When vendors need access to Nerdio for Private Cloud (NPC) network resources, or when users need to reach those resources remotely from non-domain locations, you must first set up an SSL VPN portal in the FortiGate firewall.
There are five steps in the SSL VPN portal setup process for Nerdio for Private Cloud tenants.
Step I – Create the SSL VPN portal
Launch the FortiGate firewall management website and create an SSL VPN portal.
- Remote Desktop into one of the servers, such as FS01.
- Launch a browser and log in to Nerdio Admin Portal (https://app.nerdio.net).
- From the main menu on the left side, click Network - Firewall.
- This will take you to the FortiGate firewall management website.
- Within the firewall management website, go to VPN – SSL – Portals.
Click the Create New button to make a new portal. Fill in the below details (substituting info as appropriate):
- Name: <ID> User Portal
- Mark Enable Tunnel Mode
- Mark Enable Split Tunneling
- Routing Address: Select VLAN<ID>
- This is the hosted resource the remote users will access. With split tunneling enabled, only traffic destined for this address is sent through the VPN tunnel; the client's other traffic uses its local connection. Select the specific destination the users need, or select VLAN<ID> for all hosted network resources.
- Source IP Pools: Select SSLVPN_TUNNEL_ADDR1
- Client Options: Mark Save Password and Auto Connect
- Mark Enable Web Mode
- Portal Message: Nerdio <ID> SSL VPN Portal
- Unmark Include Status Information
- Unmark Include Connection Tool
- Mark Include FortiClient Download
- Mark Prompt Mobile Users to Download FortiClient Application
- Unmark Include Login History
- Mark Enable User Bookmarks
- Mark Limit Users to One SSL-VPN Connection at a Time.
- Select OK to save the portal configuration.
Note: For Routing Address, if the desired destination is not listed in the available options, contact Nerdio Support to have the Address Object created.
Step II – Create user group
Create a user group permitted to access the SSL VPN portal.
- Within the firewall management website, go to User & Device – User – User Groups.
Click Create New to create a new user group. Fill in the below information:
- Name: <ID> SSL VPN Users
- Type: Choose Firewall
- Members: Leave blank
- Under Remote Groups, click Create New to open the LDAP browser and choose a group from Active Directory.
- Remote Server: Select DC01
- Search for the desired group – this may be a Security or Distribution Group created either via the Nerdio Admin Portal (NAP) or manually in Active Directory. In most cases, Domain Users will be appropriate for all user access.
- Click on the desired group, then click Add Selected in the popup window to select the group.
- Add any other desired groups.
- Click OK, then OK to create the group.
Step III – Assign Portal to the User Group
Within the firewall management website, go to VPN – SSL – Settings.
Under the Authentication / Portal Mapping section, click Create New:
- Users/Groups: <Select the User Group created above>
- Realm: Leave at the default ‘/’
- Portal: <Select the SSL VPN portal created above>
- Click OK to save.
Select Apply at the bottom of the SSL Settings page to save the changes.
Step IV – Update or Create policy
Update the policy if one is already in place
1. Check your IPv4 Policies for a policy named "ssl.XXXX (VPN Interface)". If it exists, proceed to step 2. If it does not exist, go to the next section to create a policy that enables the SSL VPN portal.
2. Click the "edit" option for the ssl.XXXX (VPN Interface) policy.
3. Click the green "+" next to "Source User(s)" to append groups and users to the existing policy. Click OK to save after adding the desired users or groups.
Note: If you updated an existing policy, skip ahead to Step V.
Create a policy to enable the SSL VPN portal.
- Within the firewall management website, go to Policy & Objects – IPv4 – Policy.
Click Create New to make a new policy. Fill in the below info (be sure to match the values created in the SSL VPN Portal and User Group above):
- Incoming Interface: <ID> (SSL VPN interface)
- Source Address: all
- Source User(s): <ID> SSL VPN Users
- Outgoing Interface: <ID>_int
- Destination Address: VLAN<ID>
- Schedule: always
- Service: ALL
- Action: ACCEPT
- Unmark NAT and all options under Security Profiles, Traffic Shaping, and Logging Options.
- Comments: <ID> SSL VPN Portal
- Mark Enable this policy
- Click OK to create the policy.
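Because every setting in Steps I, II and IV is entered by hand in the GUI, it is easy to save a portal without split tunneling, a group with no Active Directory backing, or a policy that is not limited to the SSL VPN user group. The script below is an added example, not Nerdio's or Fortinet's code: it parses the config/edit/set/next/end text that the FortiGate CLI `show` command prints and checks those steps against the values the article specifies. The configuration sample inside it is constructed for a made-up tenant ID 1234, the LDAP DN and policy ID are invented, and the FortiOS option names (tunnel-mode, split-tunneling, split-tunneling-routing-address, ip-pools, limit-user-logins, srcintf, dstintf, groups, nat) are assumed to match the deployed FortiOS release.

```python
"""Audit a FortiOS config export against the Nerdio SSL VPN portal checklist.
Added example (not Nerdio's or Fortinet's code): it parses the config/edit/set/
next/end text that `show` prints and checks Steps I, II and IV. Option names are
assumed to match the deployed FortiOS release."""
import re
from typing import Dict, List
# Constructed sample export for tenant ID 1234 (DN and policy ID are made up).
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "1234 User Portal"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "VLAN1234"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set limit-user-logins enable
    next
end
config user group
    edit "1234 SSL VPN Users"
        config match
            edit 1
                set server-name "DC01"
                set group-name "CN=Domain Users,CN=Users,DC=example,DC=local"
            next
        end
    next
end
config firewall policy
    edit 42
        set srcintf "ssl.1234"
        set dstintf "1234_int"
        set dstaddr "VLAN1234"
        set groups "1234 SSL VPN Users"
        set action accept
        set nat disable
    next
end
"""
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) > 1 and tok[0] == tok[-1] == '"' else tok

def parse_fortios(text: str) -> Dict[str, dict]:
    """Nest FortiOS show output as table -> entry -> option; multi-value sets become lists."""
    root: Dict[str, dict] = {}
    stack: List[dict] = [root]          # innermost open config/edit block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[7:], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(_unquote(line[5:]), {}))
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            vals = [_unquote(v) for v in TOKEN_RE.findall(rest)]
            stack[-1][key] = vals[0] if len(vals) == 1 else vals
    return root

def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]

def audit_ssl_vpn(config: Dict[str, dict], tenant_id: str) -> List[str]:
    """Return findings; an empty list means the checked steps match the article."""
    findings: List[str] = []
    portal_name, group_name = f"{tenant_id} User Portal", f"{tenant_id} SSL VPN Users"
    portal = config.get("vpn ssl web portal", {}).get(portal_name, {})
    # Step I: tunnel mode with split tunnelling to the tenant VLAN only, one
    # session per user, and client addresses from the expected pool.
    for opt in ("tunnel-mode", "split-tunneling", "limit-user-logins"):
        if portal.get(opt) != "enable":
            findings.append(f"portal: {opt} not enabled")
    if not str(portal.get("split-tunneling-routing-address", "")).startswith("VLAN"):
        findings.append("portal: routing address is not a VLAN object")
    if portal.get("ip-pools") != "SSLVPN_TUNNEL_ADDR1":
        findings.append("portal: ip-pools is not SSLVPN_TUNNEL_ADDR1")
    # Step II: membership must come from Active Directory via DC01, not local users.
    matches = config.get("user group", {}).get(group_name, {}).get("match", {})
    if not any(m.get("server-name") == "DC01" for m in matches.values()):
        findings.append(f"group '{group_name}': no remote group from DC01")
    # Step IV: every policy from the SSL interface must be limited to the group,
    # point at the tenant VLAN through <ID>_int, accept, and not NAT.
    policies = [p for p in config.get("firewall policy", {}).values()
                if str(p.get("srcintf", "")).startswith("ssl.")]
    if not policies:
        findings.append("policy: no policy from the SSL VPN interface")
    for p in policies:
        if group_name not in _as_list(p.get("groups", [])):
            findings.append("policy: not restricted to the SSL VPN user group")
        if p.get("dstintf") != f"{tenant_id}_int" or not str(p.get("dstaddr", "")).startswith("VLAN"):
            findings.append("policy: destination is not the tenant VLAN")
        if p.get("action") != "accept" or p.get("nat") == "enable":
            findings.append("policy: action/NAT not as specified")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ssl_vpn(parse_fortios(SAMPLE_CONFIG), "1234") or ["checklist satisfied"]))
```

To audit a real tenant, replace SAMPLE_CONFIG with the output of `show vpn ssl web portal`, `show user group` and `show firewall policy` from the firewall CLI and pass the tenant ID in place of "1234". The Step III portal mapping is not checked here and still needs to be confirmed on the SSL Settings page.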
Step V – Testing
Test and verify the SSL VPN portal.
Sign in to the new portal from a non-Nerdio desktop or server at https://vpn<ID>.nerdio.net:4434. Enter the domain username and password and click Login. Once connected, you should be prompted to install the FortiClient browser extension, which enables tunnel access through the web browser.
Users may also install FortiClient (https://forticlient.com) and configure a new SSL VPN connection with the following settings:
- Server: vpn<ID>.nerdio.net
- Port: 4434