Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MacFort
New Contributor

100F - GPO's not applying on remote site

Hello

I am not very knowledgeable Re: router configs

Just want to understand an issue we have.

Just applied a GPO on our internal LAN but apparently the pc's than connect to us via vpn

do not get it applied.  All the vpn config was set up by vendor.  I believe i am referring to pc's which connect via site to site vpn to our main office

Not sure if it could be a DNS issue which brings me to something I would like to be clear on:

What is the difference (or use of) the network/DNS settings vs the nework/interface settings?

In the former we have the default DNS servers in the latter we specified the internal LAN DNS servers

Thank you 

 

5 REPLIES 5
gfleming
Staff
Staff

You'll need to use your AD DNS servers for remote VPN clients if you want them to get GPO updates.

 

You can either use DNS Split Tunneling or better yet just configure the DNS servers in the VPN Client settings. You'll also likely need to add your domain suffix in the CLI as well:

 

config vpn ssl settings
  set dns-suffix 'yourdomain.com'
Cheers,
Graham
MacFort

Thank you for replying!

I will try that.  Could you please tell me what the difference is in configuring DNS settings in 

Network/DNS vs Network/Interface? or when one is used vs the other?

Thank you 

 

gfleming

Network -> DNS:

 

Tells the FortiGate which DNS servers to use for its own connectivity (i.e. reaching FortiGuard servers, etc). Or, for endpoints using the FortiGate as a DNS resolver (configured in Network -> DNS servers)

 

Network/Interface:

I'm not too sure what you're referring to here. Perhaps the DNS server configured under the DHCP Server settings on the Interface? In this case, it's the DNS server assigned to endpoints that are using DHCP to get an IP address from the FortiGate.

 

 

 

 

Cheers,
Graham
MacFort

Hello

Thank you for your reply.  Yes I was referring to the DHCP section.  So for our relote office location what/where should their DNS settings look like?  Should they have Network/DNS and specify our main office internal DNS servers? or do they also need DHCP (dns servers) configured pointing to our main office dns servers?

Thanks

gfleming

This is a network design question which depends on a lot of factors specific to your own environment. It's kind of over the scope of a Fortinet support forum.

 

However, yes, setting the DHCP scope of the remote office to include your main office DNS servers will work fine. Assuming of course you have connetivity from the remote office to the main office DNS servers. And keeping in mind you will not have any local DNS resolution if the WAN is down. Again this is a design question you need to consider for your own environment.

 

FortiGate can act as a DNS server and can use BIND secondaries to sync with your AD DNS for local resolution.

 

It can also forward on behalf of your clients to your main site DNS servers.

 

Lots of options. You just need to figure out your design first and then configure the FortiGate accordingly.

Cheers,
Graham
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors