Description
When a client connects to the FortiGate using FortiClient in SSL VPN tunnel mode, the FortiGate assigns the client an IP address, and the client's traffic then arrives from the dedicated ssl.root interface (where root is the name of the VDOM).
Normally, to allow traffic from the SSL VPN to specific hosts, it is necessary to create a policy with the following attributes:
- Source interface: ssl.root.
- Destination interface: the interface behind which the host is located.
- Source: the IP address pool assigned by the SSL VPN + the SSL VPN user group.
- Destination: the IP address of the host.
In FortiOS version 6.0, VIPs cannot be selected as the destination of an SSL VPN policy, so some other parameters have to be checked.
This article describes how to make a VIP reachable from an SSL VPN tunnel mode client.
Solution
Consider the following scenario:
- The FortiGate has an internet-facing interface, port1.
- An internal web server behind port2 is published using DNAT (a VIP). This server should be reachable at the IP address 12.12.12.12.
- A client is connected to the FortiGate using FortiClient SSL VPN.
In FortiOS 6.0, a VIP cannot be added directly to a policy whose source interface is ssl.root, so the following workaround is needed:
1) The first requirement is a policy allowing traffic from the SSL VPN at least to the VIP's external address.
Note that the destination 'EXTVIP' is not a VIP object, but a plain address object containing the external IP of the VIP (12.12.12.12).
2) The client's traffic to this IP has to be routed through the FortiGate, which means one of the following:
- The SSL VPN tunnel is not configured with split tunneling enabled.
- If split tunneling is enabled, the VIP address must be part of the 'Routing address' under VPN -> SSL-VPN Portals.
3) If the VIP is not an IP address of the FortiGate itself, the VIP has to be associated with an interface.
That interface should be the external interface on which incoming traffic to the VIP is expected.
4) A VIP policy has to be configured as follows:
Even though the source interface of this policy is not the SSL VPN interface, the policy will match.
In the screenshot above, the SSL VPN IP pool cannot be used as the source, because by default that address object is created bound to the ssl.root interface.
An additional normal (non interface-bound) address group can be created instead.
The source user group 'SSL-VPN-GROUP' and the service HTTP are optional.
With these settings, the policy will match, and a group of authenticated users can be specified to restrict access to this VIP.
In this case, 'SSL-VPN-GROUP' is a simple firewall group configured with local users.
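The four steps above, written out as CLI configuration. This is an added example, not the article's own screenshots: the interface names, the 12.12.12.12 address, the 'EXTVIP' object and the 'SSL-VPN-GROUP' group come from the scenario; the SSL VPN pool object name 'SSLVPN_TUNNEL_ADDR1', the pool subnet, the portal name 'full-access', the mapped IP 192.168.2.10 and the destination interface of the first policy are assumptions for the example.

```fortios
config firewall address
    # Step 1 destination: a plain address object with the VIP's external IP, not the VIP itself
    edit "EXTVIP"
        set subnet 12.12.12.12 255.255.255.255
    next
    # Assumed: a copy of the SSL VPN pool range without the ssl.root interface binding
    edit "SSLVPN-POOL-ANY"
        set subnet 10.212.134.0 255.255.255.0
    next
end
config vpn ssl web portal
    # Step 2: with split tunneling enabled, the VIP address must be in the routing address list
    edit "full-access"
        set split-tunneling enable
        set split-tunneling-routing-address "EXTVIP"
    next
end
config firewall vip
    # Step 3: bind the VIP to the external interface (port1); the mapped IP is a constructed value
    edit "WEB-VIP"
        set extip 12.12.12.12
        set extintf "port1"
        set mappedip "192.168.2.10"
    next
end
config firewall policy
    # Step 1: allow tunnel traffic at least to the VIP's external IP (dstintf assumed to be port1)
    edit 0
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "EXTVIP"
        set groups "SSL-VPN-GROUP"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
    # Step 4: the VIP policy; the source interface is port1, not ssl.root, and still matches
    edit 0
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "SSLVPN-POOL-ANY"
        set dstaddr "WEB-VIP"
        set groups "SSL-VPN-GROUP"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
```

The article mentions a normal address group for the VIP policy's source; a single non-bound address object is used here for brevity, and a group containing it works the same way.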
In firmware version 6.2 and higher, a VIP may be added to an SSL VPN policy. However, there are still restrictions in place. In particular:
1) VIPs only work with tunnel-mode SSL VPN.
2) The FortiGate takes the existing SSL VPN configuration into consideration (user groups and their associated SSL VPN portals).
If the policy contains a group that is attached to a web-mode portal, or to a portal with both web mode and tunnel mode, no VIP can be added.
Related Articles
Technical Tip: Adding groups to SSLVPN policies with VIPs