Description | This article describes why FortiGate may display the same SSL VPN IP address for multiple users in the firewall users widget. |
Scope | FortiOS 7.2.X, 7.4.X. |
Solution |
When SSL VPN users connect to FortiGate via SSL VPN to access internal resources and use the SSL VPN connection to access the Internet with an explicit proxy rule (Technical Tip: How to Configure SSL VPN as an Explicit Proxy), it is possible to observe different users with the same SSL VPN IP address.
It is important to note that proxy authentication and SSL VPN authentication are managed by separate mechanisms and processes in FortiGate. As a result, proxy authentication maintains a distinct user list, separate from other authentication sources like SSL VPN, FSSO, or captive portal. For further details, refer to this documentation: Technical Tip: FortiGate explicit proxy authentication and SSL VPN
When the SSL VPN user connects, FortiGate assigns a unique IP address that is not shared with other users. If the same IP address appears in the proxy list for different users, it likely indicates that the SSL VPN user disconnected, and the IP address became available for others. Therefore, the proxy list might show the same IP for multiple users, but only one user holds this IP from the SSL VPN’s perspective.
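The reconciliation described above can be scripted when auditing which proxy entries still reflect a live tunnel. This is an added example, not Fortinet code: the `(user, ip)` record layout, the function names and the sample users and addresses are assumptions constructed for illustration, not FortiGate output.

```python
from collections import defaultdict

# Constructed sample data: (user, ip) pairs as an operator might export them.
SSLVPN_SESSIONS = [                 # SSL VPN view: one user per tunnel IP
    ("alice", "10.212.134.200"),
    ("carol", "10.212.134.201"),
]
PROXY_USERS = [                     # explicit-proxy authentication list
    ("bob",   "10.212.134.200"),    # bob disconnected, alice later got this IP
    ("alice", "10.212.134.200"),
    ("carol", "10.212.134.201"),
    ("dave",  "10.212.134.202"),    # no tunnel holds this IP any more
]

def shared_ips(proxy_users):
    """Return IPs that the proxy list shows under more than one user."""
    users = defaultdict(set)
    for user, ip in proxy_users:
        users[ip].add(user)
    return {ip: sorted(names) for ip, names in users.items() if len(names) > 1}

def reconcile(sslvpn_sessions, proxy_users):
    """Label each proxy entry using the SSL VPN list as the source of truth."""
    holder = {}
    for user, ip in sslvpn_sessions:
        if holder.get(ip, user) != user:
            raise ValueError(f"SSL VPN list assigns {ip} to two users")
        holder[ip] = user
    report = []
    for user, ip in proxy_users:
        if ip not in holder:
            status = "stale: no SSL VPN session on this IP"
        elif holder[ip] == user:
            status = "current"
        else:
            status = f"stale: IP now held by {holder[ip]}"
        report.append((ip, user, status))
    return report

if __name__ == "__main__":
    print("IPs shared in proxy list:", shared_ips(PROXY_USERS))
    for ip, user, status in reconcile(SSLVPN_SESSIONS, PROXY_USERS):
        print(f"{ip:<16} {user:<6} {status}")
```

Entries labelled stale are the ones that make the widget show one IP for several users; only the entry marked current matches the SSL VPN assignment.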
Since proxy authentication operates separately, it is advisable to expire proxy connections after a period of inactivity. This can be configured with the following commands:
config system global
    set proxy-auth-lifetime enable
    set proxy-auth-lifetime-timeout 10
    set proxy-keep-alive-mode traffic
end
This configuration closes the proxy connection if no user traffic is detected for 10 minutes. For additional details, refer to: |
@sebas865 Thank you for your contribution, great job!
Great job @sebas865 !!!
@sebas865 Your contribution is very much appreciated! Please keep up the good job!!!