FortiCloud Products
Anonymous
Article Id 222083

Description

 

This article describes how to configure FortiGSLB Cloud for SSL VPN user traffic.

 

FortiGSLB Cloud is Fortinet's cloud-hosted Global Server Load Balancing (GSLB) solution. It is DNS-based: it answers queries for a zone delegated to it and returns the address of the member server that is closest to the client and passing its health check.

 

Scope

 

FortiGSLB Cloud.

 

Solution

 

This article uses an example scenario where multiple FortiGates are placed at different locations in India, the USA, and England.

 

For remote clients who want to connect to the company HQ (India) via VPN, FortiGSLB allows clients to automatically connect to the FortiGate VPN server that is geographically closest to their current location.

 

Availability is taken into account as well: FortiGSLB health-checks each member, and when the nearest VPN server is down it answers with the next available FortiGate VPN server in another location (USA/England). Because steering happens in DNS, clients pick up the new address only once their cached answer for the name expires.

 

Architecture

 

Aashiq_Z_0-1661546547075.png

 

Example:

 

1) A user in England connects with FortiClient or the web client (GUI) from outside the office to reach internal servers.

2) The client resolves vpn.testwebsite.com. That DNS query ends up at FortiGSLB, which answers with the public IP of one FortiGate; the SSL VPN session itself (port 10443) is then established directly between the client and that FortiGate. FortiGSLB only steers the DNS answer and never carries the VPN traffic.

3) Since the user is in Birmingham, FortiGSLB returns the England firewall, the nearest point of VPN termination.

4) If the England firewall is not available (its health check fails), FortiGSLB returns the next nearest location instead, in this case the USA.
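The selection described in the example above, as an added illustration that is not FortiGSLB code: a minimal model of "nearest healthy member, otherwise next nearest" over a constructed topology. The location coordinates, the 203.0.113.x FortiGate addresses, the client positions and the health flags are all assumptions made for the example; FortiGSLB's real proximity and health-check logic is more elaborate than this.

```python
# Added example, not FortiGSLB code: a minimal model of the decision described
# above (nearest healthy VPN server, with fall-back to the next nearest).
# Locations, coordinates, IPs and health flags are constructed for illustration.
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VpnMember:
    name: str        # FortiGSLB data centre / FortiGate location
    ip: str          # FortiGate public IP (constructed, documentation range)
    lat: float
    lon: float
    healthy: bool = True   # result of the FortiGSLB health check


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def pick_vpn_server(members, client_lat, client_lon):
    """Return the nearest member whose health check passes, or None if all are down."""
    candidates = [m for m in members if m.healthy]
    if not candidates:
        return None
    return min(candidates, key=lambda m: haversine_km(client_lat, client_lon, m.lat, m.lon))


def mark_down(members, name):
    """Copy of the member list with one location failing its health check."""
    return [replace(m, healthy=False) if m.name == name else m for m in members]


# Constructed topology matching the article's three locations.
MEMBERS = [
    VpnMember("India-HQ", "203.0.113.10", 12.97, 77.59),   # Bangalore
    VpnMember("USA", "203.0.113.20", 40.71, -74.01),       # New York
    VpnMember("England", "203.0.113.30", 51.51, -0.13),    # London
]
BIRMINGHAM = (52.49, -1.90)   # constructed client location from the example
MUMBAI = (19.08, 72.88)       # constructed client near the India HQ


def answer_for(client, members=MEMBERS):
    """The (location, A record) FortiGSLB would hand back for this client, or None."""
    m = pick_vpn_server(members, *client)
    return (m.name, m.ip) if m else None


if __name__ == "__main__":
    print("Birmingham, all up       ->", answer_for(BIRMINGHAM))
    print("Birmingham, England down ->", answer_for(BIRMINGHAM, mark_down(MEMBERS, "England")))
    print("Mumbai, all up           ->", answer_for(MUMBAI))
```

Running the block prints England for the Birmingham client, the USA once England is marked down, and the India HQ for a client in Mumbai, which is the behaviour the four steps above describe.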

 

Aashiq_Z_1-1661546625652.png

 

URL for FortiGSLB Cloud: https://www.fortigslb.com/#/login

License: ask the Fortinet sales team for a demo license.

 

Aashiq_Z_2-1661546794228.png

 

After login, select the Primary/Main account.

 

Aashiq_Z_3-1661546879509.png

 

Then select 'Create an Organization' and follow the next steps:

 

Aashiq_Z_4-1661547085287.png

 

Aashiq_Z_5-1661547115596.png

 

Choose the newly created organization and select Open.

 

The license can be checked by selecting the Contact & License page in the left pane.

 

Aashiq_Z_6-1661547195234.png

 

Back in the left pane, select GSLB Services to start creating an SSL VPN GSLB service.

 

Aashiq_Z_7-1661547243292.png

 

Create two FQDN services that serve the same type of request, here SSL VPN.

The screenshots below show the configuration of ssl_vpn-fqdn. ssl_vpn-fqdn_service is configured identically, the only difference being that its host is '*'.

Select the Create FQDN button.

 

Aashiq_Z_8-1661547404624.png

 

Provide the following details:

1) Name.

2) Hostname: 'www' for one FQDN service and '*' for the other, so that users can reach the FortiGate SSL VPN by typing either

https://www.vpn.testwebsite.com OR https://vpn.testwebsite.com.

Because '*' is a wildcard, any other name under the domain will resolve to the VPN members as well. Whichever name users type, the certificate presented by the SSL VPN portal must carry that name, otherwise clients get a certificate warning.

3) Domain Name, written as a fully qualified name with a trailing '.' (here vpn.testwebsite.com.).

 

Select SAVE to bring up the Add Member button.

 

Aashiq_Z_9-1661547542150.png

 

After saving, the Create Member option becomes available.

 

Aashiq_Z_10-1661547651513.png

 

Create a Pool inside the member.

 

Aashiq_Z_11-1661547701670.png

 

Add a Virtual Server Member under the Pool.

 

Aashiq_Z_12-1661547769836.png

 

Create a Connector and select the Generic-Host type for the FortiGate VPN server.

 

Aashiq_Z_13-1661547815709.png

 

After saving, create a Virtual Server.

Add the public IP of the FortiGate on which the SSL VPN currently terminates, whether users connect through the web portal or through FortiClient.

(Note: multiple public IPs can be entered here for the same location.)

 

Aashiq_Z_14-1661547870042.png

 

For Data Centre, select the location where this FortiGate is situated. Repeat the same steps for the Pools and Virtual Servers of every other FortiGate location.

 

Aashiq_Z_15-1661547911765.png

 

Check the overall Status on the Dashboard (the first tab in the leftmost pane).

 

Aashiq_Z_16-1661547967056.png

 

Next, add a DNS Service so that the GSLB services just created are actually served: in the left pane select the DNS Services tab, then select the Create New button on the right.

 

Aashiq_Z_17-1661548021257.png

 

Provide the following:

- Name: any name.

- Type: Primary.

- Domain Name: must match the domain name given when the GSLB services were created.

- Responsible mail: the administrator mailbox for the zone (this becomes the RNAME field of the SOA record).

- Primary Server Name: one of the FortiGSLB name servers, e.g. ns-9 or ns-2 (choose according to availability).

- Primary Server Address: the GSLB IP shown at the bottom of the left pane.

 

Aashiq_Z_18-1661548097438.png

 

After saving, the records below should be created automatically (using the same domain name that was given to the GSLB services).

 

Aashiq_Z_19-1661548158203.png

 

To test whether the GSLB setup resolves the name correctly for the client's geolocation, run the following console commands. Before the public delegation is in place, FortiGSLB can be queried directly by adding the GSLB IP as the second argument, e.g. nslookup vpn.testwebsite.com 44.x.x.1:

- nslookup vpn.testwebsite.com

- nslookup -q=NS vpn.testwebsite.com

 

In this example, running nslookup on vpn.testwebsite.com shows that the SSL VPN domain is in use and configured:

 

Aashiq_Z_20-1661548248105.png

 

More information is available from the PowerShell command Resolve-DnsName -Server <GSLB IP> -Name vpn.testwebsite.com, which sends the query to the FortiGSLB name server directly instead of the client's configured resolver.

 

Aashiq_Z_21-1661548279105.png

 

After all of the above configuration, create the following records in the domain admin portal (the registrar or whoever serves the parent zone testwebsite.com) so that public DNS delegates vpn.testwebsite.com to FortiGSLB:

- An NS record for the domain vpn.testwebsite.com with name_server=ns-9.vpn.testwebsite.com

- A glue A record for name_server=ns-9.vpn.testwebsite.com with ip_address=44.x.x.1 (GSLB Cloud IP). The glue is required because the name server's own name lies inside the zone it is authoritative for; without it, resolvers cannot find the server's address and resolution fails.
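The delegation described above, as an added example that is not FortiGSLB code: a toy iterative walk over constructed records that shows why both the NS record and the glue A record are needed, plus a small pre-flight check of the registrar-side records. The address 44.0.0.1 stands in for the GSLB Cloud IP the article shows as 44.x.x.1, 203.0.113.30 is an assumed FortiGate public IP, and the record sets are constructed to match the records described in this article.

```python
# Added example, not FortiGSLB code: a toy delegation walk over constructed
# records showing why the domain admin portal needs both the NS record and the
# glue A record. 44.0.0.1 stands in for the GSLB Cloud IP the article shows as
# 44.x.x.1; 203.0.113.30 is a constructed FortiGate public IP.

GSLB_IP = "44.0.0.1"
ZONE = "vpn.testwebsite.com."
NS_NAME = "ns-9." + ZONE


class DelegationError(Exception):
    pass


def in_zone(name, zone):
    """True if name is zone itself or a name below it."""
    return name == zone or name.endswith("." + zone)


def parent_records(with_glue=True, glue_ip=GSLB_IP):
    """Records the parent zone (testwebsite.com) must hold, i.e. the registrar side."""
    recs = {(ZONE, "NS"): [NS_NAME]}
    if with_glue:
        recs[(NS_NAME, "A")] = [glue_ip]
    return recs


# What FortiGSLB serves once the DNS Service exists (constructed to match the
# records the article says are auto-created, plus the www member).
GSLB_ZONE = {
    (ZONE, "NS"): [NS_NAME],
    (NS_NAME, "A"): [GSLB_IP],
    ("www." + ZONE, "A"): ["203.0.113.30"],
}
SERVERS = {GSLB_IP: GSLB_ZONE}   # authoritative servers reachable by IP


def delegation_for(qname, parent):
    """Longest-matching NS delegation in the parent that covers qname."""
    best = None
    for (owner, rtype), targets in parent.items():
        if rtype == "NS" and in_zone(qname, owner):
            if best is None or len(owner) > len(best[0]):
                best = (owner, targets)
    return best


def resolve_a(qname, parent, servers=SERVERS):
    """Follow the parent's delegation to the authoritative server and fetch A records."""
    deleg = delegation_for(qname, parent)
    if deleg is None:
        raise DelegationError(f"nothing delegates {qname}")
    zone, ns_names = deleg
    for ns in ns_names:
        glue = parent.get((ns, "A"), [])
        if in_zone(ns, zone) and not glue:
            # In-bailiwick name server: its address can only come from glue,
            # since asking the child zone for it would need that very address.
            raise DelegationError(f"{ns} is inside {zone} but the parent has no glue A record")
        for ip in glue:
            answer = servers.get(ip, {}).get((qname, "A"))
            if answer:
                return answer
    raise DelegationError(f"no name server for {zone} answered for {qname}")


def check_delegation(parent, expected_gslb_ip=GSLB_IP):
    """Pre-flight lint of the registrar records; returns a list of problems."""
    problems = []
    ns = parent.get((ZONE, "NS"), [])
    if NS_NAME not in ns:
        problems.append(f"NS record for {ZONE} does not point at {NS_NAME}")
    glue = parent.get((NS_NAME, "A"), [])
    if not glue:
        problems.append(f"missing glue A record for {NS_NAME}")
    elif expected_gslb_ip not in glue:
        problems.append(f"glue for {NS_NAME} is {glue}, expected {expected_gslb_ip}")
    return problems


if __name__ == "__main__":
    print(resolve_a("www." + ZONE, parent_records()))
    print(check_delegation(parent_records(with_glue=False)))
    print(check_delegation(parent_records(glue_ip="198.51.100.9")))
```

With the glue present, the walk reaches FortiGSLB and returns the FortiGate address; with the glue missing, or pointing at an address other than the GSLB IP, resolution fails, which is the symptom to look for when the nslookup checks above return nothing.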

 

Aashiq_Z_22-1661548352946.png

 

Check the QPS History to confirm that queries are reaching FortiGSLB and receiving the expected responses.

 

Aashiq_Z_23-1661548436771.png