Contributor
May 11, 2006
Question

Access from VPN Client to DMZ Server

Hi all. We just implemented a new proxy server in our DMZ. We can access it from internal just as supposed, everything fine. Now we have some people with FortiClient on their machines and they can't reach anything in our DMZ.

LAN: 10.27.56.0/24
VPN: 10.27.56.0/24 via DHCP Relay (needed for SAP stuff, not changeable)
DMZ: 10.27.63.32/27
DMZ port of Fortigate: 10.27.63.36
Proxy: 10.27.63.39

I can't reach anything like 10.27.63.43 when I'm dialed in via IPSec VPN. I tried the following:
- Encryption policy from LAN to DMZ
- static route
- changed the setting "Internet Browsing" in Phase 2 setting around
- added the DMZ to the Remote Network in FortiClient

Long story short: I can not connect to anything in the DMZ when I'm connected via VPN. It's the same IP range as the LAN so it really should work...! It would be great if anybody gave me some hints what I could check. New proxy runs so smooth and I want it to go productive very soon... Thanks for any comment... stephan


    Contributor
    May 11, 2006
    Internet browsing isn't the solution. You need to add a policy from DMZ to External, Encrypt, tunnel name. Then in the FC you need to add the segment in the remote range. That's all. Cheers, Eric
    Contributor
    May 12, 2006
    Hm, thanks for the answer Eric. Some more details:

        Internet
            |
        External Firewall
            |
        eSafe Gateway
            |                           (Another DMZ)
           DMZ                                |
            ---------------------- Fortigate -------- LAN ----....
            |             |
        Proxy Server   WebServer

    This makes the thing a bit more complicated, huh? I don't know where I should place the policy. DMZ to LAN? I'll try a bit, but another hint would be great. Thanks stephan
    Contributor
    May 12, 2006
    Okay, I sniffed the traffic on the fortigate (interface: any). The proxy sends a SYN/ACK packet to the VPN Client, but it doesn't reach it. I sniffed with ethereal on it and there were only the three SYN packets. So there must be something missing... I will see when I can dig further into this because any VPN related change seems to take more than 20 minutes! Is that normal?! A bit annoying...
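An added example (not part of the thread) that models the two captures stephan describes, one on the FortiGate "any" interface and one on the VPN client, and reports which leg of the TCP handshake is being lost; the client address 10.27.56.201 is an assumption, the other addresses are the ones from the post.

```python
"""Correlate two packet captures to locate where a TCP handshake breaks.

Constructed illustration for the thread above: the FortiGate capture shows
the SYN and the proxy's SYN/ACK, the client capture shows only retransmitted
SYNs, so the return path (proxy -> client) is where the packets disappear.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Pkt = namedtuple("Pkt", "vantage src dst flags")

# Constructed captures. 10.27.63.39 is the proxy from the post; the VPN
# client address 10.27.56.201 is assumed (a client inside the LAN range).
CAPTURE = [
    Pkt("fortigate", "10.27.56.201", "10.27.63.39", "S"),
    Pkt("fortigate", "10.27.63.39", "10.27.56.201", "SA"),
    Pkt("fortigate", "10.27.56.201", "10.27.63.39", "S"),
    Pkt("fortigate", "10.27.63.39", "10.27.56.201", "SA"),
    Pkt("client", "10.27.56.201", "10.27.63.39", "S"),
    Pkt("client", "10.27.56.201", "10.27.63.39", "S"),
    Pkt("client", "10.27.56.201", "10.27.63.39", "S"),
]

def client_in_lan_range(client, lan="10.27.56.0/24"):
    """True when the VPN client address lies inside the LAN subnet (the
    overlap described in the original post), so a reply routed by plain
    longest-prefix match would be sent towards the LAN, not the tunnel."""
    return ip_address(client) in ip_network(lan)

def diagnose(pkts, client, server):
    """Return (verdict, hint) for the handshake between client and server."""
    seen = {"fortigate": set(), "client": set()}
    for p in pkts:
        if p.src == client and p.dst == server and p.flags == "S":
            seen[p.vantage].add("syn")
        elif p.src == server and p.dst == client and p.flags == "SA":
            seen[p.vantage].add("synack")
        elif p.src == client and p.dst == server and p.flags == "A":
            seen[p.vantage].add("ack")
    if "syn" not in seen["fortigate"]:
        return "forward path broken", "SYN never reached the firewall"
    if "synack" not in seen["fortigate"]:
        return "server silent", "firewall forwarded SYN but saw no SYN/ACK"
    if "synack" not in seen["client"]:
        hint = "SYN/ACK left the server but was not delivered to the client"
        if client_in_lan_range(client):
            hint += "; client address overlaps the LAN, check the return path"
        return "return path broken", hint
    if "ack" not in seen["client"]:
        return "client did not complete handshake", "SYN/ACK received, no ACK"
    return "handshake complete", ""

if __name__ == "__main__":
    print(diagnose(CAPTURE, "10.27.56.201", "10.27.63.39"))
```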
    Contributor
    May 12, 2006
    Well, if you can make a VPN connection to your LAN then really the only thing you have to do is what I posted before. Regards, Eric
    Contributor
    May 12, 2006
    Hm, but I'm a bit confused with what interface is External in this case. port1: DMZ, port2: LAN, port3: other DMZ. In the Firewall tab I have to configure everything port related, like port1 -> port2, port2 -> port1, port3 -> port1 ... Where would I have to set what? I'm really confused...
    UkWizard
    New Member
    May 12, 2006
    I don't think this is possible personally, as only one encrypt rule can be hit and the proxy ARP won't go out the DMZ interface anyway, let alone the whole routing issue. Only way I can see around this is to set up a port-forwarding VIP on the internal firewall IP to the proxy port on the DMZ proxy server. Then use this as the proxy, this might work. Or move the proxy inside the LAN. Or use another proxy inside to act as an interim downstream proxy to the DMZ one. One question though, why would you want them to use your proxy, when they obviously would have local internet access anyway.
    UkWizard
    New Member
    May 12, 2006
    BTW - PPTP would work for this easily.......
    Contributor
    May 12, 2006
    Only way I can see around this is to set up a port-forwarding VIP on the internal firewall IP to the proxy port on the DMZ proxy server. Then use this as the proxy, this might work.
    Hummm... I will try to understand that and try it on Monday.
    Or move the proxy inside the LAN. Or use another proxy inside to act as an interim downstream proxy to the DMZ one.
    We want a proxy with ONE IP and ONE interface in the DMZ for security reasons. Currently we are running a dual homed proxy (LAN and DMZ). This works, but we bypass the Fortigate and don't want this anymore.
    One question though, why would you want them to use your proxy, when they obviously would have local internet access anyway.
    Security reasons. And: As far as I know the FortiClient / Internet Explorer is not capable of determining if it's in the LAN or connected via VPN or stand alone in the Internet. If that was possible it might be an option, but it's not wanted. PPTP is not really an option either. Not another technology the users might have to deal with... Anyway, thanks for your answers. If you have more ideas... put 'em here =) thanks stephan
    Contributor
    May 13, 2006
    Ok, I understood in your messages that the DMZ was behind the FG unit. What you want isn't really possible... and also a bit illogical. But what you might try is to allow internet browsing from the FG. Add 0.0.0.0 or something to the FC remote network, that might do the trick. Cheers, Eric
    Contributor
    May 15, 2006
    What you want isn't really possible... and also a bit illogical.
    Hm :-/ Well... I did not set this up, I have to live with it. I don't really know why 2 DMZs were made. It may make sense to think about creating one DMZ and using one port for Internet only. I think that would make life easier.
    But what you might try is to allow internet browsing from the FG. Add 0.0.0.0 or something to the FC remote network, that might do the trick.
    Ok, adding 0.0.0.0 as remote network is no problem, just tried that. Even a traceroute will then go over the fortigate, but it fails for the known reasons. How would I "allow Internet Browsing from the FG"? Is that the option in Phase two on IPSec? Many thanks for your help guys! stephan
    Contributor
    May 18, 2006
    *bump* Help! Any ideas or advice?