Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bahama03
New Contributor

FortiGate SSL-VPN

Hello to everyone reading my first post!

 

I have an issue setting up my SSL-VPN with a FortiGate 40F through an Nginx reverse proxy.

This is a new setup and it hasn't worked before.

 

My desired setup is being able to connect to SSL-VPN with FortiClient on port 443, which is forwarded to my Nginx reverse proxy server. My reverse proxy server will encrypt the traffic using a Let's Encrypt wildcard certificate and forward the traffic to the internal interface of my FortiGate on port 1443, for example.

The traffic redirect works on the reverse proxy: if I browse to the VPN domain from the internet, I get (as expected) the web-access page of the FortiGate SSL-VPN, and traffic encryption works as well.

Connecting to the VPN with port 1443 directly on the FortiGate works as well, just not encrypted with my own certificate.

The policies from interface to interface are set to allow all and work. When I connect to the VPN through port 443, it gets to 98% and then times out. The FortiGate logging says everything is OK, as does the Nginx server, but it still times out.

 

The benefits of using this setup (for me):

 - Managing verified SSL certificates on 1 server with auto-renew.

 - Using the default port for SSL-VPN traffic.

 - Being able to control this using ACLs on policies.

 

I only have 1 public IP-address and I am not able to add another.

My guess is that the reverse proxy config doesn't work for this setup.

 

Who is able to help me? Thanks in advance!

 

Kind regards,


Thomas Gielen

Anonymous
Not applicable

Hello @bahama03 

 

Thank you for posting to the Fortinet Community Forums. We appreciate your patience. We will have someone soon helping you with this query.

jangelis
Staff

Hello Thomas,

I am not sure I correctly understand the desired topology.

Could you please attach a network diagram with IP addresses and connections, to get the idea?

Thanks,

Jakub

Jakub Angelis
bahama03
New Contributor

Hi Jakub!

 

Thank you for your response!

 

Here is a simplified network diagram of my situation. A picture can be found at the bottom of this message.

So the desired diagram is:

Remote computer connects to vpn.<domain>.com -> FGT forwards to webserver -> Webserver encrypts traffic and redirects back to the internal interface of the FGT on VPN port 1443.

The forward and redirect work: if I browse to https://vpn.<domain>.com in my web browser, I get the web interface of the FGT SSL-VPN. The connect and auth with FortiClient work as well; I get past 45% (authentication), but it crashes at 98%. I think I am missing something in my Nginx config, like header things.

 

Did I answer your question with this?

I hope to hear from you. Thanks in advance.

 

Kind regards,

 

Thomas

Simplified topology of Remote VPN.png

jangelis

Hello Thomas,

If I am correct, 172.16.20.x is the network configured on the internal interface, right?

FortiGate listens on some wan interface with another IP, correct?

And you are trying to connect to this wan IP (which is represented by VPN.<domain>.com) with the FortiClient on port 443, but it stops at 98% and after some time fails, correct?

But what is not clear to me is what you mean by "FGT forwards to webserver".

Anyway, the issue is probably that you just simply cannot connect with the FortiClient to the VPN, correct?

Could not the issue be with the dual-stack?

Can you try disabling IPv6, as per this KB:

https://community.fortinet.com/t5/FortiClient/Technical-Tip-DNS-issue-with-FortiClient-SSL-VPN-when-...

 

Regards,

Jakub

 

Jakub Angelis
bahama03
New Contributor

Hi Jakub,

 

IPv6 is disabled and therefore not the problem.

 

Sincerely,

 

Thomas
