Description | The article describes how to connect to SSL VPN via an internal network domain name. |
Scope | FortiGate, SSL VPN. |
Solution |
As per best practices (security, management, flexibility), configure the SSL VPN on a loopback interface rather than directly on a physical interface.
DNS Resolution:
Create a non-authoritative primary DNS server on the internal network interface.
config system dns-database
    edit "forti"                      <- Zone name.
        set domain "fortinet.com"     <- Domain to which the entries in this zone belong.
        set authoritative disable     <- Non-authoritative: names not found here are forwarded.
        config dns-entry
            edit 1
                set hostname "test"
                set ip 10.122.0.217   <- IP the SSL VPN connections should go to (in this case, the internal interface IP).
            next
        end
    next
end

config system dns-server
    edit port2                        <- Internal network interface (where the DNS queries from the clients arrive).
        set mode recursive
    next
end
The interface mode is recursive so that, if a query cannot be answered from the local DNS database, it is forwarded to the DNS servers configured on the FortiGate. Enable the DNS service only on the internal interface (port2 here); a recursive DNS service on a WAN-facing interface would expose the FortiGate as an open resolver. The users can now connect via SSL VPN by specifying the remote gateway in FortiClient as 'test.fortinet.com'.
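The following is an added example, not part of the original article, showing the complete configuration when the SSL VPN is terminated on a loopback interface as the best-practice note above recommends. The loopback name "lo-sslvpn", its address 10.122.255.1/32, the address object "lo-sslvpn-ip", the service "SSLVPN-10443", the SSL VPN port 10443 and the certificate name "sslvpn-test-fortinet-com" are assumptions; the zone "forti", the domain "fortinet.com", the hostname "test" and the interface port2 are the article's own values. Note that in this layout the A record must point at the loopback address the clients connect to, not at the port2 address used in the article's example.

```fortios
# Added example (not from the original article). Assumed names/values:
#   loopback "lo-sslvpn" 10.122.255.1/32, address object "lo-sslvpn-ip",
#   custom service "SSLVPN-10443", server certificate "sslvpn-test-fortinet-com"
#   whose CN/SAN is test.fortinet.com.

# 1. Loopback interface that terminates the SSL VPN
config system interface
    edit "lo-sslvpn"
        set vdom "root"
        set type loopback
        set ip 10.122.255.1 255.255.255.255
        set allowaccess ping
    next
end

# 2. Bind the SSL VPN to the loopback only (not to port2 or to a WAN interface)
config vpn ssl settings
    set servercert "sslvpn-test-fortinet-com"
    set port 10443
    set source-interface "lo-sslvpn"
    set source-address "all"
end

# 3. Policy allowing internal users (port2) to reach the loopback on the SSL VPN port.
#    Traffic to a loopback interface needs an explicit firewall policy.
config firewall address
    edit "lo-sslvpn-ip"
        set subnet 10.122.255.1 255.255.255.255
    next
end
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end
config firewall policy
    edit 0
        set name "port2-to-sslvpn-loopback"
        set srcintf "port2"
        set dstintf "lo-sslvpn"
        set srcaddr "all"
        set dstaddr "lo-sslvpn-ip"
        set action accept
        set schedule "always"
        set service "SSLVPN-10443"
    next
end

# 4. Internal zone: test.fortinet.com -> the loopback address the clients connect to
config system dns-database
    edit "forti"
        set domain "fortinet.com"
        set authoritative disable
        config dns-entry
            edit 1
                set type A
                set hostname "test"
                set ip 10.122.255.1
            next
        end
    next
end

# 5. Serve DNS on the internal interface only. Recursive mode answers from the
#    local zone first and forwards everything else to the system DNS servers.
#    Do not add a WAN interface here.
config system dns-server
    edit "port2"
        set mode recursive
    next
end
```

From an internal client, confirm that `test.fortinet.com` resolves to 10.122.255.1 when the client's DNS server is the port2 address, and that FortiClient connects to `test.fortinet.com:10443`. The server certificate bound in `config vpn ssl settings` must carry `test.fortinet.com` in its CN or SAN; otherwise FortiClient reports a certificate warning for the new gateway name, and training users to accept that warning defeats the purpose of the certificate check.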
There are various use cases for connecting to the SSL VPN via a domain name. This solution was provided to meet a customer need after users were migrated within the internal infrastructure, to avoid reconfiguring FortiClient (free version) for every user.
Refer to the official Fortinet documentation for creating a non-authoritative primary DNS server: |
Copyright 2024 Fortinet, Inc. All Rights Reserved.