Fortinet FortiGate v3.0 MR7 User Manual
Page 55
Configuring authenticated access
VPN authentication
FortiOS v3.0 MR7 User Authentication User Guide
01-30007-0347-20080828
To enable strong authentication for an SSL VPN
1. Go to VPN > SSL > Config.
2. Select Require Client Certificate, and then select Apply.
3. Go to Firewall > Policy.
4. Select the Edit icon in the row that corresponds to the firewall policy for traffic generated by holders of the group certificate.
5. Select SSL Client Certificate Restrictive.
6. Select OK.
For information about how to create user accounts and user groups, see the
. For detailed information about configuring SSL
VPNs, se
Configuring authentication of VPN peers and clients
After the required server or group certificates and CA root certificates have been
installed on the VPN peers and clients, the peers and clients identify themselves
using those certificates when prompted by the FortiGate unit. The FortiGate unit
provides its public key to the remote peer or client so that the remote peer or client
can send encrypted messages to the FortiGate unit. Conversely, the remote peer
or client provides its public key to the FortiGate unit, which uses the key to encrypt
messages destined for the remote peer or client.
Configuring authentication of PPTP VPN users/user groups
To configure authentication for a PPTP VPN - web-based manager
1. Configure the users who are permitted to use this VPN. Create a user group and add them to it. For more information, see “Users/peers and user groups” on page 33.
2. Go to VPN > PPTP.
Figure 27: PPTP VPN Range settings
3. Select Enable PPTP.
Note: The SSL protocol requires that the FortiGate unit identify itself whenever a web
browser accesses the web portal login page through an HTTPS link. If you would like to
configure the FortiGate unit to identify itself using a CA-issued server certificate instead of
the factory-installed self-signed certificate, select the name of the signed server certificate
from the Server Certificate list on the SSL-VPN Settings page when you enable strong
authentication for SSL VPN users. The server certificate must be installed before you can
select it from the list. For more information about server certificates, see the
.