FortiGate
Nishtha_Baria
Article Id 240231
Description

 

This article describes how to make SSL VPN web mode resolve hostnames through the internal DNS server.

 

Scope

 

FortiGate and SSL VPN Web Mode.

 

Solution

 

When a user is connected through SSL VPN web mode, FortiGate acts as a proxy: the request from the web mode user is terminated on the FortiGate, and the FortiGate opens a separate connection of its own to the destination.

 

As a result, the second session is self-originated traffic from the FortiGate's point of view:

 

SSL VPN user ============ FortiGate                              {Session 1}

FortiGate ================ Destination behind FortiGate interface {Session 2}

 

Any name lookup performed for session 2 therefore uses the FortiGate's own system DNS servers, not the DNS servers configured under the SSL VPN settings.

 

When a bookmark, or a URL entered in Quick Connection, is opened, the hostname must be resolved by the FortiGate's system DNS. If both the primary and secondary system DNS servers are public resolvers (for example the default FortiGuard servers), an internal hostname cannot be resolved and the following error appears:

 

(Screenshot sslvpnweb.png: the error shown in the web portal.)

 

To resolve this, make sure that at least one of the system DNS servers is the internal DNS server and that the local domain name is set (so that unqualified bookmark names receive the internal suffix). If the internal DNS server cannot resolve Internet names, configure a public DNS server as the other entry so that Internet queries still succeed.

 

Example: under Network -> DNS:

 

(Screenshot egconfigssl.png: the Network -> DNS page with one internal and one public server and the local domain name set.)

 

If the internal DNS server can also resolve Internet names (for example because it forwards queries it is not authoritative for to a public resolver), there is no need for a public server in the list: the internal server will answer both the Internet queries and the web mode (internal) queries.

 

From CLI:

 

config system dns
    set primary 8.8.8.8         <- Resolves Internet queries.
    set secondary 10.10.10.25   <- Resolves internal queries.
    set domain "local.fgt"      <- Search suffix appended to unqualified hostnames.
end
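As an added check, not from the article or from Fortinet: a small Python lint that parses a 'config system dns' block like the one above and applies the rule this article gives (at least one configured server must be an internal resolver, and a local domain must be set). It also shows which name a bare bookmark hostname turns into once the domain suffix is applied. Assumptions, all labelled in the code: "internal" is approximated by private (RFC 1918 / ULA) address space, the domain is assumed to be appended to names without a dot, and both sample configurations are constructed for the example.

```python
"""Lint a FortiOS 'config system dns' block for SSL VPN web mode name resolution.

Added example, not code from the original article or from Fortinet.
"""
import ipaddress
import re

# Constructed sample: the working configuration from the article.
SAMPLE_CONFIG = """
config system dns
    set primary 8.8.8.8
    set secondary 10.10.10.25
    set domain "local.fgt"
end
"""

# Constructed sample: the misconfiguration the article warns about
# (both servers public, no local domain).
PUBLIC_ONLY_CONFIG = """
config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
end
"""

_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_system_dns(text):
    """Return {key: value} for the 'set' lines between 'config system dns' and 'end'.

    The block name is matched case-insensitively, so 'config system DNS' also works.
    Quotes around values (set domain "local.fgt") are stripped.
    """
    settings = {}
    inside = False
    for line in text.splitlines():
        stripped = line.strip().lower()
        if stripped == "config system dns":
            inside = True
            continue
        if inside and stripped == "end":
            break
        m = _SET_RE.match(line)
        if inside and m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def is_internal_server(addr):
    """Heuristic (assumption): treat private/ULA addresses as internal resolvers.

    An internal resolver living on a public address range would be missed.
    """
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def lint_system_dns(text):
    """Return a list of findings; an empty list means the article's rule is satisfied."""
    s = parse_system_dns(text)
    findings = []
    servers = [s[k] for k in ("primary", "secondary") if k in s]
    if not servers:
        findings.append("no DNS servers configured")
    elif not any(is_internal_server(a) for a in servers):
        findings.append("neither primary nor secondary is an internal resolver; "
                        "web mode bookmarks using internal hostnames will not resolve")
    if "domain" not in s:
        findings.append("no local domain set; unqualified bookmark hostnames get no suffix")
    return findings


def fqdn_for_bookmark(host, settings):
    """Name the lookup is assumed to be made for (assumption: the configured domain
    is appended to a hostname without a dot; a name containing a dot is used as-is)."""
    if "." in host or "domain" not in settings:
        return host
    return f"{host}.{settings['domain']}"


if __name__ == "__main__":
    for name, cfg in (("article config", SAMPLE_CONFIG), ("public-only config", PUBLIC_ONLY_CONFIG)):
        problems = lint_system_dns(cfg)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
    print("bookmark 'intranet' ->", fqdn_for_bookmark("intranet", parse_system_dns(SAMPLE_CONFIG)))
```

Run it against a pasted 'show system dns' output before opening a ticket: a non-empty findings list points at the same two causes the article describes, a server list with no internal resolver and a missing local domain.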

 

When VDOMs are enabled, make sure the internal DNS server and the local domain name are configured in the global VDOM under Network -> DNS.

Internal resources configured on the web portal can now be accessed.

 

(Screenshot Capture1.PNG: an internal resource opened successfully from the web portal.)