FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
HiralShah
Staff
Article Id 274802
Description

This article describes the case where a user cannot RDP into a PC while connected through SSL VPN, but can RDP when on the same network, and provides troubleshooting steps for this issue.

Scope

FortiGate.

Solution

  1. Check the SSL VPN settings. Make sure the user (or the user's group) is mapped to a portal under SSL VPN Settings -> Authentication & portal mapping:

[Image: SSLVPN_setting.PNG]

  2. If a full-access portal is assigned, open the portal and check whether split tunneling is enabled. If it is, the subnet of the PC must be included in the portal's routing addresses, otherwise RDP traffic is not sent through the tunnel.

[Image: SSLVPN_Portal.PNG]

  3. Make sure the SSL VPN-to-LAN firewall policy has, as its destination, a subnet that contains the PC, with service ALL or at least RDP.
  4. If all of the above is configured correctly, run the following debug flow commands:

diag debug disable
diag debug flow filter saddr x.x.x.x   <----- IP the user gets when connected with SSL VPN.
diag debug flow filter daddr x.x.x.x   <----- IP of the PC the user is trying to RDP into.
diag debug flow show function-name en
diag debug flow trace start 999
diag debug en

  5. If the traffic is accepted by the SSL VPN-to-LAN policy but RDP still fails, run the packet sniffer:

diag sniffer packet any 'host x.x.x.x and host y.y.y.y' 4 0 l

or

diag sniffer packet any 'host x.x.x.x and port 3389' 4 0 l

     Here, x.x.x.x is the IP the user gets when connected with the VPN, and y.y.y.y is the IP of the PC being RDP'd into.
  6. Check whether there is a reply from the PC in the sniffer output.
  7. Check Logs & Report -> Forward Traffic and apply a filter with the source and destination addresses.
  8. If the received bytes show 0 B, check whether the Windows firewall is enabled on the PC; disable it and try again. Make sure no firewall other than the FortiGate can block the traffic; if there is one, disable it and try again.
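Steps 5 to 8 come down to one question: did the client's SYN leave the FortiGate toward the LAN, and did the PC answer? The following script is an added example, not part of this article or of FortiOS, that sorts pasted sniffer output into exactly those outcomes. The sample lines are constructed to follow the verbosity-4 line shape of `diag sniffer packet any '...' 4 0 l` (timestamp, interface, in/out, src.port -> dst.port: TCP flags); the addresses 10.212.134.200 (SSL VPN client) and 192.168.1.50 (PC) and the interface names ssl.root and port2 are assumptions for the sample only.

```python
import re
from dataclasses import dataclass

# Constructed sample output in the shape of verbosity-4 sniffer lines.
# Assumed addresses: 10.212.134.200 = SSL VPN client, 192.168.1.50 = PC.

# Case A: SYN is forwarded to the LAN (port2 out) but the PC never answers.
SAMPLE_NO_REPLY = """\
2023-10-05 14:23:11.123456 ssl.root in 10.212.134.200.52341 -> 192.168.1.50.3389: syn 2345678901
2023-10-05 14:23:11.123500 port2 out 10.212.134.200.52341 -> 192.168.1.50.3389: syn 2345678901
2023-10-05 14:23:14.130000 ssl.root in 10.212.134.200.52341 -> 192.168.1.50.3389: syn 2345678901
2023-10-05 14:23:14.130100 port2 out 10.212.134.200.52341 -> 192.168.1.50.3389: syn 2345678901
"""

# Case B: full handshake, SYN-ACK comes back from the PC.
SAMPLE_HANDSHAKE = """\
2023-10-05 14:30:02.000100 ssl.root in 10.212.134.200.52400 -> 192.168.1.50.3389: syn 1111111111
2023-10-05 14:30:02.000150 port2 out 10.212.134.200.52400 -> 192.168.1.50.3389: syn 1111111111
2023-10-05 14:30:02.000900 port2 in 192.168.1.50.3389 -> 10.212.134.200.52400: syn 2222222222 ack 1111111112
2023-10-05 14:30:02.000950 ssl.root out 192.168.1.50.3389 -> 10.212.134.200.52400: syn 2222222222 ack 1111111112
2023-10-05 14:30:02.001500 ssl.root in 10.212.134.200.52400 -> 192.168.1.50.3389: ack 2222222223
"""

# Case C: SYN arrives on the tunnel but is never forwarded (policy/route problem).
SAMPLE_DROPPED = """\
2023-10-05 14:35:40.000100 ssl.root in 10.212.134.200.52500 -> 192.168.1.50.3389: syn 3333333333
2023-10-05 14:35:43.000100 ssl.root in 10.212.134.200.52500 -> 192.168.1.50.3389: syn 3333333333
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<flags>.*)$"
)


@dataclass
class Packet:
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_sniffer(text: str) -> list[Packet]:
    """Parse verbosity-4 sniffer lines. Non-matching lines (the
    'interfaces=[any]' banner, filter echo, packet counters) are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(m["iface"], m["dir"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["flags"]))
    return packets


# Each verdict maps to the step of the article that addresses it.
VERDICTS = {
    "no_syn_from_client": "No SYN from the VPN client seen: check the client route / split tunnel (steps 1-2).",
    "syn_not_forwarded": "SYN arrived on the tunnel but never left toward the LAN: check the policy and routing with debug flow (steps 3-4).",
    "no_reply_from_pc": "SYN was forwarded to the LAN but the PC never answered: check the Windows firewall or another firewall in the path (step 8).",
    "handshake_seen": "SYN-ACK came back from the PC: the TCP handshake completes through the FortiGate.",
}


def diagnose_rdp(text: str, client_ip: str, pc_ip: str, port: int = 3389) -> str:
    """Classify a sniffer capture of one client -> PC RDP attempt."""
    pkts = parse_sniffer(text)
    to_pc = [p for p in pkts if p.src == client_ip and p.dst == pc_ip and p.dport == port]
    # A bare SYN carries no "ack"; a SYN-ACK does.
    syn_in = [p for p in to_pc if p.direction == "in" and p.flags.startswith("syn") and "ack" not in p.flags]
    syn_out = [p for p in to_pc if p.direction == "out" and p.flags.startswith("syn") and "ack" not in p.flags]
    reply = [p for p in pkts if p.src == pc_ip and p.sport == port and p.dst == client_ip]
    if not syn_in:
        return "no_syn_from_client"
    if not syn_out:
        return "syn_not_forwarded"
    if not reply:
        return "no_reply_from_pc"
    return "handshake_seen"


if __name__ == "__main__":
    for name, sample in [("no reply", SAMPLE_NO_REPLY), ("handshake", SAMPLE_HANDSHAKE), ("dropped", SAMPLE_DROPPED)]:
        verdict = diagnose_rdp(sample, "10.212.134.200", "192.168.1.50")
        print(f"{name}: {verdict} -> {VERDICTS[verdict]}")
```

Paste a real capture in place of the constructed samples and pass the VPN client IP and the PC IP; the verdict tells you whether to go back to the policy (no packet on the LAN-side interface) or forward to the host firewall (packet left the FortiGate, nothing came back).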

 

Contact TAC if there is still an issue: https://support.fortinet.com/welcome/#/