Public/Write-SSLVPNConfig.ps1
Function Write-SSLVPNConfig { <# .Link https://github.com/TheTaylorLee/FortiWizard/tree/main/docs #> [CmdletBinding()] Param ( [Parameter(Mandatory = $true)]$CommaSeperatedDNSSuffixes, [Parameter(Mandatory = $true)]$DNofParentOU, [Parameter(Mandatory = $true)][ValidatePattern('^[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}$')]$DNSServerIP, [Parameter(Mandatory = $true)][ValidateScript( { if ($_ -match '^[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}$') { $true } else { throw "$_ is an invalid pattern. You must provide a subnet mask and not a prefix." } })]$InternalLanSubnetMask, [Parameter(Mandatory = $true)][ValidatePattern('^[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}$')]$InternalLanIP, [Parameter(Mandatory = $true)]$LanInterfaceName, [Parameter(Mandatory = $true)]$LDAPServerFriendlyName, [Parameter(Mandatory = $true)]$ServiceAccountPassword, [Parameter(Mandatory = $true)]$ServiceAccountsAMAccountName, [Parameter(Mandatory = $true)]$WanInterfaceName ) Write-Output " #initial setup for enabling the Forticlient VPN Config config user ldap edit ""$LDAPSERVERFriendlyName"" set server $DNSServerIP set cnid sAMAccountName set dn ""$DNofParentOU"" set type regular set username ""$ServiceAccountsAMAccountName"" set password $ServiceAccountPassword next end config user group edit SSLVPNUsers set member ""$LDAPSERVERFriendlyName"" next end config firewall address edit SSLVPN_TUNNEL_ADDR1 set type iprange set associated-interface ssl.root set start-ip 10.212.134.1 set end-ip 10.212.134.254 next end config firewall address edit SSLVPN_InternalLan set visibility disable set subnet $InternalLanIP $InternalLanSubnetMask next end config vpn ssl web portal delete full-access delete web-access edit tunnel-access set tunnel-mode enable set ip-pools SSLVPN_TUNNEL_ADDR1 set ipv6-tunnel-mode disable config split-dns edit 1 set domains ""$CommaSeperatedDNSSuffixes"" set dns-server1 $DNSServerIP next end next edit no-access set forticlient-download disable next end config vpn ssl settings set ssl-min-proto-ver tls1-0 set idle-timeout 43200 set auth-timeout 43200 set tunnel-ip-pools SSLVPN_TUNNEL_ADDR1 set dns-server1 $DNSServerIP set source-interface ""$WanInterfaceName"" set source-address all set source-address6 all set default-portal no-access set port 10443 config authentication-rule edit 1 set groups SSLVPNUsers set portal tunnel-access next end end config firewall policy edit 0 set name SSLVPN set srcintf ssl.root set dstintf ""$LanInterfaceName"" set srcaddr all set dstaddr SSLVPN_InternalLan set action accept set schedule always set service ALL set utm-status enable set ssl-ssh-profile 'Block Malicious' set ips-sensor default set nat enable set groups SSLVPNUsers next end" } |