Secure Socket Tunneling Protocol (SSTP) is a convenient option for remote access because it tunnels PPP traffic over HTTPS (TCP/443), making it highly likely to traverse restrictive firewalls and proxies. FortiGate firewalls can be configured to accept SSTP connections from Windows clients (or compatible clients) and provide secure access to your internal network. This guide walks through a practical, step-by-step configuration on FortiGate with enough technical detail for site administrators, enterprise IT staff, and developers.
Prerequisites and design considerations
Before you start, ensure the following:
- FortiGate running a FortiOS version that supports SSTP (confirm via your device documentation or Fortinet support).
- A publicly reachable IP or DNS name for the FortiGate’s WAN interface (clients will connect to this address).
- A valid SSL/TLS certificate matching the public DNS name (self-signed certificates can work for testing but are not recommended for production).
- A user database (local users, LDAP, RADIUS, or AD) for authentication.
- Appropriate licensing/features enabled on your FortiGate (SSL VPN functionality).
High-level topology
Typical topology for SSTP remote access:
- Remote client (Windows SSTP-capable) connects over the Internet to FortiGate WAN IP/DNS using SSTP (TCP/443).
- FortiGate authenticates the client (local/RADIUS/LDAP), establishes a virtual tunnel interface, and assigns an IP to the client from a defined pool or subnet.
- Traffic from the client traverses FortiGate policies to reach internal networks or the Internet (split tunneling controlled via routing & policies).
Step 1 — Obtain and install an SSL/TLS certificate
SSTP depends on HTTPS. Use a certificate trusted by clients to avoid connection warnings and authentication problems.
- Option A: Public CA — Purchase or obtain a certificate (e.g., Let’s Encrypt, commercial CA) for your public hostname (vpn.example.com). This is recommended for production.
- Option B: Internal CA or self-signed — For lab or tightly controlled environments, you can use an internal CA. Make sure to install the CA root certificate on all client machines so the certificate chain validates.
To upload a certificate in the FortiGate GUI: VPN > Certificates > Local Certificates > Import/Generate. Choose import if you have a PEM/PFX bundle. After import, verify the certificate shows as valid and matches the WAN DNS name.
Step 2 — Configure user authentication
Decide on the authentication backend:
- Local users — Good for small deployments or testing. Create users under User & Device > User & Authentication > User Definition and add them to a user group.
- LDAP/AD — Enterprise option for centralized credential management. Configure under User & Device > Authentication > LDAP Servers, then map LDAP groups.
- RADIUS — Useful for multi-factor or NAS-based solutions; configure RADIUS under User & Device > RADIUS Servers.
For Windows SSTP, the common authentication method is username/password (MS-CHAPv2). If you want certificate-based user authentication, ensure the FortiGate supports client certificate authentication and configure accordingly.
Step 3 — Configure the SSTP/SSL VPN settings on FortiGate
FortiGate typically exposes SSTP support as part of its SSL VPN functionality. The goal here is to enable SSTP access, bind the correct certificate, assign an IP pool, and configure the portal/profile (which resources the VPN user can access).
Using the GUI:
- Go to VPN > SSL-VPN Settings.
- Set the Listen on Interfaces to the WAN interface(s) that will accept incoming SSTP/SSL connections.
- Select the Server Certificate you uploaded in Step 1.
- Specify an IP Pool/Range for remote clients (a dedicated subnet that does not overlap local networks). For example, 10.100.100.0/24.
- Configure DNS servers and split tunneling settings (enable split tunneling to allow only selected traffic to go through the tunnel).
- If there is an explicit option to Enable SSTP, ensure it is enabled. If not explicitly shown, FortiGate’s SSL-VPN may accept SSTP clients when the SSL VPN service is configured with the certificate and interface.
Create or edit the SSL-VPN portal to define which internal subnets, bookmarks, or web resources are accessible. Portals define the client experience and permitted access. Assign this portal to the user group defined in Step 2.
Step 4 — Create firewall policies and routes
Once the tunnel is established, FortiGate treats the client as a local endpoint. You must create policies that allow traffic from the VPN subnet to internal resources, and possibly NAT rules for Internet access.
- Go to Policy & Objects > IPv4 Policy (or IPv6 if applicable).
- Create a policy with the VPN interface/IP pool or SSL-VPN tunnel as source, internal network(s) or Internet as destination, and allow required services (RDP, SMB, HTTP, ICMP, etc.).
- Enable logging and select appropriate security profiles (IPS, AV, Web Filter) depending on your compliance needs.
- Configure a static route if necessary: if the VPN pool is on a virtual interface, FortiGate typically knows to route it locally. For advanced topologies (DMZ, downstream routers), add routes so return traffic reaches the FortiGate.
For split tunneling, create policy rules that allow only internal network ranges through the VPN; the client sends all other Internet traffic through its local gateway.
Step 5 — NAT, port forwarding and firewall considerations
SSTP uses TCP port 443. If your FortiGate is behind another NAT device or load balancer, forward TCP/443 to the FortiGate WAN IP. Be careful with other services also using 443 (e.g., web servers). Options:
- Use a dedicated public IP/DNS for VPN traffic.
- Use a reverse proxy or port translation if necessary, but ensure the SSL certificate presented to clients matches the public DNS name.
- Allow established TCP connections in your perimeter ACLs and avoid deep packet inspection that might disrupt SSL tunneling.
Step 6 — Configure the Windows client
On a Windows 10/11 client (built-in SSTP support):
- Open Settings > Network & Internet > VPN > Add a VPN connection.
- Set VPN provider to Windows (built-in), Connection name to something memorable, Server name or address to the public DNS name of your FortiGate (e.g., vpn.example.com).
- Set VPN type to Secure Socket Tunneling Protocol (SSTP). For Authentication, choose Username and password or smart card/certificate if you configured user cert auth.
- Save and attempt to connect. If certificate validation fails, import the server certificate or CA root into the client’s Trusted Root Certification Authorities store.
For FortiClient, if it supports SSTP, create a new VPN connection and select SSTP with the same server name and credentials. FortiClient documentation will show the exact field mapping.
Step 7 — Testing and validation
Test from an external network (not inside the protected LAN). Key validation steps:
- Successful TCP connection to port 443 on your public address (telnet or TCP test tools).
- SSL certificate validation — browser or VPN client should not show certificate errors.
- Authentication — ensure users can authenticate and receive an IP from the configured pool.
- Connectivity tests — ping internal resources (if allowed), test RDP/SSH, verify DNS resolution and split tunneling behavior.
- Logging — check FortiGate logs for SSL-VPN / SSTP sessions under Log & Report and use real-time monitoring for active VPN sessions.
Troubleshooting common issues
Certificate validation errors
Ensure the certificate hostname matches the URL clients use. If using a self-signed or internal CA certificate, install the CA root certificate to client trust stores.
Connection refused or TCP/443 unreachable
Check that TCP/443 is open on any upstream firewalls or NAT devices and forwarded to the FortiGate. Verify that no other service is already listening on port 443.
Authentication failures
Confirm user credentials and that the correct authentication server (local/RADIUS/LDAP) is selected in the SSL-VPN user group. Review logs for authentication error messages and time/date sync issues (NTP) that may affect Kerberos/LDAP.
Traffic not reaching internal resources
Verify firewall policies allow traffic from the VPN subnet to destination networks, and ensure routing is correct. Check for accidental IP overlap between VPN pool and internal subnets.
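The pool overlap mentioned here, and the "dedicated subnet that does not overlap local networks" requirement in Step 3, are easy to check before the pool is ever typed into the GUI. The Python below is an added example, not code from the page's author or from Fortinet: it takes a candidate client pool and a named inventory of internal subnets, lists every overlap, and also collapses the internal prefixes into the minimal route list a split-tunnel portal would need to publish (Step 3 and Step 4). The subnet inventory and the pool 10.100.100.0/24 from Step 3 are constructed sample values; the function names are assumptions of this example.

```python
"""Client-pool overlap check for an SSL-VPN/SSTP deployment (added example).

All prefixes are constructed sample values, not a real network.
"""
from ipaddress import collapse_addresses, ip_network

# Constructed inventory of the networks the VPN pool must not overlap.
INTERNAL_SUBNETS = {
    "lan":       "192.168.10.0/24",
    "servers-a": "10.0.20.0/24",
    "servers-b": "10.0.21.0/24",   # adjacent to servers-a on purpose
    "dmz":       "172.16.5.0/24",
}


def find_overlaps(pool: str, subnets: dict[str, str]) -> list[str]:
    """Names of inventory subnets that share any address with the pool."""
    candidate = ip_network(pool, strict=True)   # strict: reject host bits set
    return sorted(name for name, cidr in subnets.items()
                  if candidate.overlaps(ip_network(cidr, strict=True)))


def pool_is_dedicated(pool: str, subnets: dict[str, str]) -> bool:
    """True when the pool touches none of the internal subnets."""
    return not find_overlaps(pool, subnets)


def split_tunnel_routes(subnets: dict[str, str]) -> list[str]:
    """Minimal prefix list to push to clients: adjacent subnets are merged so
    the portal carries as few routes as possible."""
    nets = [ip_network(cidr, strict=True) for cidr in subnets.values()]
    return [str(n) for n in collapse_addresses(nets)]


def usable_clients(pool: str) -> int:
    """Conservative capacity estimate: the pool treated as a subnet, with the
    network and broadcast addresses excluded."""
    return ip_network(pool, strict=True).num_addresses - 2


def pool_report(pool: str, subnets: dict[str, str]) -> dict:
    """One structure an admin can log or assert on before changing the FortiGate."""
    overlaps = find_overlaps(pool, subnets)
    return {
        "pool": pool,
        "dedicated": not overlaps,
        "overlaps": overlaps,
        "usable_clients": usable_clients(pool),
        "split_tunnel_routes": split_tunnel_routes(subnets),
    }


if __name__ == "__main__":
    for candidate in ("10.100.100.0/24", "10.0.20.128/25", "192.168.0.0/16"):
        print(pool_report(candidate, INTERNAL_SUBNETS))
```

A pool that fails the dedicated check must be changed, not worked around: a client whose tunnel address sits inside an internal subnet will have its return traffic routed to the wrong interface, which is exactly the "traffic not reaching internal resources" symptom above.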
Security best practices
- Use public CA certificates or a well-managed internal PKI with strict distribution of the root CA to clients.
- Enforce MFA where possible (RADIUS, AD with MFA, or token-based solutions).
- Harden the FortiGate management plane: restrict administrative access by IP, use secure management interfaces, and keep firmware up to date.
- Enable logging and monitoring for SSL-VPN sessions and integrate with SIEM for alerting on anomalous access.
- Define least-privilege access in SSL-VPN portals—only allow access to required applications/subnets.
Configuring SSTP on a FortiGate provides a robust option for remote access connectivity that circumvents common outbound filtering by leveraging HTTPS. By following a disciplined certificate strategy, careful firewall and routing configuration, and appropriate authentication and logging, you can deploy a reliable SSTP service for your users.
For more guides and VPN resources, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.