kulas
New Member
September 17, 2018
Question

DNS for SSL VPN Web Mode


Hi Experts,

 

We have a FortiGate with VDOMs enabled and configured SSL VPN (Tunnel and Web Mode) on one of those VDOMs. On the SSL VPN Web Mode, bookmarks were configured to access servers using a URL instead of an IP address. My question is: where does the SSL VPN (Web Mode) look for URL-to-IP-address resolution? Which DNS setting does it use? I have read that it uses the DNS configured in the GLOBAL settings. If it does, are dns-server1 and dns-server2 not used for URL-to-IP-address resolution in SSL VPN Web Mode?

 

config vpn ssl web portal
    edit "Server"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSL_VPN_ADDR2"
        set split-tunneling disable
        set dns-server1 X.X.X.X
        set dns-server2 Y.Y.Y.Y
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "Test_Server"
                        set description "Test_Server"
                        set url "http://testserver.companyname.com"
                    next
                end
            next
        end
        set heading "Test_Server"
    next
end

 

Hope someone could help me on this.

 

Best Regards,

Kulas


    kulas (Author)
    New Member
    September 18, 2018

    Hope someone could explain this to me :(

     

    Regards,

    Kulas

    Ashik_Sheik
    New Member
    September 18, 2018

    Hi,

     

    The setting of the DNS suffix can be useful when it is required to resolve server names without typing the entire domain name when connected in VPN IPsec or VPN SSL.

     

    For SSL VPN:

    # config vpn ssl settings
    # set dns-suffix example.com example.org
    # end

    The FortiGate unit should be configured with your internal DNS servers which have host names for address "domain.com" and then verified by pinging the host name from FortiGate unit CLI;

    config system dns
        set primary 192.168.1.1      <--- Internal DNS
        set secondary 4.2.2.2
        set domain "domain.com"
    end

    FGT# exe ping domain.com
     
    sw2090
    SuperUser
    September 18, 2018

    You could also use FortiGate's own capabilities and use the FGT internal DNS instead of plain forwarding. Then you could create a zone on your FGT that knows your server DNS names and voilà, the URLs should work over the VPN.

    Prab
    New Member
    September 18, 2018

    FortiOS 5.6.4

    I have a bookmark in the SSL Web portal for an internal machine. I am using an FQDN (eg: myserver.domain.local) instead of an IP address & it is working fine for me.

    First of all, you should check whether the FGT can even resolve the internal domain.

    From the CLI try executing the ping command to see if the FGT resolves the internal domain at all:

    # execute ping myserver.domain.local

     

    If the FGT can resolve the name, then the bookmark will also work. I did not mention any DNS server under the config vpn ssl web portal section! Normally you do not need it. You only need to specify one in case you want to override the FGT's internal DNS configuration.

    Also, in the SSL VPN Web mode, the FQDN bookmarks are resolved by the FGT & not by the client. The client will use the FGT as a proxy to access the bookmark resources.

     

    Sidenote:

    I have FGT configured as a slave DNS server for my internal domain. Ref: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-networking-54/DNS%20Services/DNS%20Servers.htm

     

    This means:

    FGT will use my internal network DNS server to resolve the domain.local & will use the FortiGuard DNS servers for all other domains (eg: x.com, y.x.com, anything.org etc.)

     

    In FortiOS 6.0 you could try the Split-DNS feature ;)

     

    Hope it helps!

    Regards,

    Prab :)
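Since the FortiGate itself resolves web-mode bookmark names, a useful pre-check is to pull every name-based bookmark out of a portal config and put it next to the resolvers in `config system dns`. The script below is an added example, not code from the thread or from Fortinet; the config text, the `parse_fortios`/`audit` names and all addresses in it are constructed, with the portal modelled on the original question.

```python
# Added example (not the thread's code): parse a FortiOS CLI dump and list the
# web-mode bookmarks the FortiGate must resolve itself via "config system dns".
import ipaddress, shlex
from urllib.parse import urlsplit

SAMPLE_CFG = """\
config vpn ssl web portal
    edit "Server"
        set dns-server1 10.0.0.53
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "Test_Server"
                        set url "http://testserver.companyname.com"
                    next
                end
            next
        end
    next
end
config system dns
    set primary 192.168.1.1
end
"""  # constructed sample modelled on the OP's portal; addresses are made up

def parse_fortios(text):
    """config/edit open a nested dict, set stores a value list, next/end close."""
    stack = [{}]
    for toks in map(shlex.split, text.splitlines()):
        if toks and toks[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(toks[1:]), {}))
        elif toks and toks[0] == "set":
            stack[-1][toks[1]] = toks[2:]
        elif toks and toks[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def audit(cfg):
    names = []  # (portal, bookmark, host) for every bookmark the FGT must resolve
    for portal, p in cfg.get("vpn ssl web portal", {}).items():
        for grp in p.get("bookmark-group", {}).values():
            for bm, b in grp.get("bookmarks", {}).items():
                host = urlsplit(b["url"][0]).hostname or ""
                try:
                    ipaddress.ip_address(host)  # IP literal: no DNS lookup needed
                except ValueError:
                    names.append((portal, bm, host))
    dns = cfg.get("system dns", {})  # the resolvers the FortiGate itself queries
    return names, [dns[k][0] for k in ("primary", "secondary") if k in dns]
```

Each host in the first list is one to try with `execute ping` on the FortiGate, as Prab suggests; the portal's own dns-server1/2 is parsed too and can be compared against the system resolvers.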