Everstay
New Contributor II

Fortinet VPN/DMZ - local website accessible from outside of network

Hello,

I'm unsure how to properly word my question, so bear with me.

We're currently running FortiGate as our firewall and VPN, to which we connect from outside of our network to work remotely when needed. We're also in the process of implementing an employee web panel, which needs to be accessible from outside of our network.

I'm new to Fortinet and unsure how to properly set it up. We have a public IP that we use for VPN connections, and I'd like to use that IP address to redirect web traffic from a specific port to a local IP.

Example:

local web panel address: 10.1.2.63 (running by default on port 8080; this will be changed at a later date, but let's use this as an example)

public VPN IP address (not actual, just random for example purposes): 83.0.109.50.

Now, what do I need to do to be able to use 83.0.109.50:8080 outside of my network to access that web panel? (83.0.109.50:8080 will point to 10.1.2.63 locally.)

Please feel free to ask any questions for information I might've missed.

Many thanks for your assistance!


25 REPLIES
Everstay
New Contributor II

Everything seems to be okay - I've changed the web server's port to 80 just to be sure and it worked; maybe there was something going on with port 8080. I've applied the same rules for the VIP but with port 443 for SSL - is this enough to provide users with the panel that has SSL?

ozkanaltas

If your FortiGate management interface or SSL-VPN does not use port 443, you can use this port.

If port 443 is used for any services on your FortiGate, you can't use port 443.

Also, you can use port translation in the VIP configuration. For example: image.png

Your service is still running on port 443, but your client can access this service on port 8443 from outside.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
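
Added example, not part of the thread: the port translation described in the reply above (external 8443 to internal 443), written out as FortiOS CLI with the addresses from the original question. The interface names `wan1` and `internal` and the object names are assumptions; substitute the ones on your unit.

```fortios
# Added example, not from the thread. Assumed names: interfaces "wan1" and
# "internal", objects "web-panel-https" and "wan-to-web-panel".

# 1. See which ports the FortiGate itself already listens on, so the VIP's
#    external port does not collide with the admin GUI or SSL-VPN.
get system global | grep admin-sport
get vpn ssl settings | grep port

# 2. VIP with port translation: clients connect to 83.0.109.50:8443,
#    the web server at 10.1.2.63 keeps listening on 443.
config firewall vip
    edit "web-panel-https"
        set extip 83.0.109.50
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 8443
        set mappedip "10.1.2.63"
        set mappedport 443
    next
end

# 3. Policy from WAN to the internal network with the VIP as destination.
#    The service is matched after translation, so it is the mapped port
#    (443, the predefined HTTPS service), not the external 8443.
config firewall policy
    edit 0
        set name "wan-to-web-panel"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-panel-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

The forwarded port only answers if the web server itself accepts HTTPS on 10.1.2.63:443, so test that from inside the LAN before testing from outside.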
Everstay
New Contributor II

I have it set up like this right now. Is this correct? My SSL-VPN is running on port 11443, so I used 443 for www. Of course I also added the Clone of www to the firewall destination too.

123.png

ozkanaltas

If your FortiGate web UI does not use the 443 port, this configuration is also ok. 

 

It should be working. 

Everstay
New Contributor II

Okay, in that case when I go through http:// the website loads; with https:// I get "domain.com refused to connect" :( I'm unsure where to look - can this be caused by the web server too, or is it strictly Forti config I need to focus on?

Below is the ssl-settings tab:

ssl.png

ozkanaltas

I think you should review the web server configuration. 

 

Does it work properly in the local network?

 

Everstay
New Contributor II

So this doesn't really matter in my scenario?

ssl.png

ozkanaltas

No, because SSL-VPN works on different ports.

You also need to check the FortiGate web GUI port settings. This configuration is under the System -> Settings menu. If you see anything about 443, you need to change this setting, or your web server VIP port configuration should be different from port 443.

 

image.png

 

 

Everstay
New Contributor II

Okay, yes, there was an HTTPS port of 443. I changed my VIP port to 12443 - now I get "domain.com took too long to respond" when trying to connect through https.

ozkanaltas

I'm glad it worked. :) 
