ElizabethC
New Contributor II

Help using internal DHCP server to assign IP addresses

Split-tunnel SSL-VPN is working fine for the users, with no access issues. However the FortiGate is assigning the IP address instead of our internal DHCP server so devices are not being listed on our DHCP server and are not getting a record in DNS. I cannot manage the machines as I need to. They're basically invisible everywhere except on the FortiGate. How do I pass the responsibility for assigning IP addresses to our internal DHCP server? Our domain controllers are on xxx.xxx.1.x and the FortiGate is assigning xxx.xxx.10.x. A DHCP scope has been setup for the .10 addresses although obviously it's empty.  


I am not a FortiGate expert, but there have been many calls with both Fortinet support and local IT support and they both just keep poking at things hoping something works. Hopefully there's enough info in the images to help. Thank you.


[Image: SSL-VPN Settings 1.jpg]

adambomb1219
SuperUser

JAlesi
New Contributor

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-with-external-DHCP-Server/ta-p/215...

I believe this tech document may help to achieve what you are looking for.  Be aware that this is a fairly newly implemented feature (as of 7.2.4) and I have also seen other users on various forums stating that they had some issues with this setup as well, so your mileage may vary. HTH!

ElizabethC
New Contributor II

Fortinet support just reminded me that they had already tried that option and the problem is with DHCP. 

"Regarding article "https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-with-external-DHCP-Server/ta-p/215...", we already created a test SSLVPN user "fortinet" and assigned it "DHCP_Tunnel" for testing external DHCP server during our previous session. However, we noticed that [your internal] DHCP server xxx.xxx.1.x is not sending DHCP-Offer for the DHCP-Discover sent by Fortigate. Please investigate this issue on DHCP server."

hbac

Hi @ElizabethC,


If your configuration is correct based on that article, it should work. Please check on the DHCP server to see why it is not sending a DHCP offer.


Regards, 

ElizabethC
New Contributor II

The network engineer got this working today. It was not straightforward and I'm posting this info here in case it might help someone else figure it out.


SSL VPN Portal Changes:
    Changed SSL VPN Portal "set ip-mode" setting to "set ip-mode dhcp"
    Added command "set dhcp-ra-giaddr [SSL-VPN subnet]"


ssl.root interface changes:
    Added "set dhcp-relay-service enable" command
    Added "set dhcp-relay-ip [internal DNS server IP address]" command


DHCP changes:
    Added [SSL-VPN subnet/24] scope into DHCP on [domain server].DOMAIN.COM
    Globally changed DNS method to always update on all scopes on both domain controllers


DNS changes:
    Added [SSL-VPN subnet/24] reverse lookup zone


Enabled RDP between connected computers on SSL VPN by adding the following access policy: 
        set srcintf "ssl.root"
        set dstintf "ssl.root"
        set action accept
        set srcaddr "N-[custom] SSL VPN Subnet"
        set dstaddr "N-[custom] SSL VPN Subnet"
        set service "RDP"
        set groups "[custom]-SSLVPN-SSO"
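The two pieces of this thread that matter most are the support finding (the internal DHCP server received the FortiGate's DHCP-Discover but never answered) and the two steps in the final fix that made it answer: setting dhcp-ra-giaddr on the portal and adding a scope for the SSL-VPN subnet on the DHCP server. A DHCP server chooses the scope for a relayed DISCOVER from the giaddr field, and if no scope contains that address it silently drops the request. The following Python script is an added illustration written for this thread, not FortiGate or Microsoft DHCP code: it builds a relayed DISCOVER with constructed addresses (assumed SSL-VPN pool 10.10.10.0/24 with giaddr 10.10.10.1, assumed DHCP server 10.10.1.10 on 10.10.1.0/24), parses it, and runs the RFC 2131 scope selection once against the original scopes and once after the .10/24 scope has been added.

```python
"""Why a relayed DHCPDISCOVER gets no DHCPOFFER: scope selection by giaddr.

Added example for this forum thread; not FortiOS or Windows DHCP code.
All addresses and the client MAC are constructed placeholders.
"""
import ipaddress
import struct
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # option field "magic cookie" (RFC 2132)
OPT_MSG_TYPE = 53
DHCPDISCOVER = 1


def build_discover(client_mac: bytes, giaddr: str, xid: int = 0x1234) -> bytes:
    """Build a minimal BOOTP/DHCP DISCOVER as a relay agent forwards it.

    giaddr is the relay's own address (what FortiOS sets with dhcp-ra-giaddr);
    "0.0.0.0" means the client sits on a directly attached segment.
    """
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1,                                      # op = BOOTREQUEST
        1, 6, 0,                                # htype Ethernet, hlen, hops
        xid,
        0, 0x8000,                              # secs, flags (broadcast bit set)
        b"\0" * 4,                              # ciaddr
        b"\0" * 4,                              # yiaddr
        b"\0" * 4,                              # siaddr
        ipaddress.IPv4Address(giaddr).packed,   # giaddr: relay address
        client_mac.ljust(16, b"\0"),            # chaddr
        b"\0" * 64,                             # sname
        b"\0" * 128,                            # file
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, 255])  # type + end marker
    return fixed + DHCP_MAGIC + options


def parse_discover(pkt: bytes) -> dict:
    """Extract the header fields a DHCP server consults before choosing a scope."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     _ciaddr, _yiaddr, _siaddr, giaddr, chaddr) = struct.unpack(
        "!BBBBIHH4s4s4s4s16s", pkt[:44])
    msg_type = None
    i = 240
    while i < len(pkt):                 # walk the TLV option list
        code = pkt[i]
        if code == 255:                 # end option
            break
        if code == 0:                   # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE:
            msg_type = value[0]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "msg_type": msg_type,
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
    }


def select_scope(discover: dict, scopes, server_iface_ip) -> Optional[ipaddress.IPv4Network]:
    """RFC 2131 scope selection as a DHCP server performs it.

    giaddr != 0 -> the scope whose subnet contains giaddr (relayed request);
    giaddr == 0 -> the scope of the interface the DISCOVER arrived on.
    Returns None when nothing matches, in which case no DHCPOFFER is sent,
    which is exactly the symptom Fortinet support saw on the DHCP server.
    """
    giaddr = ipaddress.IPv4Address(discover["giaddr"])
    key = giaddr if int(giaddr) != 0 else ipaddress.IPv4Address(server_iface_ip)
    return next((scope for scope in scopes if key in scope), None)


def demo():
    """Replay the thread: relayed DISCOVER before and after the .10/24 scope exists."""
    mac = bytes.fromhex("0a1b2c3d4e5f")                      # constructed client MAC
    d = parse_discover(build_discover(mac, giaddr="10.10.10.1"))
    server_ip = "10.10.1.10"                                  # constructed DC address
    before = [ipaddress.ip_network("10.10.1.0/24")]           # only the LAN scope
    after = before + [ipaddress.ip_network("10.10.10.0/24")]  # SSL-VPN scope added
    return select_scope(d, before, server_ip), select_scope(d, after, server_ip)


if __name__ == "__main__":
    no_offer, offer = demo()
    print("before adding scope:", no_offer)   # None -> server stays silent
    print("after adding scope: ", offer)      # 10.10.10.0/24 -> DHCPOFFER returned
```

Two consequences follow from the selection rule: the giaddr must fall inside a scope the server actually has (an empty .10 scope is enough, as in the thread, but a missing one is fatal), and because the server unicasts the OFFER back to giaddr, that address has to be one the relaying interface can receive on. When the relay is the FortiGate, a packet capture on the DHCP server showing DISCOVERs arriving with no OFFER leaving is the quickest way to tell a scope-selection problem from a path problem.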