For an SSL VPN connection to be established, the incoming traffic from the user must be explicitly permitted by a firewall policy. This policy's source must include the user, their user group, and/or their source IP address, with the destination interface being the SSL VPN interface (e.g., ssl.root). If some users can connect while others cannot, a common cause is that the failing users are not included in the source definition of the allowing firewall policy. Therefore, the first logical step is to check the firewall traffic logs to verify if the connection attempts from the affected users are matching the correct policy or are being denied.

A. Ensure that the affected users are using the correct port number.

This is a client-side setting. While possible, it's less likely to be the root cause for a group of users, and checking server-side policy is a more efficient first step for the administrator.

C. Ensure that forced tunneling is enabled to reroute all traffic through the SSL VPN.

Tunneling mode (split vs. forced) affects traffic routing after a successful VPN connection is established. It does not impact the ability to establish the initial connection.

D. Ensure that the HTTPS service is enabled on SSL VPN tunnel interface.

The HTTPS service must be enabled on the public-facing (WAN) interface to accept incoming connections, not on the virtual SSL VPN tunnel interface, which represents the tunnel post-establishment.

1. FortiOS 7.6 Administration Guide

"SSL VPN" chapter

section "Firewall policy".

Reference Detail: The guide states

"You must configure a security policy to allow access to the network through the SSL VPN tunnel." It details that the policy must have the SSL VPN interface as the destination and the remote user/user group as the source. This confirms that a policy mismatch is a primary reason for connection failure.

2. FortiOS 7.6 Administration Guide

"Troubleshooting" chapter

section "Diagnosing and solving common problems".

Reference Detail: This section outlines standard troubleshooting methodology

which prioritizes checking logs to see if traffic is being blocked by a firewall policy. For SSL VPN

this involves verifying that the user's connection attempt is hitting the intended policy and not an implicit or explicit deny rule.

3. Fortinet Cookbook

"SSL VPN for remote users" recipe for FortiOS 7.6.

Reference Detail: The recipe explicitly shows the creation of a firewall policy from the WAN interface to the ssl.root interface

with the Source field containing the user group created for SSL VPN users. This highlights the direct link between user group membership and the policy that permits the connection.