over the Internet
    Uses SSL/TLS encryption (HTTPS)
    User-to-network VPN
  Why SSL VPN is Needed
    Remote work access
    Secure encrypted communication
    Authentication-based access
    No dedicated WAN links required
    Works through firewalls using TCP 443
  SSL VPN vs Site-to-Site VPN
    SSL VPN connects individual users
    IPsec site-to-site connects entire networks
    SSL VPN uses client software
    IPsec uses firewall appliances
SSL VPN Deployment Modes
  Tunnel Mode (Primary Focus)
    Creates virtual network adapter on client
    Uses FortiClient software
    Full access to internal network
  How Tunnel Mode Works
    User launches FortiClient
    SSL tunnel is established
    Virtual adapter is created
    Internal traffic flows through tunnel
  Benefits of Tunnel Mode
    More secure than web mode
    Supports all applications
    Industry-standard remote access
SSL VPN Portals
  What is an SSL VPN Portal
    Defines user access permissions
    Controls routing behavior
    Assigned per user or user group
  Portal Configuration Components
    Enable tunnel mode
    Enable or disable web mode
    Configure split tunneling
  Split Tunneling (Policy-Based Destination)
    Only selected internal subnets go through VPN
    Internet traffic goes directly to Internet
    Reduces VPN bandwidth usage
  Web Mode
    Browser-based access to resources
    Limited functionality
    Best practice is to disable unless required
IP Pools for SSL VPN
  What is an IP Pool
    Virtual IP address range for VPN users
    Assigned dynamically when users connect
  Why IP Pools Are Required
    Users need an internal IP address
    Required for routing and firewall policies
    Prevents IP conflicts
  IP Pool Best Practices
    Use dedicated subnet
    Avoid overlap with LAN networks
    Document IP pool usage
SSL VPN Settings
  SSL VPN Listener
    Defines where VPN connections are accepted
    Typically WAN interface
  Listener Parameters
    Interface (WAN)
    Port (Default TCP 443)
    SSL certificate for encryption
    Authentication realm
  Authentication Realms
    Controls who can connect
    Local users
    LDAP or Active Directory users
    RADIUS authentication
Firewall Policies for SSL VPN
  Why Firewall Policies Are Required
    VPN connection alone does not allow traffic
    Firewall must explicitly permit traffic
  Required Firewall Policies
    SSL VPN interface to LAN
    Optional LAN to SSL VPN
  Common Firewall Policy Issues
    Wrong source interface
    Incorrect address objects
    Missing logging
  Best Practices
    Restrict access to required resources
    Enable logging
    Apply least-privilege access
FortiClient Usage
  What is FortiClient
    Endpoint software for SSL VPN
    Creates secure tunnel to FortiGate
  FortiClient Connection Steps
    Install FortiClient
    Configure SSL VPN profile
    Enter VPN gateway IP and port
    Authenticate with username and password
    Virtual adapter receives IP from pool
  After Connection
    Access file servers
    Access RDP and internal applications
    Traffic is fully encrypted
Troubleshooting SSL VPN
  Routing Issues
    VPN connects but cannot reach internal network
    Missing routes
    Incorrect split tunnel configuration
  Permission Issues
    Firewall policy blocking traffic
    Wrong source or destination objects
    Security profiles blocking traffic
  Portal Issues
    Wrong portal assigned to user
    Tunnel mode disabled
    Incorrect destination subnets
  RAP Troubleshooting Method
    Routing – check routing table
    Addressing – verify IP pool and subnets
    Permissions – verify firewall policies
  Useful Checks
    SSL VPN logs
    FortiClient logs
    Firewall policy hit counters
    Routing table verification