We have decided to do a phased rollout of FortiClient VPN for our users. The first phase (which we are in) is to let everyone do SSL VPN just like they were doing on our old Cisco VPN. I have that working; however, we found that one of our domain names is not getting routed correctly.
Our hosts are in AWS, and if the host is fronted by an ALB it will get a domain name like externalhost.com, which is also put into Route 53. I need all lookups for that domain name to be done over the internet (not through our internal DNS servers). An external DNS lookup would return the external IP address and then route the traffic correctly.
What's the easiest way to make that happen?
I think you are looking for Split-DNS
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/988717/ssl-vpn-split-dns
In my portals I already have
config split-dns
    edit 1
        set domains "example.net,example.com,example01.com"
        set dns-server1 10.100.1.99
        set dns-server2 10.101.1.99
    next
end
and that is not doing it. Inside the portal config I found you could also add
set dns-suffix "example.net,example.com,example01.com"
and
set split-tunneling enable
Even with all this it's not working. When I VPN in and I am hitting this portal, if I do:
nslookup newexample.com
The internal DNS servers return the internal address not the external one.
I thought I read something about policy based dns lookups.
What seems to be working is to set up split-tunnel and split-tunnel-dns in the portal. Then in the SSL-VPN Settings set DNS Server = Same as client system DNS.
What's weird with this setup is that if I do an nslookup of an internal-only FQDN host it fails. But if I ssh to that same hostname, that succeeds. I am not sure if that will affect us in the future, but it is something to keep in mind.
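To make the resolver selection in the working setup above concrete, here is an added model of split-DNS matching (example code, not from the thread or from Fortinet). It assumes FortiOS matches the configured domains on label boundaries with longest match winning (an assumption here), and that names matching no entry go to the client's system DNS; the configured domains and servers come from the post, and 192.0.2.53 is a constructed placeholder.

```python
"""Model of SSL-VPN split-DNS server selection (added example; not FortiOS code).

Assumption: a query name matches a split-DNS entry only when it equals a configured
domain or ends with "." + domain (label boundary), and the longest match wins.
Names matching no entry go to the client's system DNS, i.e. the
"Same as client system DNS" setting used in the thread.
"""

# Constructed sample configuration mirroring the portal config in the thread.
SPLIT_DNS = [
    {"domains": ["example.net", "example.com", "example01.com"],
     "servers": ["10.100.1.99", "10.101.1.99"]},
]
CLIENT_SYSTEM_DNS = ["192.0.2.53"]  # constructed placeholder for the client's own resolver


def _matches(qname: str, domain: str) -> bool:
    """True when qname is domain or a subdomain of it (label boundary, case-insensitive)."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def select_dns_servers(qname: str, split_dns=SPLIT_DNS, system_dns=CLIENT_SYSTEM_DNS):
    """Return (source, servers): where split-DNS sends a lookup for qname."""
    best = None
    for entry in split_dns:
        for domain in entry["domains"]:
            if _matches(qname, domain) and (best is None or len(domain) > len(best[0])):
                best = (domain, entry["servers"])
    if best is None:
        return ("system", list(system_dns))
    return ("split:" + best[0], list(best[1]))


def check_external_domain(external_domain: str, split_dns=SPLIT_DNS) -> list:
    """List the split-DNS domains that would capture lookups for an externally hosted name.
    An empty list means the lookup reaches the client's system DNS, as the thread wants."""
    return [d for e in split_dns for d in e["domains"] if _matches(external_domain, d)]


if __name__ == "__main__":
    for name in ("host.example.com", "newexample.com", "externalhost.com"):
        print(name, "->", select_dns_servers(name))
```

Running check_external_domain against a name that should stay public is a quick way to confirm no split-DNS entry will pull its lookups onto the internal servers.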