Public/Write-SSLVPNConfig.ps1
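Function Write-SSLVPNConfig {
    <#
    .Description
    Creates a Fortigate Config Script for a simple SSL Client VPN implementation.
    The function only emits the script as text; nothing is applied to a firewall unless
    the caller sends the output (see the Invoke-SSHCommand examples). The emitted script
    contains the LDAP bind password in clear text, so do not write the output to disk,
    logs or PowerShell transcripts.
    .Parameter CommaSeperatedDNSSuffixes
    DNS Suffixes for Split DNS
    .Parameter DNofParentOU
    Distinguished Name of the Top Level OU for the authenticating Domain
    .Parameter DNSServerIP
    IPv4 address of the DNS server used by the SSLVPN clients. The same address is used
    as the LDAP server address in the generated config.
    .Parameter InternalCIDR
    CIDR Address for the allowed LAN subnet
    .Parameter SSLClientCIDR
    CIDR Address for the subnet being handed out to SSLVPN Clients
    .Parameter LanInterfaceName
    Name of the LAN interface containing the to be accessed Subnet
    .Parameter LDAPServerFriendlyName
    Friendly Name for referencing the LDAP authentication server
    .Parameter ServiceAccountPassword
    Password of the Authenticating service account (emitted in clear text in the script)
    .Parameter ServiceAccountsAMAccountName
    sAMAccountName for the service account that will authenticate to the LDAP server.
    The Service account should have domain admin privileges and be denied logon locally.
    NOTE(review): a regular LDAP bind account normally only needs read access to the
    directory; confirm whether domain-admin rights are really required before granting them.
    .Parameter WanInterfaceName
    Name of the WAN interface where the incoming sslvpn Connections should originate.
    .Example
    $Params = @{
        CommaSeperatedDNSSuffixes    = "domain.com,domain2.com"
        DNofParentOU                 = "DC=domain,DC=COM"
        DNSServerIP                  = "192.168.0.1"
        InternalCIDR                 = "192.168.56.0/24"
        SSLClientCIDR                = "10.212.134.0/24"
        LanInterfaceName             = "port2"
        LDAPSERVERFriendlyName       = "DomainLdap"
        ServiceAccountPassword       = "Password"
        ServiceAccountsAMAccountName = "fortigate"
        WanInterfaceName             = "port1"
    }
    Write-SSLVPNConfig @Params
    .Example
    New-SSHSession -computername 192.168.0.1
    $Params = @{
        CommaSeperatedDNSSuffixes    = "domain.com,domain2.com"
        DNofParentOU                 = "DC=domain,DC=COM"
        DNSServerIP                  = "192.168.0.1"
        InternalCIDR                 = "192.168.56.0/24"
        SSLClientCIDR                = "10.212.134.0/24"
        LanInterfaceName             = "port2"
        LDAPSERVERFriendlyName       = "DomainLdap"
        ServiceAccountPassword       = "Password"
        ServiceAccountsAMAccountName = "fortigate"
        WanInterfaceName             = "port1"
    }
    $command = Write-SSLVPNConfig @Params
    $result = Invoke-SSHCommand -Command $command -SessionId 0
    $result.output

    This example generates an SSH session and invokes the output of this function against that session.
    .Example
    New-SSHSession -computername 192.168.0.1
    New-SSHSession -computername 192.168.1.1
    $Params = @{
        CommaSeperatedDNSSuffixes    = "domain.com,domain2.com"
        DNofParentOU                 = "DC=domain,DC=COM"
        DNSServerIP                  = "192.168.0.1"
        InternalCIDR                 = "192.168.56.0/24"
        SSLClientCIDR                = "10.212.134.0/24"
        LanInterfaceName             = "port2"
        LDAPSERVERFriendlyName       = "DomainLdap"
        ServiceAccountPassword       = "Password"
        ServiceAccountsAMAccountName = "fortigate"
        WanInterfaceName             = "port1"
    }
    $command = Write-SSLVPNConfig @Params
    $sessions = Get-SSHSession
    foreach ($session in $sessions) {
        Write-Output "Invoking Command against $session.host"
        $result = Invoke-SSHCommand -Command $command -SessionId $session.sessionID
        $result.output
    }

    This example generates multiple SSH sessions and invokes the output of this function against all active sessions.
    .Link
    https://github.com/TheTaylorLee/FortiWizard/tree/main/docs
    #>

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)]$CommaSeperatedDNSSuffixes,
        [Parameter(Mandatory = $true)]$DNofParentOU,
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}$')]
        $DNSServerIP,
        # Both CIDR parameters are dereferenced unconditionally below, so they must be
        # mandatory; the prefix length is restricted to 0-32 (the old pattern accepted
        # two-digit values such as /99 and rejected single-digit ones such as /8).
        [Parameter(Mandatory = $true)]
        [ValidateScript( {
                if ($_ -match '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$') { $true }
                else { throw "$_ is an invalid pattern. You must provide a proper CIDR format. ex: 192.168.0.0/24" }
            })]
        $InternalCIDR,
        [Parameter(Mandatory = $true)]
        [ValidateScript( {
                if ($_ -match '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$') { $true }
                else { throw "$_ is an invalid pattern. You must provide a proper CIDR format. ex: 192.168.0.0/24" }
            })]
        $SSLClientCIDR,
        [Parameter(Mandatory = $true)]$LanInterfaceName,
        [Parameter(Mandatory = $true)]$LDAPServerFriendlyName,
        [Parameter(Mandatory = $true)]$ServiceAccountPassword,
        [Parameter(Mandatory = $true)]$ServiceAccountsAMAccountName,
        [Parameter(Mandatory = $true)]$WanInterfaceName
    )

    # Every parameter is interpolated verbatim into the multi-line CLI script below, so a
    # value carrying a line break could splice extra commands into the generated script.
    foreach ($bound in $PSBoundParameters.GetEnumerator()) {
        if ("$($bound.Value)" -match '[\r\n]') {
            throw "Parameter $($bound.Key) must not contain line breaks."
        }
    }

    # Network address and mask of the internal subnet (Invoke-PSipcalc is a module helper).
    $calc = Invoke-PSipcalc $InternalCIDR
    $IPAddress = $calc.IP
    $SubnetMask = $calc.SubnetMask

    # First and last usable host of the client pool, used as the SSLVPN address range.
    $SSLClientcalc = Invoke-PSipcalc $SSLClientCIDR
    $SSLClientStartIP = $SSLClientcalc.HostMin
    $SSLClientEndIP = $SSLClientcalc.HostMax

    # The script is built as an expandable here-string: $variables interpolate and literal
    # double quotes need no escaping. The minimum SSL VPN protocol version is TLS 1.2;
    # TLS 1.0/1.1 are deprecated, so lower it explicitly only if legacy clients require it.
    Write-Output @"
config user ldap
edit "$LDAPServerFriendlyName"
set server $DNSServerIP
set cnid sAMAccountName
set dn "$DNofParentOU"
set type regular
set username "$ServiceAccountsAMAccountName"
set password $ServiceAccountPassword
next
end
config user group
edit SSLVPNUsers
set member "$LDAPServerFriendlyName"
next
end
config firewall address
edit "SSLVPN_TUNNEL_$SSLClientCIDR"
set type iprange
set associated-interface ssl.root
set start-ip $SSLClientStartIP
set end-ip $SSLClientEndIP
next
end
config firewall address
edit "SSLVPN_Internal_$InternalCIDR"
set visibility disable
set subnet $IPAddress $SubnetMask
next
end
config vpn ssl web portal
delete full-access
delete web-access
edit tunnel-access
set tunnel-mode enable
set ip-pools "SSLVPN_TUNNEL_$SSLClientCIDR"
set ipv6-tunnel-mode disable
config split-dns
edit 1
set domains "$CommaSeperatedDNSSuffixes"
set dns-server1 $DNSServerIP
next
end
next
edit no-access
set forticlient-download disable
next
end
config vpn ssl settings
set ssl-min-proto-ver tls1-2
set idle-timeout 43200
set auth-timeout 43200
set tunnel-ip-pools "SSLVPN_TUNNEL_$SSLClientCIDR"
set dns-server1 $DNSServerIP
set source-interface "$WanInterfaceName"
set source-address all
set source-address6 all
set default-portal no-access
set port 10443
config authentication-rule
edit 1
set groups SSLVPNUsers
set portal tunnel-access
next
end
end
config firewall policy
edit 0
set name SSLVPN
set srcintf ssl.root
set dstintf "$LanInterfaceName"
set srcaddr all
set dstaddr "SSLVPN_Internal_$InternalCIDR"
set action accept
set schedule always
set service ALL
set utm-status enable
set ssl-ssh-profile certificate-inspection
set ips-sensor default
set nat enable
set groups SSLVPNUsers
next
end
"@
}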