AdminToolbox.FortiWizard

1.1.0.0

Public/Write-SSLVPNConfig.ps1

                                Function Write-SSLVPNConfig {

    <#

    .Description

    Creates a Fortigate Config Script for a simple SSL Client VPN implementation.

    .Parameter CommaSeperatedDNSSuffixes

    DNS Suffixes for Split DNS

    .Parameter DNofParentOU

    Distinguished Name of the Top Level OU for the authenticating Domain

    .Parameter DNSServerIP

    IPv4 address of the DNS server used by the SSLVPN clients

    .Parameter InternalLanSubnetMask

    Subnet mask of the LANIP to be accessed ex: 255.255.255.0

    .Parameter InternalLanIP

    IP Address thats matches the Host Minimum for the Subnet

    .Parameter LanInterfaceName

    Name of the LAN interface containing the to be accessed Subnet

    .Parameter LDAPServerFriendlyName

    Friendly Name for referencing the LDAP authentication server

    .Parameter ServiceAccountPassword

    Password of the Authenticating service account

    .Parameter ServiceAccountsAMAccountName

    sAMAccountName for the service account that will authenticate to the LDAP server. The Service account should have domain adming privleges and be denied logon locally

    .Parameter WanInterfaceName

    Name of the WAN interface where the incoming sslvpn Connections should originate.

    .Example

    $Params = @{

    CommaSeperatedDNSSuffixes    = "domain.com,domain2.com"

    DNofParentOU                 = "DC=domain,DC=COM"

    DNSServerIP                  = "192.168.0.1"

    InternalLanIP                = "192.168.0.0"

    InternalLanSubnetMask        = "255.255.255.0"

    LanInterfaceName             = "port2"

    LDAPSERVERFriendlyName       = "DomainLdap"

    ServiceAccountPassword       = "Password"

    ServiceAccountsAMAccountName = "fortigate"

    WanInterfaceName             = "port1"

    }

    Write-SSLVPNConfig @Params

    .Link

    https://github.com/TheTaylorLee/FortiWizard/tree/main/docs

    #>

    [CmdletBinding()]

    Param (

        [Parameter(Mandatory = $true)]$CommaSeperatedDNSSuffixes,

        [Parameter(Mandatory = $true)]$DNofParentOU,

        [Parameter(Mandatory = $true)][ValidatePattern('^[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}$')]$DNSServerIP,

        [Parameter(Mandatory = $true)][ValidateScript( {

                if ($_ -match '^[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}$') {

                    $true

                }

                else {

                    throw "$_ is an invalid pattern. You must provide a subnet mask and not a prefix."

                }

            })]$InternalLanSubnetMask,

        [Parameter(Mandatory = $true)][ValidatePattern('^[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}$')]$InternalLanIP,

        [Parameter(Mandatory = $true)]$LanInterfaceName,

        [Parameter(Mandatory = $true)]$LDAPServerFriendlyName,

        [Parameter(Mandatory = $true)]$ServiceAccountPassword,

        [Parameter(Mandatory = $true)]$ServiceAccountsAMAccountName,

        [Parameter(Mandatory = $true)]$WanInterfaceName

    )

    Write-Output "

#initial setup for enabling the Forticlient VPN Config

config user ldap

    edit ""$LDAPSERVERFriendlyName""

        set server $DNSServerIP

        set cnid sAMAccountName

        set dn ""$DNofParentOU""

        set type regular

        set username ""$ServiceAccountsAMAccountName""

        set password $ServiceAccountPassword

    next

end

config user group

    edit SSLVPNUsers

        set member ""$LDAPSERVERFriendlyName""

    next

end

config firewall address

    edit SSLVPN_TUNNEL_ADDR1

        set type iprange

        set associated-interface ssl.root

        set start-ip 10.212.134.1

        set end-ip 10.212.134.254

    next

end

config firewall address

    edit SSLVPN_InternalLan

        set visibility disable

        set subnet $InternalLanIP $InternalLanSubnetMask

    next

end

config vpn ssl web portal

    delete full-access

    delete web-access

    edit tunnel-access

        set tunnel-mode enable

        set ip-pools SSLVPN_TUNNEL_ADDR1

        set ipv6-tunnel-mode disable

        config split-dns

        edit 1

            set domains ""$CommaSeperatedDNSSuffixes""

            set dns-server1 $DNSServerIP

        next

        end

    next

    edit no-access

        set forticlient-download disable

    next

end

config vpn ssl settings

    set ssl-min-proto-ver tls1-0

    set idle-timeout 43200

    set auth-timeout 43200

    set tunnel-ip-pools SSLVPN_TUNNEL_ADDR1

    set dns-server1 $DNSServerIP

    set source-interface ""$WanInterfaceName""

    set source-address all

    set source-address6 all

    set default-portal no-access

    set port 10443

    config authentication-rule

        edit 1

            set groups SSLVPNUsers

            set portal tunnel-access

        next

    end

end

config firewall policy

    edit 0

        set name SSLVPN

        set srcintf ssl.root

        set dstintf ""$LanInterfaceName""

        set srcaddr all

        set dstaddr SSLVPN_InternalLan

        set action accept

        set schedule always

        set service ALL

        set utm-status enable

        set ssl-ssh-profile no-inspection

        set ips-sensor default

        set nat enable

        set groups SSLVPNUsers

    next

end"

}