Rob_G
New Member
March 18, 2020
Question

Allow FortiClients to communicate to each other??


Looking to allow remote FortiClients to talk to each other. For example, I'm remote on FortiClient and I need to RDP to another FortiClient.

 

I've created a rule to allow SSL_VPN_TUNNEL addresses and SSL_VPN_USERS to talk to SSL_VPN_TUNNEL addresses using the ssl.root.tunnel interface as the source and destination. Even moved this policy to be first in line. No Windows firewall or FC firewall enabled. Connection is showing as passed in the logs. Anyone have any thoughts on this?

 

Thanks in advance,

 

Rob


Toshi_Esumi
SuperUser
March 18, 2020

It worked for me, and I suggested the same to others over the last couple of days; I didn't hear back from them, so I assumed it worked for them too. Can you share the exact policy in CLI?

Rob_G (Author)
New Member
March 18, 2020

Sure.... see below....

 

    edit 6
        set name "SSL VPN traffic to SSL VPN traffic"
        set uuid 32cd8256-694f-51ea-a654-xxxxxxxxxxxxxx
        set srcintf "ssl.root"
        set dstintf "ssl.root"
        set srcaddr "goodwill-FC-VPN-x.x.x.x_21"
        set dstaddr "goodwill-FC-VPN-x.x.x.x_21"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "monitor-all"
        set logtraffic all
        set groups "SSL VPN General Users" "SSL VPN CMS Users"
        set comments "Used for Remote Support"
    next

Toshi_Esumi
SuperUser
March 18, 2020

If it shows up in sniffing and flow debugging, coming in on ssl.root and going out on ssl.root, it must be the destination machine. So set up two machines with SSL VPN up and run Wireshark on the destination side while pinging from the source to the destination.
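
The sniffer and flow-debug check described in the reply above, written out as an added example (editor's, not from any post in this thread). It assumes the FortiOS default tunnel pool SSLVPN_TUNNEL_ADDR1 (10.212.134.200-10.212.134.210), one connected client at 10.212.134.200 and another at 10.212.134.201; the addresses are constructed, and the interface must be changed to the ssl.<vdom> interface actually in use. The command syntax is FortiOS 6.2.

```text
# Added example (editor's), FortiOS 6.2 CLI. Assumed tunnel IPs: source .200, destination .201
# in the default pool 10.212.134.0/24; substitute the real pool and the real ssl.<vdom> interface.

# 1. Confirm both clients are up and note the tunnel IP each one was assigned.
diagnose vpn ssl list

# 2. Sniff the SSL VPN interface while the source client pings the destination client.
#    Verbose level 4 prints the interface name and direction for each packet; 10 = packet count.
diagnose sniffer packet ssl.root 'host 10.212.134.200 and host 10.212.134.201' 4 10
#    Working hairpin: every ICMP request shows twice, "ssl.root in" then "ssl.root out".
#    Only "ssl.root in" lines: the FortiGate received it but did not forward it; run step 3.
#    No lines at all: the source client never put the packet into the tunnel; check the
#    client's routing (split tunnel) before looking at any firewall policy.

# 3. Flow trace for the same pair. "Allowed by Policy-<id>" names the policy that matched;
#    "Denied by forward policy check (policy 0)" means no ssl.root -> ssl.root policy matched.
diagnose debug reset
diagnose debug flow filter saddr 10.212.134.200
diagnose debug flow filter daddr 10.212.134.201
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 20
diagnose debug enable
#    ... ping 10.212.134.201 from the source client now ...
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

If step 2 shows the packet leaving on "ssl.root out" and step 3 shows it allowed by the VPN-to-VPN policy, the FortiGate is doing its part and the remaining suspect is the destination host (its own firewall, or the service not listening on the FortiClient virtual adapter), which is exactly where a Wireshark capture on that host is useful.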

Yanis_Sauve
New Member
March 24, 2020

Hello guys,

 

Fortigate 600D, FW 6.2.2 build 1010, Windows 10, using the latest FortiClient, 6.2.2 0877, and I have determined no FW is involved.

 

I have clients on SSL VPN that cannot communicate between each other, just like probably everyone else higher up this thread.

 

I've tried adding a policy from ssl.root to ssl.root, SSL VPN range to SSL VPN range, all services. Still no communication. All those clients can communicate with the remote networks fine. For example CIPCs (Cisco softphones) can place calls and receive them from people not connected to the SSL VPN. I've also reduced my Client IP range from .1-.254 to .4-.254, as .1-.3 seemed to be problematic for connectivity from the remote network.

 

When a call between Forticlients is attempted, signaling works, as in the phone rings, but when taken off-hook, the line opens, but no sound on the line.

 

I'm at a loss right now.  Anybody would have suggestions?

 

Thanks

seadave
New Member
March 24, 2020

Our rule looks as attached.  Seems to work for our Shoretel/Mitel softphones.

config firewall policy
    edit 207
        set name "SSLVPN - Mitel"
        set srcintf "ssl.root"
        set dstintf "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" "ALL_TCP" "ALL_UDP"
        set logtraffic all
        set groups "SSL_VPN_FULL"
    next
end

 

This rule obviously could be restricted, but it's what we have now to make this work for folks.

Yanis_Sauve
New Member
March 24, 2020

My rule is exactly the same:

    edit 88
        set name "VPN->VPN"
        set uuid 883799fa-6dd9-51ea-53d2-a9f70a93b2f1
        set srcintf "ssl.VDOM-CSDLJ"
        set dstintf "ssl.VDOM-CSDLJ"
        set srcaddr "VPN-Clients-172.17.6"
        set dstaddr "VPN-Clients-172.17.6"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "AAA-GRP-VPN"
    next

 

VPN-Clients-172.17.6 is defined as range 172.17.6.4-254

 

But policy 88 is never hit by anything. And I just can't get anything from flow trace.
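
A policy that is never hit, with nothing in the flow trace, means the packets are not reaching the FortiGate on the SSL VPN interface at all, so the next thing to check is the client side rather than the policy. The portal configuration below is an added example (editor's, not from any post in this thread) of the setting that most often causes this when split tunnelling is on: with split tunnelling enabled, FortiClient only routes the destinations listed under split-tunneling-routing-address into the tunnel, so traffic to another client's tunnel address goes out the physical NIC unless the tunnel subnet itself is listed. The portal name "full-access", the subnet object "VPN-Tunnel-Subnet" (172.17.6.0/24) and the LAN object "LAN-Nets" are assumptions; "VPN-Clients-172.17.6" is the pool name from the post above.

```text
# Added example (editor's), FortiOS 6.2 CLI. Assumed objects: "VPN-Tunnel-Subnet" = 172.17.6.0/24
# (subnet type, since split-tunnel routes are pushed as subnets), "LAN-Nets" = the internal networks,
# "VPN-Clients-172.17.6" = the existing ip-range pool used for client addresses.
config firewall address
    edit "VPN-Tunnel-Subnet"
        set subnet 172.17.6.0 255.255.255.0
    next
end

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        # Without "VPN-Tunnel-Subnet" here, a client has no route for 172.17.6.x via the tunnel:
        # the packet never enters the SSL VPN, never arrives on ssl.VDOM-CSDLJ, and policy 88
        # never sees it. Adding the tunnel subnet pushes that route to every client on this portal.
        set split-tunneling-routing-address "LAN-Nets" "VPN-Tunnel-Subnet"
        set ip-pools "VPN-Clients-172.17.6"
    next
end
```

After a client reconnects, its route table (on Windows, `route print -4`) should show 172.17.6.0/24 via the FortiClient virtual adapter; a sniffer on ssl.VDOM-CSDLJ filtered on the two client addresses should then show the packets, and the flow trace should report policy 88 as the match. If split tunnelling is disabled (full tunnel), all client traffic already enters the tunnel and this setting is not the cause.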