Contributor
October 28, 2009
Question

Internet connection from SSL VPN Client

Hi, I try to connect to the internet when I start an SSL VPN but it's not possible. The connection is correct through the client and the LAN but I'm unable to navigate the internet. Is it possible to navigate when the client is connected to the LAN through SSL VPN? How can I do it? Is it possible to connect directly to the internet from the client without passing through the SSL VPN? Otherwise, how can I do it through the SSL VPN connection through the LAN? Thank you, Agostino

    3 replies

    Contributor
    October 31, 2009
    FortiGate SSL VPN Settings > Portal > Edit > Settings > Second TAB > Enable Split Tunneling. That should do the trick ...
    Contributor
    November 11, 2009
    I had the same issue, and after I enabled Split Tunneling, I lost access to my internal network because the primary DNS is now my ISP. Resolving internal host names now goes out to the public Internet instead of inside my network. How do I allow for that?
    wcbenyip
    New Member
    December 19, 2009
    Pete Eicher: Besides enabling Split Tunneling, I just want to point out two things you should note:
    1/ For internal host access: an "ACCEPT" policy from ssl.root -> port1(LAN) should be created to allow traffic from your SSLVPN clients (by IP range or subnet) to access internal network resources (by IP range or subnet).
    2/ For Internet access: an "SSL-VPN" policy from port2(WAN) -> port1(LAN) should be created to allow traffic from your SSLVPN clients (by IP range or subnet) to access Internet resources via your company's Internet connection!
    BTW: Under the above setting, if your users want to just use their home Internet connection to access the Internet instead of using the company's connection (that's a real case... as some users, like the MIS staff, don't want to be controlled by the company firewall for their usual Internet browsing while working with the co. stuff at the same time), ALL they need to do is create a separate default route 0.0.0.0/0.0.0.0 pointing to their own connection gateway (not the co. one), and make sure that there is another route to force the traffic for company subnets to use the given SSLVPN IP.
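The client-side routing described in the post above (a default route via the user's own gateway plus a more specific route sending company subnets over the SSL VPN) can be modelled with a longest-prefix match, which also shows which destinations never pass the company firewall. This is an added example, not part of the original thread; the subnets, addresses and interface names are constructed.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
COMPANY_SUBNETS = ["10.10.0.0/16", "192.168.50.0/24"]
VPN_IF = "ssl-vpn"          # the client's SSL VPN virtual adapter
HOME_IF = "home-gateway"    # the client's own Internet connection


def build_routes(split_tunnel):
    """Return the client's route table as (network, interface) pairs."""
    if split_tunnel:
        # Default route stays on the home connection; only the company
        # subnets are sent through the tunnel.
        routes = [("0.0.0.0/0", HOME_IF)]
        routes += [(net, VPN_IF) for net in COMPANY_SUBNETS]
    else:
        # Full tunnel: every destination is sent to the VPN.
        routes = [("0.0.0.0/0", VPN_IF)]
    return [(ipaddress.ip_network(n), i) for n, i in routes]


def egress(routes, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def uninspected(routes, destinations):
    """Destinations that leave via the home gateway, not the company firewall."""
    return [d for d in destinations if egress(routes, d) == HOME_IF]


if __name__ == "__main__":
    # Two internal hosts, one public web host, one ISP resolver (all constructed).
    dests = ["10.10.4.20", "192.168.50.7", "203.0.113.80", "192.0.2.53"]
    for mode in (True, False):
        routes = build_routes(mode)
        print("split tunnel" if mode else "full tunnel")
        for d in dests:
            print(f"  {d:15} -> {egress(routes, d)}")
        print("  not inspected by company firewall:", uninspected(routes, dests))
```
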
    FortiRack_Eric
    New Member
    December 21, 2009
    For Internet access (not using split tunnel): to allow internal access for connected clients the fw rule should be: ssl.root (ssl-segment) wan1 (all) NAT (allowed services) (protection profile) ACCEPT
    Cheers, Eric
    rwpatterson
    New Member
    December 21, 2009
    I believe he means
    For Internet access (not using split tunnel): to allow Internet access for connected clients