Hi Experts,
We have a Fortigate with VDOMs enabled and configured SSL VPN (Tunnel and Web Mode) on one of that VDOMs. On the SSL VPN Web Mode, bookmarks were configured to access servers using URL instead of IP address. My question is that where does the SSL VPN (Web Mode) look for URL to IP address resolution? Which DNS setting does it use? I have read that it uses the DNS configured on GLOBAL settings. If it does, is the dns server1 and dns server2 not being used for url to ip address resolution on SSL VPN Web mode?
config vpn ssl web portal
edit "Server" set tunnel-mode enable set web-mode enable set ip-pools "SSL_VPN_ADDR2" set split-tunneling disable set dns-server1 X.X.X.X set dns-server2 Y.Y.Y.Y config bookmark-group edit "gui-bookmarks" config bookmarks edit "Test_Server" set description "Test_Server" set url "http://testserver.companyname.com" next end next end set heading "Test_Server" next end
Hope someone could help me on this.
Best Regards,
Kulas
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hope someone could explain me on this :(
Regards,
Kulas
Hi,
The setting of the DNS suffix can be useful when it is required to resolve server names without typing the entire domain name when connected in VPN IPsec or VPN SSL.
For SSL VPN:# config vpn ssl settings # set dns-suffix example.com example.org # endThe FortiGate unit should be configured with your internal DNS servers which have host names for address "domain.com" and then verified by pinging the host name from FortiGate unit CLI;config system dns set primary 192.168.1.1 }--------- Internal DNS set secondary 4.2.2.2 set domain "domain.com" end FGT# exe ping domain.com
You could also use FortiGate's own capabilities and use the FGT internal DNS instead of plain forwarding. Then you could create a zone on your FGT that knows your server dns names and voila the urls should work over the vpn.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thank you on this but I think I could not recommend it to our client. They just need to use their internal DNS server on every point in their network for IP resolution. I am just confused on what DNS setting of the FortiGate is being used by SSL VPN users (Web Mode). Is it the DNS configured on Global VDOM or the DNS configured on the SSL VPN setting.
Regards,
Kulas
Hi
Hi Ashu,
Thank you for this and I will try it once I get to work with the appliance tomorrow. Anyway, does it mean that the DNS used by SSL VPN was the one configured on the SSL VPN configuration and not on the Global Settings? The FG I was working on is running with VDOMs I think I couldn't change the system DNS since it is configured on GLOBAL VDOM.
Regards
Kulas
Hi ,
You can use internal DNS for SSL and one of the ISP DNS and One of the Internal DNS can be configured as system DNS .
kulas wrote:Hi Experts,
We have a Fortigate with VDOMs enabled and configured SSL VPN (Tunnel and Web Mode) on one of that VDOMs. On the SSL VPN Web Mode, bookmarks were configured to access servers using URL instead of IP address. My question is that where does the SSL VPN (Web Mode) look for URL to IP address resolution? Which DNS setting does it use? I have read that it uses the DNS configured on GLOBAL settings. If it does, is the dns server1 and dns server2 not being used for url to ip address resolution on SSL VPN Web mode?
config vpn ssl web portal
edit "Server" set tunnel-mode enable set web-mode enable set ip-pools "SSL_VPN_ADDR2" set split-tunneling disable set dns-server1 X.X.X.X set dns-server2 Y.Y.Y.Y config bookmark-group edit "gui-bookmarks" config bookmarks edit "Test_Server" set description "Test_Server" set url "http://testserver.companyname.com" next end next end set heading "Test_Server" next end
Hope someone could help me on this.
Best Regards,
Kulas
FortiOS 5.6.4
I have a bookmark in SSL Web portal for an internal machine, I am using FQDN (eg: myserver.domain.local) instead of IP address & it is working fine for me.
First of all you should try if the FGT can even resolve the internal domain?
From the CLI try executing the ping command to see if the FGT resolves the internal domain at all:
#execute ping myserver.domain.local
If the FGT can resolve the name, then the bookmark will also work. I did not mention any DNS server under the config vpn ssl web portal section! Normally you do not need it. You only need to specify in case you want to override the FGTs internal DNS configuraton.
Also, in the SSL VPN Web mode, the FQDN-bookmarks are resolved by FGT & not the client. Client will use the FGT as a proxy to access the bookmark resources.
Sidenote:
I have FGT configured as a slave DNS server for my internal domain. Ref: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-networking-54/DNS%20Services/DNS%20Se...
This means:
FGT will use my internal network DNS server to resolve the domain.local & will use the FortiGuard DNS servers for all other domains (eg: x.com, y.x.com, anything.org etc.)
In FortiOS 6.0 you could try the Split-DNS feature ;)
Hope it helps!
Regards,
Prab :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.