Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
xavidpr4
New Contributor

VPN SSL group bookmark mapping

Hi, I'm configuring user-group bookmarks in VPN SSL Portals, but it's not working as expected. Here is my configuration:

EUREPFWMAT1 (Tecnocampus) # config vpn ssl web user-group-bookmark
EUREPFWMAT1 (user-group-bookmark) # show
config vpn ssl web user-group-bookmark
    edit "G-Bookmarks-EC_Commercial"
        config bookmarks
            edit "Commercial1Server"
                set apptype rdp
                set host "172.20.10.74"
                set server-layout failsafe
                set port 3389
            next
            edit "Commercial2Server"
                set apptype rdp
                set host "172.20.46.217"
                set server-layout failsafe
                set port 3389
            next
        end
    next
    edit "G-Bookmarks-EC_Financial"
        config bookmarks
            edit "FinancialServer1"
                set apptype rdp
                set host "172.20.46.237"
                set server-layout failsafe
                set port 3389
            next
            edit "FinancialServer2"
                set apptype rdp
                set host "172.20.46.238"
                set server-layout failsafe
                set port 3389
            next
        end
    next
end

Then I have multiple users; some of them belong to "G-Bookmarks-EC_Commercial" and others to "G-Bookmarks-EC_Financial".

In VPN SSL Settings -> Portal Mapping, both groups are mapped to the same portal, named "EC_PortalCorp".

Finally, I have a rule that allows the VPN SSL network and both groups to access the 172.20.0.0/16 network:

config firewall policy
    edit 1
        set name "EC_vpnsslTC_MATTOInside"
        set uuid d16741be-1eab-51e7-1cff-37cd62056087
        set srcintf "ssl.Tecnocampus"
        set dstintf "VDL_Root-TC0"
        set srcaddr "EC_vpnSSLCorp_MAT"
        set dstaddr "EC_ALL_BCN-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "G-Bookmarks-EC_Financial" "G-Bookmarks-EC_Commercial"
    next

When I log in with a user that belongs to the financial group, the bookmarks inside the VPN Portal are mapped, and if I log in with a commercial user, the respective bookmarks are mapped too, so up to here all is OK!

The problem comes when I include a user (xavidpr4) in both groups. I was expecting that the bookmarks from both groups would be mapped, but instead only one group applies. I debugged the VPN SSL login and this is the output. It seems that only one group matches:

2017-04-13 10:51:00 [3367:Tecnocampus:2b1]deconstruct_session_id:363 decode session id ok, user=[xavidpr4],group=[G-Bookmarks-EC_Financial],portal=[EC_PortalCorp],host=[XX.YY.76.10],realm=[],idx=0,auth=16,sid=3f8ef619, login=1492073460, access=1492073460
2017-04-13 10:51:00 [3367:Tecnocampus:2ad]req: /remote/portal?access=admin
2017-04-13 10:51:00 [3367:Tecnocampus:2ad]deconstruct_session_id:363 decode session id ok, user=[xavidpr4],group=[G-Bookmarks-EC_Financial],portal=[EC_PortalCorp],host=[XX.YY.76.10],realm=[],idx=0,auth=16,sid=3f8ef619, login=1492073460, access=1492073460
2017-04-13 10:51:00 [3367:Tecnocampus:2ac]req: /remote/portal
2017-04-13 10:51:00 [3367:Tecnocampus:2ac]deconstruct_session_id:363 decode session id ok, user=[xavidpr4],group=[G-Bookmarks-EC_Financial],portal=[EC_PortalCorp],host=[XX.YY.76.10],realm=[],idx=0,auth=16,sid=3f8ef619, login=1492073460, access=1492073460
bommi
Contributor III

Hi,

Have you found any solution to this problem?

Best Regards

Dominik

NSE 4/5/7