Created on 09-11-2019 12:50 AM Edited on 11-23-2021 07:48 AM By Anonymous
Description
This article describes when a VIP address can be used with SSL VPN and how to configure it.
Solution
General rules for using a VIP with SSL VPN:
1) If no groups have been set in the SSL VPN policy, a vip/vipgrp can be used for dstaddr (for FortiOS 5.4 and later, the policy will always ask for a user group).
2) If a user group is set in the SSL VPN policy and the corresponding portal has web mode enabled, a vip/vipgrp cannot be used for dstaddr.
3) If a user group is set in the SSL VPN policy and the corresponding portal has only tunnel mode enabled, a vip/vipgrp can be used for dstaddr.
Example:
The user group is Guest-group and its associated portal is 'full-access', and the option to use both tunnel-mode and web-mode is required.
SSL-VPN Portals are configured as follows:
The policy to create:
When saved, most of the time the error 'Failed to save some changes: Entry not found' will show up.
Solution:
Disable web-mode for the desired portal.
Create the policy with the VIP:
If web-mode is used, enable it back, the same way as it was disabled.
This VIP will be accessible only from tunnel-mode. After this configuration, when connected to SSL VPN in tunnel-mode, it will be possible to access the server/service via that VIP.