Created on 08-26-2022 02:24 PM Edited on 12-20-2022 07:38 AM By Stephen_G
Description
This article describes how to configure FortiGSLB Cloud for SSL VPN user traffic.
FortiGSLB Cloud is a Global Server Load Balancing Fortinet solution.
Scope
FortiGSLB.
Solution
This article uses an example scenario where multiple FortiGates are placed at different locations in India, the USA, and England.
For remote clients who want to connect to the company HQ (India) via VPN, FortiGSLB allows clients to automatically connect to the FortiGate VPN server that is geographically closest to their current location.
This can also be specified according to FortiGate VPN server availability. In cases when the VPN server is down, FortiGSLB can redirect users to the next available FortiGate VPN server in another location (USA/ England).
Architecture
Example:
1) A customer in England connects via FortiClient/Web Client (GUI) login to access internal servers from outside the office.
2) During connection, traffic goes to FortiGSLB over vpn.testwebsite.com, port 10443.
3) Since the user is in Birmingham, FortiGSLB directs the user to the England firewall, which is the nearest hop for VPN termination.
4) If the England firewall is not available, user traffic is redirected to the next nearest location: in this case, the USA.
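The geo-proximity and failover behaviour of steps 3 and 4, as a small Python model added here for illustration (it is not FortiGSLB's own code or selection algorithm): each location is one virtual server with a public IP, coordinates and a health-check result, and the resolver answers with the nearest healthy server. The coordinates, IPs and site names are constructed sample values modelled on the article's three locations.

```python
"""Model of nearest-healthy-site selection with failover.

Added illustration, not FortiGSLB's own code: one virtual server per data
centre, each with a constructed public IP, location and health flag.
"""
from dataclasses import dataclass, replace
import math


@dataclass(frozen=True)
class VirtualServer:
    site: str
    ip: str          # FortiGate public IP the SSL VPN listens on (constructed)
    lat: float
    lon: float
    healthy: bool    # outcome of the connector's health check


# Constructed sample topology (TEST-NET addresses, approximate city coordinates).
VIRTUAL_SERVERS = (
    VirtualServer("India (HQ)", "198.51.100.10", 19.08, 72.88, True),
    VirtualServer("USA", "198.51.100.20", 39.04, -77.49, True),
    VirtualServer("England", "198.51.100.30", 51.51, -0.13, True),
)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def failover_order(client_lat, client_lon, servers):
    """All sites sorted nearest-first: the order a client is sent to as sites fail."""
    return sorted(servers, key=lambda s: haversine_km(client_lat, client_lon, s.lat, s.lon))


def resolve(client_lat, client_lon, servers):
    """Return the nearest healthy server, or None when every site is down."""
    for server in failover_order(client_lat, client_lon, servers):
        if server.healthy:
            return server
    return None


def mark_down(servers, site):
    """Copy of the topology with one site failing its health check."""
    return tuple(replace(s, healthy=False) if s.site == site else s for s in servers)


if __name__ == "__main__":
    birmingham = (52.48, -1.90)  # the client location used in the article's scenario
    print([s.site for s in failover_order(*birmingham, VIRTUAL_SERVERS)])
    print("all sites up:", resolve(*birmingham, VIRTUAL_SERVERS).ip)
    print("England down:", resolve(*birmingham, mark_down(VIRTUAL_SERVERS, "England")).ip)
```

The `None` return when every site is down is the case worth handling in practice: a GSLB answer that keeps returning a dead IP leaves clients retrying the wrong server until the DNS TTL expires, which is why the health check, not just proximity, drives the answer.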
URL for FortiGSLB Cloud - https://www.fortigslb.com/#/login
License - contact the Fortinet Sales team for a demo license.
After login, select the Primary/Main account.
Then select 'Create an Organization' and follow the next steps:
Choose the newly created organization and select Open.
The license can be checked by going to the left section and selecting the Contact & License page.
Back on the left section, select GSLB Services to start creating an SSL VPN GSLB Service.
Create two services that cater to the same type of request, in this case SSL VPN.
The configuration below shows a snapshot of the configuration of ssl_vpn-fqdn. The same configuration must be done for ssl_vpn-fqdn_service, the only difference being that the host is '*' in that case.
Select the Create FQDN button.
Provide the following details:
1) Name.
2) Hostname - one FQDN service with 'www' and the other with '*', because users can type https://www.vpn.testwebsite.com or https://vpn.testwebsite.com to connect to the FortiGate over SSL VPN.
3) Domain Name - followed by a trailing '.' (for example, vpn.testwebsite.com.).
Select SAVE. After saving, the Add Member (Create Member) option becomes available.
Create a Pool inside the member.
Add a Virtual Server Member under the Pool.
Create a Connector.
Select the Generic-Host type for the FortiGate VPN.
After saving, create a Virtual Server.
Add the FortiGate public IP that SSL VPN clients currently connect to, either through the web portal or through FortiClient.
(Note: multiple public IPs can be entered here for the same location.)
For Data Centre, select the location where this FortiGate is situated. Repeat the same steps for all the Pools and Virtual Servers created for the other FortiGate locations.
Check the overall Status in the dashboard (the first tab in the leftmost pane).
Next, add a DNS Service in order to use the GSLB services that were created. To do this, go to the left pane and select the DNS Services tab.
Select the Create New button on the right.
Provide the following:
- Name - any name.
- Type - Primary.
- Domain Name - must match the domain name given when the GSLB service was created.
- Responsible mail - any admin or similar mailbox.
- Primary Server Name - any available name server, for example ns-9 or ns-2 (choose according to availability).
- Primary Server Address - the GSLB IP shown at the bottom of the left pane.
After saving, the records below should be created automatically (using the same domain name provided for the GSLB services).
To test whether the GSLB setup is resolving IPs correctly for geolocation, run the following console commands:
- nslookup vpn.testwebsite.com
- nslookup -q=NS vpn.testwebsite.com
In this example, running nslookup on vpn.testwebsite.com shows that the SSL VPN domain is in use and configured:
More information can be obtained with the PowerShell command Resolve-DnsName -Name vpn.testwebsite.com -Server <name server IP>, where <name server IP> is the DNS server to query (for example, the GSLB IP).
After all of the above configuration, create the following records in the domain admin portal:
- NS record for domain vpn.testwebsite.com with name_server=ns-9.vpn.testwebsite.com
- Glue A record for name_server=ns-9.vpn.testwebsite.com with ip_address=44.x.x.1 (GSLB Cloud IP)
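The nslookup test described above and the NS and glue records just created can be checked together with the following Python script, added here as an example (it is not part of the article or of FortiGSLB Cloud). It builds a raw DNS query using only the standard library, parses the reply, and reports whether the delegation for vpn.testwebsite.com points at ns-9.vpn.testwebsite.com with a glue record carrying the GSLB Cloud IP. The address 192.0.2.1 stands in for the real 44.x.x.1, and SAMPLE_RESPONSE is a constructed reply, not captured traffic; the function and constant names are this example's own.

```python
"""Verify the SSL VPN zone delegation to FortiGSLB Cloud.

Added example, not the article's or FortiGSLB's code: a stdlib-only DNS
client plus a check that the NS record and its glue point at the GSLB IP.
"""
import socket
import struct

ZONE = "vpn.testwebsite.com."
GSLB_NS = "ns-9.vpn.testwebsite.com."
GSLB_IP = "192.0.2.1"  # placeholder for the GSLB Cloud IP shown in the portal

QTYPE = {"A": 1, "NS": 2}
TYPE_NAME = {1: "A", 2: "NS", 5: "CNAME"}


def encode_name(name):
    """Encode a dotted name as DNS labels, terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query, recursion desired, a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def read_name(data, off):
    """Read a (possibly compressed) name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:          # compression pointer into the message
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", off if end is None else end


def parse_response(data):
    """Return (flags, [(owner, type, rdata), ...]) over all three record sections."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question
        _, off = read_name(data, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1:
            rdata = socket.inet_ntoa(data[off:off + 4])
        elif rtype in (2, 5):
            rdata, _ = read_name(data, off)
        else:
            rdata = data[off:off + rdlen].hex()
        records.append((owner.lower(), TYPE_NAME.get(rtype, str(rtype)), rdata.lower()))
        off += rdlen
    return flags, records


def check_delegation(records, zone=ZONE, expected_ns=GSLB_NS, expected_ip=GSLB_IP):
    """List the problems found; an empty list means the delegation is as expected."""
    problems = []
    ns_targets = {r for n, t, r in records if n == zone and t == "NS"}
    if expected_ns not in ns_targets:
        problems.append(f"no NS record for {zone} pointing at {expected_ns}")
    glue = {r for n, t, r in records if n == expected_ns and t == "A"}
    if expected_ns.endswith("." + zone) and not glue:
        problems.append(f"{expected_ns} is inside {zone} but has no glue A record")
    elif glue and expected_ip not in glue:
        problems.append(f"glue for {expected_ns} is {sorted(glue)}, expected {expected_ip}")
    return problems


def query(name, qtype, server, timeout=3.0):
    """Send one UDP query to `server` and return the parsed reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_response(s.recv(4096))


def _rr(owner, rtype, rdata, ttl=300):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed sample reply (not captured traffic): the NS delegation plus its
# glue record, as the parent zone should answer once the portal records exist.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + encode_name(ZONE) + struct.pack("!HH", QTYPE["NS"], 1)
    + _rr(ZONE, 2, encode_name(GSLB_NS))
    + _rr(GSLB_NS, 1, socket.inet_aton(GSLB_IP))
)

if __name__ == "__main__":
    _, recs = parse_response(SAMPLE_RESPONSE)
    for rec in recs:
        print(rec)
    print("problems:", check_delegation(recs) or "none")
```

Run it as-is to exercise the parser on the constructed reply. To check a live delegation, call `query("vpn.testwebsite.com", "NS", <parent name server IP>)` and pass the returned records to `check_delegation` with the real GSLB IP; a missing glue record is the failure mode to look for, since the name server sits inside the zone it serves and cannot be found without it.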
Check the QPS History to ensure the expected response is seen.
Copyright 2024 Fortinet, Inc. All Rights Reserved.