Zit Seng's Blog

FortiGate WebVPN At NUS SoC

I originally intended to write just a simple support note for NUS School of Computing (SoC) users, pertaining to the WebVPN service that we use. However, I realised this information is likely just as useful to any user of FortiNet’s FortiGate SSL VPN solution. Web-based SSL VPNs are supposed to be nice and easy to use. Unfortunately, someone has to make it break.

That someone, in this case, is Google. They made Chrome break something that’s supposed to work very beautifully. When you’re a big company, and you have a product that’s sort of a de facto standard, you start to make things work differently, expecting everyone else to follow you.

Google cites security reasons for their need to break things. Good reason, perhaps, but I’m thinking that there had to be some better ways to address the issue, instead of leaving innocent users in the lurch.

For NUS SoC users, you should know that we have a really nice SSL VPN service (https://webvpn.comp.nus.edu.sg). This sort of VPN is often referred to as WebVPN, because it seems that you simply use a web browser to launch a VPN. The truth is that a client, including a browser plugin, actually gets installed and the magic is handled in this layer. You’re still installing native client software, but the installation process is just made a lot less painful. The VPN start and stop process is also made web-based, and because it happens in a browser, users feel it’s a lot less intimidating.

So, with the FortiGate VPN that SoC uses, you could use a browser on Windows and Mac OS X to really conveniently install, start, and stop the VPN. It works in Safari. It works in Firefox. It used to work in Chrome.

Then Google decided to make things break. They’ve disabled NPAPI, a particular type of browser plugin API, since Chrome version 42. The FortiGate VPN client plugin depends on this API, as do a bunch of other plugins. For Chrome users, you’ve got a couple of choices:

  1. Switch to the Firefox browser, or something else that still supports NPAPI. On Mac OS X, Safari works great too.
  2. Manually run the native FortiClient software and manage the VPN from there.
  3. Use a temporary workaround to reenable NPAPI support. However, NPAPI will be permanently removed from Chrome version 45 onwards.

To reenable NPAPI support, open Chrome to the location chrome://flags/#enable-npapi. Then, click on the Enable link under Enable NPAPI. Refer to this Chrome support page for more details.

As mentioned, this will not work from Chrome version 45 onwards. As of this writing, the current version of Chrome is 43.0.2357.130.

I personally dislike using the FortiClient software, because it tries to do more than what I need it to do, which is simply establishing a VPN connection. However, I also dislike having to run two browsers, because at this time I still much prefer Chrome for my primary web surfing needs.

Perhaps the best solution is for FortiNet to update their browser plugin to use an API that Google has blessed. However, I’m afraid that we’ll likely need quite a bit of patience for this to happen.

PS: For avoidance of doubt, NUS SoC WebVPN is different from NUS WebVPN. The latter is for all NUS users, but the former is only for SoC users. They use different SSL VPN solutions too. NUS’ WebVPN requires Java, which also uses NPAPI, and hence is also affected in the same way.
