Hello to everyone reading my first post!
I have an issue setting up my SSL-VPN with a FortiGate 40F through Nginx Reverse Proxy.
This is a new setup and it hasn't worked before.
My desired setup is being able to connect to SSL-VPN with FortiClient on port 443, which is forwarded to my Nginx ReverseProxy server. My reverse proxy server will encrypt the traffic using a Let's Encrypt wildcard certificate and forwards the traffic to the internal interface of my FortiGate on port 1443 for example.
The traffic redirect works on the reversed proxy, if I browse to the VPN domain on the internet, I get (as expected) the web-access page of FortiGate SSL-VPN, traffic encryption works as well.
Connecting to the VPN with port 1443 directly on the FortiGate works as well, just not encrypted with my own certificate.
The policy's from interface to interface are on allow all and works. When I connect to the VPN through port 443, it gets to 98% and then times-out. The FortiGate logging says everything is ok, as the Nginx server says, but it still times out.
The benefits of using this setup (for me);
- Managing verified SSL certificates on 1 server with autorenew.
- Using the default port for SSL-VPN traffic.
- Being able to control this using ACL's on policy's.
I only have 1 public IP-address and I am not able to add another.
My guess is that the Reversed proxy config doesn't work for this setup.
Who is able to help me? Thanks in advance!
Kind regards,
Thomas Gielen
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 02-25-2022 06:29 PM
Hello @bahama03
Thank you for posting to the Fortinet Community Forums. We appreciate your patience. We will have someone soon helping you with this query.
Hell Thomas,
I am not sure I correctly understand the desired topology.
Could you please attach a network diagram with IP addresses and connections, to get the idea?
Thanks,
Jakub
Hi Jakub!
Thank you for your response!
Hereby a simplified network diagram of my situation. A picture can be found at the bottom of this message
So the desired diagram is;
Remote computer connects to vpn.<domain>.com -> FGT forwards to webserver -> Webserver encrypts traffic and redirect back to internal interface of FGT on VPN port 1443.
The forward and redirect works, if I browse to https://vpn.<domain>.com in my webbrowser, I get the webinterface of FGT SSL-VPN. The connect and auth with FortiClient works as well, I get past 45% (authentication), but crashes at 98%. I think I am missing something in my Nginx config, like header things.
Did I answer your question with this?
I hope to hear from you. Thanks in advance.
Kind regards,
Thomas
Hello Thomas,
If I am correct the 172.16.20.x is the network configured on the internal interface, right?
FortiGate listens on some wan interface with another IP, correct?
And you are trying to connect to this wan IP (which is represented by VPN.<domain>.com) with the FortiClient on port 443, but it stops on 98 % and after some time fails, correct?
But what is not clear to me what you mean by " FGT forwards to webserver ".
Anyway, probably the issue, is that you just simply cannot connect with the FortiClient to the VPN, correct?
Could not the issue be with the dual-stack?
Can you try disabling IPv6, as per this KB:
Regards,
Jakub
Hi Jakub,
IPv6 is disabled and therefore not the problem.
Sincerely,
Thomas
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1717 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.