julianhaines
Explorer II
October 31, 2024
Solved

FortiGate SSL VPN with External DHCP Server

  • October 31, 2024
  • 3 replies
  • 3051 views

Hi,

 

I am planning to move my FortiGate SSL VPN to an external DHCP server and have the following plan using a loopback interface, following the FortiGate document link below.

 

I am unsure if my plan will work and if I have the correct firewall policies etc. Does it look good?

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-with-external-DHCP-Server/ta-p/215644

 

[Attached diagram: Plan 31-10-24.png]

Best answer by tpatel


3 replies

tpatel
Staff
October 31, 2024

Hello Julian, 

 

It looks like a correct configuration. As you have mentioned ra-giaddr as the loopback IP address, you will also get an IP according to that scope. Also check connectivity between the loopback address and the DHCP server, e.g. ping from the loopback to the DHCP server IP address.

julianhaines
Explorer II
November 1, 2024

Thank you

saleha
Staff & Editor
October 31, 2024

Hi,

 

Thank you for reaching out. The diagram is more focused on how you are building your local and SSL VPN network. It does not show any concerns related to how you are going to connect to the remote DHCP server, and the article that provides the guiding steps should be straightforward. You can test and let us know if you run into an issue or a specific error so we can give you more direct advice.

 

Thank you,

saleha

julianhaines
Explorer II
November 1, 2024

Thank you, I was not sure about the firewall rules and VIPs; the DHCP part is simple and handled by the DHCP GIADDR option.

vbandha
Staff
October 31, 2024

Hello @julianhaines 

 

I want to highlight one thing:
"Starting in v7.2.4, support was added to the SSL VPN for the DHCP GIADDR option. This option allows administrators to specify which DHCP scope should be used when allocating addresses to their SSL VPN users, whereas previously SSL VPN users could only receive IP addresses in the same subnet as the FortiGate's local DHCP server-facing interface (i.e. 10.10.12.0/24 on the FortiGate's port2 in the example topology)."

 

Make sure the FortiOS version is above 7.2.4 if you are planning to use this feature.

 

Other than that, everything looks good

 

Regards,

Varun

julianhaines
Explorer II
November 1, 2024

Thank you, I am running version 7.x and using the DHCP GIADDR option.