FortiGate
salmas
Staff
Article Id 254314
Description


This article describes a method that administrators can use to have the FortiGate listen for SSL-VPN connections on two different network ports at the same time. This can be particularly useful when transitioning an SSL-VPN configuration from one network port to a new port (e.g. TCP/UDP 13443 to TCP/UDP 10443), especially when deployed FortiClients that are not managed by EMS are still configured with the old listening port.


Scope


FortiGates, SSL VPN.


Solution


One way to solve this problem is to use Virtual IPs (VIPs). The general premise is to configure a VIP that receives connections on the same network interface as the SSL VPN and port-forwards connections arriving on the old SSL-VPN port to the new listening port.


In the following example, the SSL VPN is configured to listen on the wan1 interface (IP address: 10.0.0.10). The original SSL-VPN listening port is TCP/13443 and the new listening port will be TCP/10443:


  1. Under Policy & Objects -> Virtual IPs, create a Virtual IP for the new port 10443 as shown in the image below:

[Image: SSL_VPN_DNAT.png]


  • The Interface should be set to the specific interface used for SSL-VPN connections (do not use the any interface here).
  • The External IP address/range should be left as 0.0.0.0, as FortiOS will not allow the External IP and the Mapped IP to be set to the same address. Using 0.0.0.0 allows the VIP to match any IP address associated with the SSL-VPN listening interface (e.g. primary and secondary IPs).
  • The Map to IP address should be set to the static IP/secondary IP being used on the WAN interface for SSL-VPN.
  • The Port Forwarding section must be used here (as opposed to the Optional Filters) since the incoming destination port needs to be translated to the actual SSL-VPN listening port.

Note: a port-forwarding VIP can only translate one port/protocol pair at a time (e.g. TCP 13443 to 10443). If DTLS is being used for SSL VPN (i.e. encrypted UDP tunneling), an additional VIP must be configured to handle the UDP port-forwarding (UDP 13443 to 10443). See the following article for more information on DTLS with FortiGate SSL VPN: Technical Tip: Using DTLS to improve SSL VPN performance.


  2. Under VPN -> SSL-VPN Settings, change the SSL-VPN Listen on Port from the old port 13443 to the new port 10443 and then select the Apply button (no other changes are required here).

[Image: SSL_VPN_Changed_Port.png]


  3. Under Policy & Objects -> Firewall Policy, create a WAN-to-WAN policy with the VIP as the Destination.

[Image: SSL_VPN_DNAT_Policy.png]


  • Source NAT does not need to be enabled in this instance.
  • The Source could be the all Address object, or it can be limited to specific hosts (based on Geography IP objects, for example).
  • The policy counter is expected to show 0 hits, even though the port-forwarding is being performed.
  • This policy is not expected to appear in debug flow output.

Note: if Central SNAT is being utilized, this policy is not required, as the VIP will take effect automatically (see Technical Tip: Configure firewall policies for a VIP when Central NAT is enabled).

[Image: Session_From_PublicIP.jpg]


After completing these steps, users will be able to establish SSL-VPN connections to the original SSL-VPN port (e.g. https://10.0.0.10:13443) while also being able to connect to the new SSL-VPN port (https://10.0.0.10:10443).
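The same three steps entered from the FortiOS CLI, followed by a session-table check, as an added example that is not part of the original article. It assumes the interface, address and ports used above (wan1, 10.0.0.10, old port 13443, new port 10443) and uses constructed object names (SSLVPN_TCP_13443_to_10443, SSLVPN_UDP_13443_to_10443, SSLVPN_Old_Port_Redirect); `edit 0` lets FortiOS assign the next free policy ID. The `#` lines are explanatory comments.

```fortios
# Step 1: port-forwarding VIPs on the SSL-VPN interface (constructed names).
# extip 0.0.0.0 matches any address on wan1. extport is the OLD port that
# legacy FortiClients still use; mappedport is the NEW SSL-VPN listening port.
config firewall vip
    edit "SSLVPN_TCP_13443_to_10443"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip "10.0.0.10"
        set portforward enable
        set protocol tcp
        set extport 13443
        set mappedport 10443
    next
    # Only needed when DTLS is enabled: a VIP cannot translate TCP and UDP
    # together, so the UDP side gets its own object.
    edit "SSLVPN_UDP_13443_to_10443"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip "10.0.0.10"
        set portforward enable
        set protocol udp
        set extport 13443
        set mappedport 10443
    next
end

# Step 2: move the SSL-VPN listener to the new port; nothing else changes.
config vpn ssl settings
    set port 10443
end

# Step 3: WAN-to-WAN policy with the VIPs as destination and no source NAT.
# Skip this block when Central SNAT is enabled (the VIP applies on its own).
config firewall policy
    edit 0
        set name "SSLVPN_Old_Port_Redirect"
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "SSLVPN_TCP_13443_to_10443" "SSLVPN_UDP_13443_to_10443"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Verification: the policy counter stays at 0 and the flow does not appear in
# "diagnose debug flow" output, so inspect the session table instead. A client
# that connected to the old port shows up with destination port 13443 and a
# DNAT entry translating it to 10443.
diagnose sys session filter clear
diagnose sys session filter dport 13443
diagnose sys session list
```

In a deployment without Central NAT the VIP only takes effect once the step 3 policy exists, so clients still using port 13443 lose access between step 2 and step 3; entering the policy immediately after changing the port keeps that window short. The `service "ALL"` setting is safe here because the VIP objects themselves restrict matching to port 13443 on the chosen protocol.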


Related documents:

FortiGate Admin Guide - Destination NAT

FortiGate Admin Guide - Virtual IPs with port forwarding