NOTE: These steps were performed on a Fortigate 60-D. The concepts are the same across all devices, the menus vary just slightly between models.
1. Configuring a VPN User Account
Log into the Fortigate and go to User & Device > User > User Definition and create a new user account:
2. Create Web Portal For End User
The main thing to note on this screen is the IP Pool. By default it uses the built-in SSLVPN pool for the addresses handed to incoming VPN connections. You can modify the scope/subnet in Firewall Objects > Address > Addresses if the range conflicts with your network. Add a tagline, theme, and layout as you prefer. It really depends on your users and not overloading them with options. On the larger Fortigate units, you can create multiple portal pages for different groups of users. Smaller customers typically use it for the VPN connection and not much else.
3. Create a Security Policy
I typically create two security policies to accommodate the VPN traffic. Obviously, you can widen or narrow what you're granting access to. In this example we are giving the remote user access to the entire LAN behind the Fortigate.
This is essentially the NONAT policy between the VPN subnet and destination internal network.
Under the Configure SSL-VPN Authentication Roles section, you can click the Create button to add the vpnuser we created initially. You can of course add a group and select the portal that user/group will see.
4. Certs, Timeouts, DNS
Confirm your IP Pool, a Self-Signed cert is fine for now, and make sure the DNS servers specified are correct for your internal network. You'll most likely want your users to resolve internal hostnames correctly.
5. Grab a beer
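For reference, here is the CLI equivalent of steps 1 through 4 above, as an added example rather than the original post's own configuration. It assumes FortiOS 5.2-or-later CLI syntax; the interface names (wan1, internal), the DNS server address, the policy ID and the group name are placeholders to adjust for your network.

```text
# Added example, assumes FortiOS 5.2-or-later CLI; wan1, internal,
# 192.168.1.10, policy ID 10 and the group name are placeholders.
config user local
    edit "vpnuser"
        set passwd "CHANGE-ME-placeholder"
    next
end
config user group
    edit "sslvpn-users"
        set member "vpnuser"
    next
end
# Step 2: tunnel-mode portal drawing from the default SSLVPN address pool.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
# Step 4: listener, certificate, DNS, idle timeout; map the group to the portal.
# Fortinet_Factory is the built-in self-signed cert; swap in a CA-signed one before rollout.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set dns-server1 192.168.1.10
    set idle-timeout 300
    set source-interface "wan1"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
    end
end
# Step 3: no-NAT policy from the VPN pool to the whole LAN, logged; narrow dstaddr/service where you can.
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
        set nat disable
        set logtraffic all
    next
end
```

After applying it, `get vpn ssl monitor` on the CLI lists the connected users and their assigned pool addresses, which is the quickest check that the pool and policy line up.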