djg
New Member
May 22, 2017
Question

SSL-VPN Realm - issue with setup...


We are trying to implement SSL-VPN Realms and are running into an issue.

 

When we try to create a new realm, the URL defaults to the inside interface. We have tried to find a way to manually change the URL to use the correct interface, which is actually the DMZ interface (that interface is the connection to the outside, we are behind another firewall).

 

  • We have SSL-VPN Web Portal working fine. We are able to access and use the portal fine. We are just having issues with implementing realms.
  • The DMZ-interface is defined in the SSL-VPN settings as the interface to listen on, and again, it is working fine.
  • The issue is when we create a new realm, it listens on the inside interface.

    We have searched in both the GUI and CLI and it does not seem there is a way to manually define the complete URL. Also, we are unable to locate anywhere to manually set the interface that the SSL-VPN Realm uses. We are unable to determine why it is defaulting to the inside interface even though in the SSL-VPN settings it is listening on the DMZ-interface.

     

    We also created a ticket with Fortinet and hope they will have an answer. Just thought we would reach out to the forum to see if anyone else has run across this issue and found a solution. If we resolve the issue with Fortinet, we will post the fix here.

     

    THANKS!

    • 2 replies

      djg (Author)
      New Member
      May 22, 2017

      We were able to resolve the issue by deleting and recreating the realms and recreating the Authentication/Portal mappings under SSL-VPN settings.

      Toshi_Esumi
      New Member
      May 22, 2017

      Sounds like a bug but what's the model and os version?

      emnoc
      New Member
      May 22, 2017

      I don't think this is a bug btw. How did you set the realm? And do you have any auth-rules?

       

      djg (Author)
      New Member
      May 22, 2017

       I should have been more clear in my previous posts, sorry.

       

      We had an SSL-VPN setup with a realm for mobile client users set up and working. On Friday, it just stopped working.

       

      Specifically, iOS devices were unable to connect via the FortiClient using the realm set for tunnel mode. Android FortiClient users were still working on that realm and so were the SSL-VPN Web users that connected via browser. After a reboot of the firewalls, no mobile client users were able to connect but the SSL-VPN Web users were still working fine.

      While troubleshooting the issue, we noticed that the link shown for the URL was referencing the inside interface. We had mistakenly thought this was specifying the actual URL users were supposed to use to connect, but it turned out to be just an example URL. This is why the post referenced manually setting the interface for the URL.

       

      We later determined the example URL was based on the interface you logged into the firewall on:

       

                             

       

      And confirmed by accessing from a different interface:

       

       

      We confused the example URL as an informative section like the SSL-VPN port listened on set under the SSL-VPN settings page:

       

       

       

      As part of our troubleshooting process we deleted/recreated the SSL-VPN realms and deleted/recreated the users/groups under Authentication/Portal Mapping on the SSL-VPN Settings page. We had not noticed this had resolved the issue as we were focused on the non-issue of the example URL.

       

      I hope this clears up any confusion.