Description
This article describes how to configure a FortiGate to securely expose an internal application, running on a private IP address, to the Internet.
Diagram:
Use case:
1) Access to a corporate application is required from the Internet.
2) A third party or customer must be granted access to an internal application.
Scope
Solution
To grant access to the internal application from the Internet, a FortiGate needs DNAT (Destination NAT): the public IP address (and, optionally, the public port) that is exposed to the Internet is translated to the real IP address and real port of the server (the real port can be hidden from outsiders by mapping it to a different public port).
Two things are required for this solution: a user account and a VIP.
This example assumes that a user account (local, RADIUS, LDAP, etc.) already exists and that the FortiGate can use it to authenticate the user.
Configure VIP:
Go to Policy & Objects -> Virtual IPs and select 'Create New'. Fill in the appropriate parameters (see example below).
Configure a firewall policy to permit traffic from the Internet to the VIP object, and add the users/groups that are permitted by this policy.
Go to Policy & Objects -> Firewall Policy and select 'Create New'. Fill in the appropriate parameters (see example below).
Because the application runs on a non-standard port (TCP 5201 in this case), the following change under 'user setting' is also required; otherwise the policy will NOT match and the traffic will be denied by the implicit policy (drop).
config user setting
    config auth-ports
        edit 1
            set port 5201   <----- This is the mapped-to port in the VIP object.
        next
    end
end
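The complete CLI equivalent of the three GUI steps above (VIP, authenticated firewall policy, authentication port), as an added example that is not part of the original article. All IP addresses, interface names, object names and the user group "app-users" are placeholders to be replaced with the values of the actual deployment.

```fortios
# Constructed example: every IP, interface, object name and group below is
# a placeholder, not a value from the original article.

# 1) VIP: public 203.0.113.10 on wan1, TCP 5201 -> internal 10.0.0.20:5201.
#    Port forwarding limits the exposure to the single application port.
config firewall vip
    edit "VIP-internal-app"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.20"
        set extport 5201
        set mappedport 5201
    next
end

# 2) Policy from the Internet to the VIP. Because "groups" is set, only
#    users who authenticate as members of "app-users" match the policy;
#    everyone else falls through to the implicit deny.
config firewall policy
    edit 0
        set name "Internet-to-internal-app"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-internal-app"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "app-users"
        set logtraffic all
    next
end

# 3) Register the mapped-to port as an authentication port. Without this
#    the FortiGate does not treat TCP 5201 as a port on which it can
#    challenge the user, the policy never matches, and the implicit
#    policy drops the traffic.
config user setting
    config auth-ports
        edit 1
            set type http
            set port 5201
        next
    end
end
```

With "set service "ALL"" the VIP's port-forward rule is what restricts the reachable port; a custom TCP/5201 service object can be used instead to make the policy itself explicit.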
Copyright 2024 Fortinet, Inc. All Rights Reserved.