sdebnath
Staff
March 31, 2025

Troubleshooting Tip: SSL VPN through a perimeter FortiGate is not working

Description: This article describes a structured approach to configuring SSL VPN in a dual-FortiGate setup, where the SSL VPN terminates on an internal FortiGate that sits behind a perimeter FortiGate.
Scope: FortiGate.
Solution

In a network setup where an External (perimeter) FortiGate fronts the Internet and an Internal FortiGate secures internal resources, the SSL VPN terminates on the Internal FortiGate. Remote users reach it by connecting to the External FortiGate's public IP, which forwards the SSL VPN port to the Internal FortiGate, so that remote users can securely connect to the internal LAN.

 

Network Topology:

 

Remote Users (SSL_Client) -> Internet -> External FortiGate (VIP / port forward) -> Internal FortiGate (SSL VPN) -> Internal LAN.

Configuration of the SSL VPN behind a perimeter FortiGate:


Because the Internal FortiGate's only path to the Internet is through the External FortiGate, the External FortiGate must publish the Internal FortiGate's SSL VPN listener with a Virtual IP (VIP). The VIP performs destination NAT: traffic arriving on the External FortiGate's WAN interface for the SSL VPN port is rewritten to the Internal FortiGate's WAN IP, and a firewall policy must then allow it.

Port Forwarding (VIP) on the Perimeter FortiGate:

  • Interface: WAN interface (the interface on which the public IP is configured).

  • External IP: 0.0.0.0 (match the WAN interface's own IP address).

  • Mapped IP: 192.168.x.x (the Internal FortiGate's WAN IP, as seen from the Perimeter FortiGate).

  • External Service Port: 4433 (the port remote users connect to).

  • Mapped Port: 4433 (must match the port configured under SSL VPN settings on the Internal FortiGate).

Port 4433 must not already be in use on the Perimeter FortiGate's WAN interface, for example by its own SSL VPN listener or by the HTTPS administrative port; a local listener on the same port takes precedence and the VIP will not forward the traffic.

 

Firewall policy on the perimeter FortiGate:

A policy needs to allow the expected traffic through the configured VIP to the internal firewall: source interface WAN, destination interface the one facing the Internal FortiGate, source address all (or the remote users' address range if known), destination address the VIP object, and service restricted to TCP/4433 rather than ALL. Leave NAT disabled on this policy so that the Internal FortiGate sees the real remote client IP in its SSL VPN logs; the Internal FortiGate already routes return traffic through the External FortiGate, so source NAT is not needed.
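The VIP, the service object and the policy above, plus the matching SSL VPN listener on the Internal FortiGate, expressed as FortiOS CLI. This is an added example, not configuration from the original article; the interface names (wan1, internal), the VIP and policy names, and the address 192.168.10.2 are assumptions and must be replaced with your own values.

```fortios
# ----- Perimeter (External) FortiGate -----

# VIP: DNAT anything arriving on wan1's own IP at TCP/4433 to the Internal
# FortiGate's WAN IP on the same port. extip 0.0.0.0 = use the interface IP.
config firewall vip
    edit "VIP_INTFGT_SSLVPN_4433"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip "192.168.10.2"
        set portforward enable
        set protocol tcp
        set extport 4433
        set mappedport 4433
    next
end

# Custom service so the policy only permits the SSL VPN port, not ALL.
config firewall service custom
    edit "TCP_4433_SSLVPN"
        set tcp-portrange 4433
    next
end

# Policy: WAN -> interface facing the Internal FortiGate, destination = the VIP.
# NAT stays disabled so the Internal FortiGate logs the real client source IP.
config firewall policy
    edit 0
        set name "WAN_to_IntFGT_SSLVPN"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP_INTFGT_SSLVPN_4433"
        set action accept
        set schedule "always"
        set service "TCP_4433_SSLVPN"
        set nat disable
        set logtraffic all
    next
end

# ----- Internal FortiGate -----

# The SSL VPN listener must be on the same port the VIP maps to (4433) and
# must be bound to the interface that faces the Perimeter FortiGate.
config vpn ssl settings
    set port 4433
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
end
```

On the Perimeter FortiGate, `diagnose firewall iprope list` shows whether the policy is installed, and `show firewall vip` confirms the VIP object; on the Internal FortiGate, `show vpn ssl settings` should report the same port the VIP maps to.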

 

Testing SSL VPN Connection via FortiClient Through the Perimeter FortiGate to the Internal LAN:

  • Remote Gateway: <Perimeter_FortiGate_Public_IP> (the WAN IP the VIP is bound to, not the Internal FortiGate's address).
  • Port: 4433 (the VIP's external service port).
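If the FortiClient connection still fails, the following FortiOS CLI diagnostics on the Perimeter FortiGate show whether the VIP and policy are actually forwarding the SSL VPN traffic. This is an added troubleshooting example, not part of the original article; the interface names and the sample addresses (203.0.113.50 for the remote client, 198.51.100.10 for the Perimeter FortiGate's WAN IP, 192.168.10.2 for the Internal FortiGate) are assumptions, and the sniffer lines shown as comments are a constructed illustration of the expected shape.

```fortios
# 1. Packet capture on all interfaces for the SSL VPN port, verbosity 4
#    (prints interface name and direction). Start this, then connect
#    from FortiClient.
diagnose sniffer packet any 'tcp port 4433' 4 0 l

# Constructed sample of a working forward (addresses are assumptions):
#   wan1 in 203.0.113.50.51234 -> 198.51.100.10.4433: syn
#   internal out 203.0.113.50.51234 -> 192.168.10.2.4433: syn
#   internal in 192.168.10.2.4433 -> 203.0.113.50.51234: syn ack
#   wan1 out 198.51.100.10.4433 -> 203.0.113.50.51234: syn ack
#
# Reading the capture:
#   - only "wan1 in ... syn" and nothing on "internal out":
#       the VIP is not matching or the policy is not accepting it
#       (or a local listener on the Perimeter FortiGate owns port 4433).
#   - "internal out ... syn" but no "syn ack" coming back:
#       the Internal FortiGate is not listening on 4433 on that interface,
#       or its return route does not point back at the Perimeter FortiGate.
#   - nothing at all on wan1:
#       the client traffic never reaches this FortiGate; check upstream.

# 2. Debug flow on the same port to see which policy (or deny) the
#    Perimeter FortiGate applies to the SYN.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter dport 4433
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# ... reproduce the FortiClient connection attempt, then stop cleanly:
diagnose debug disable
diagnose debug reset
```

In the debug flow output, look for the VIP name in the DNAT step and the policy ID in the "Allowed by Policy" step; a "Denied by forward policy check" line means the SYN reached the VIP but no policy with the VIP as destination address and TCP/4433 in its service matched.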

 

With the VIP on the Perimeter FortiGate, the policy that permits TCP/4433 to it, and the SSL VPN listener on the Internal FortiGate bound to the same port, FortiClient connections to the Perimeter FortiGate's public IP will terminate on the SSL VPN behind it.

 

Related documents: