Serxhio
Staff
Article Id 335197
Description The article describes how to connect to SSL VPN via an internal network domain name.
Scope FortiGate, SSL VPN.
Solution

As per best practices (security, management, flexibility), configure SSL VPN to listen on a loopback interface rather than directly on a physical interface.

  1. Create a loopback interface.
     Make sure to specify a /32 subnet mask. Otherwise, routing conflicts may occur.

  2. Under 'VPN -> SSL-VPN settings', specify SSL to listen on the loopback interface besides any other interface that might have already been specified.

  3. Create a VIP as per the following:
  • Interface: the internal network interface.
  • External IP: IP of the internal network interface.
  • Map to: Loopback IP.
  • Port forwarding: Specify an external service port (for convenience, the same port SSL is listening on).
  • Map to: the port that SSL is listening on.

  4. Create a firewall policy that will point from the internal guest network to the loopback interface and specify a destination VIP.
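The four steps above expressed as FortiOS CLI, as an added example that is not part of the original article. The interface names (port2 as the internal interface, sslvpn-lo as the loopback), the loopback address 10.255.255.1/32, the SSL VPN port 10443, the server certificate and the VIP/policy object names are assumed values chosen for illustration; the internal interface IP 10.122.0.217 is the one the article uses later in its DNS entry. Annotations marked with '<-' follow the article's convention and are not part of the commands.

```text
config system interface
    edit "sslvpn-lo"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255  <- /32 mask, as required in step 1.
        set allowaccess ping
    next
end

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set source-interface "port2" "sslvpn-lo"  <- Step 2: keep existing listeners, add the loopback.
    set source-address "all"
    set default-portal "web-access"
end

config firewall vip
    edit "vip-sslvpn-internal"  <- Step 3.
        set extintf "port2"
        set extip 10.122.0.217  <- External IP = internal interface IP.
        set mappedip "10.255.255.1"  <- Map to the loopback IP.
        set portforward enable
        set extport 10443
        set mappedport 10443  <- Same port SSL VPN listens on.
    next
end

config firewall policy
    edit 0  <- Step 4: internal network -> loopback, destination is the VIP.
        set name "internal-to-sslvpn-lo"
        set srcintf "port2"
        set dstintf "sslvpn-lo"
        set srcaddr "all"
        set dstaddr "vip-sslvpn-internal"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying, 'show vpn ssl settings' and 'show firewall vip' confirm the listener and the VIP; restricting 'srcaddr' in the policy to the guest subnet instead of "all" limits which internal hosts can reach the SSL VPN listener.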


DNS Resolution:
The loopback VIP can be associated with a domain name, allowing users to connect to the SSL VPN using a domain name instead of a specific IP address. This is especially beneficial if the FortiGate has dynamic IP addresses or if the IP addresses associated with SSL VPN need to change without requiring clients to update their FortiClient configurations.


Create a non-authoritative primary DNS server on the internal network interface.

config system dns-database
    edit "forti"  <- Zone name.
        set domain "fortinet.com"  <- Domain the entries below will be associated with.
        set authoritative disable  <- Non-authoritative: names not in the database are forwarded instead of being answered with NXDOMAIN.
        config dns-entry
            edit 1
                set hostname "test"
                set ip 10.122.0.217  <- IP that SSL VPN connections should be directed to (in this case, the internal interface IP, which is the VIP external IP).
            next
        end
    next
end

config system dns-server
    edit port2  <- Internal network interface (this is where the DNS queries from the clients should be forwarded).
        set mode recursive
    next
end


The DNS server mode on the interface is recursive so that, if a query cannot be answered from the local DNS database, it is forwarded to the external DNS servers configured on the FortiGate.

Before testing the VPN, confirm from a client on the internal network that 'test.fortinet.com' resolves to 10.122.0.217 (for example with nslookup against the port2 IP). The users can now connect via SSL VPN by specifying the remote gateway in FortiClient as 'test.fortinet.com'.


There are various use cases of connecting to SSL VPN via domain name.

This solution was provided based on customer needs after a migration of users in the internal infrastructure, to avoid re-configuring FortiClient (free version) for all the users.


Refer to the official Fortinet documentation for creating a non-authoritative primary DNS server:
