Fortinet Forum
fortiFWuser
New Contributor III

URL through SSL VPN

Hello,

I have this scenario:

The users have a specific URL that needs to be accessed via a specific public IP.

The public IP is that of the company.

So when a user connects to the SSL VPN, which is not full tunnel, what are the options available for the user to have the public IP for that specific URL?

I see that the tunnel mode of the portal takes only IPs.

Thanks and regards,

Konstantinos

AEK
Contributor II

If the IP is public, then why is a VPN needed? A public IP is intended to be accessed on the internet without a VPN.

fortiFWuser
New Contributor III

Hello,

The URL is accessed only by whitelisted IPs.

It is a corporate one.

So the user can only access it through VPN.

Debbie_FTNT

Hey fortiFWuser,

just to make sure we understand:

- you have a server behind a public IP
- the server's URL resolves to this public IP with any public DNS
  -> with your internal DNS, the URL resolves to an internal IP?
- you have a policy in place to only allow access to this public IP from specific sources, such as the VPN IP range

To access the server, your users need the following:
1. Be connected to VPN
2. Resolve the server's URL to its public IP
3. Have a route to that public IP through VPN
4. Access the server on its public IP through VPN (with VPN source IP)

Is this correct?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
fortiFWuser

Hello @Debbie_FTNT,

The URL that accepts only whitelisted IPs is not in my company.

It is a service accessed by my company.

So the scenario is as follows:
I have a user connected to the VPN of my company.

I would like him to have internet from his provider, but when he tries to access that specific URL, to do it through the VPN in order to have the public IP of my company.

Debbie_FTNT

Hey FortiFWuser,

thank you for clarifying the scenario, I was a bit confused by your initial description.

In this case, the solution is fairly simple, assuming that service has a static IP (or IP range):

-> add the public IP (range) for this service to the split-tunneling destinations of your VPN
-> create a policy from the SSL VPN interface to WAN, with the service's IP (range) as destination; enable NAT

It should go something like this then:
- a VPN user tries to access the URL
- their host will look up the IP
- the host will check its routing table and find a specific route to the IP via VPN
  -> traffic goes into the VPN tunnel
- on the FortiGate, traffic should match the policy from VPN to WAN
- the request should go out the FGT WAN interface with the FGT public IP

If the service doesn't have a static IP or range, it may not be possible; FQDNs can't be added to VPN split-tunneling at the moment, so you would have to disable split-tunneling or find a workaround to force the traffic via the VPN tunnel when a simple static route via VPN can't be provided.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
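The two steps Debbie_FTNT describes, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet; the service range 203.0.113.0/28 (RFC 5737 documentation space), the portal name "tunnel-split", the group "SSLVPN-Users" and the interface names "wan1" / "ssl.root" are constructed placeholders to be replaced with your own values.

```fortios
# Added example (not from the thread): split-tunnel only the external
# service's static public range into the SSL VPN and NAT it out the WAN.
# 203.0.113.0/28, "wan1", "ssl.root", "tunnel-split" and "SSLVPN-Users"
# are constructed placeholders.

# 1. Address object for the service's static public range.
#    It must be an IP-based object: FQDN-type addresses are not
#    accepted as split-tunnel routing destinations.
config firewall address
    edit "svc-public-range"
        set type ipmask
        set subnet 203.0.113.0 255.255.255.240
        set comment "Whitelisted external service, reached via corporate public IP"
    next
end

# 2. Tunnel-mode portal with split tunneling: only this destination
#    is routed into the tunnel; everything else stays on the user's ISP.
config vpn ssl web portal
    edit "tunnel-split"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "svc-public-range"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 3. Policy SSL VPN -> WAN with NAT, so the request leaves with the
#    FortiGate's WAN (company public) address. Destination is pinned to
#    the same object so the tunnel cannot be used as a general egress path,
#    and logging is on so the access is visible in the traffic log.
config firewall policy
    edit 0
        set name "sslvpn-to-whitelisted-svc"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "svc-public-range"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set groups "SSLVPN-Users"
        set nat enable
        set logtraffic all
    next
end
```

After reconnecting, the client's routing table should show a route for 203.0.113.0/28 via the VPN adapter while the default route stays on the local provider, and a request to the service should appear in the FortiGate traffic log with the WAN address as the translated source.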