Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

Help using internal DHCP server to assign IP addresses

Split-tunnel SSL-VPN is working fine for the users, with no access issues. However the FortiGate is assigning the IP address instead of our internal DHCP server so devices are not being listed on our DHCP server and are not getting a record in DNS. I cannot manage the machines as I need to. They're basically invisible everywhere except on the FortiGate. How do I pass the responsibility for assigning IP addresses to our internal DHCP server? Our domain controllers are on and the FortiGate is assigning A DHCP scope has been setup for the .10 addresses although obviously it's empty.  


I am not a FortiGate expert, but there have been many calls with both Fortinet support and local IT support and they both just keep poking at things hoping something works. Hopefully there's enough info in the images to help. Thank you.


SSL-VPN Settings 1.jpg


New Contributor

I believe this tech document may help to achieve what you are looking for.  Be aware that this is a fairly newly implemented feature (as of 7.2.4) and I have also seen other users on various forums stating that they had some issues with this setup as well, so your mileage may vary. HTH!

New Contributor II

Fortinet support just reminded me that they had already tried that option and the problem is with DHCP. 

"Regarding article "", we already created a test SSLVPN user "fortinet" and assigned it "DHCP_Tunnel" for testing external DHCP server during our previous session. However, we noticed that [your internal] DHCP server is not sending DHCP-Offer for the DHCP-Discover sent by Fortigate. Please investigate this issue on DHCP server."


Hi @ElizabethC,


If your configuration is correct based on that article, it should work. Please check on the DHCP server to see why it is not sending DHCP offer. 



New Contributor II

The network engineer got this working today. It was not straightforward and I'm posting this info here in case it might help someone else figure it out.


SSL VPN Portal Changes:
    Changed SSL VPN Portal “set ip-mode” setting to “set ip-mode dhcp”
    Added command set dhcp-ra-giaddr to [SSL-VPN subnet]


Ssl.root interface changes:
    Added “set dhcp-relay-service enable” command

    Added “dhcp-relay-ip "[internal DNS server IP address]” command


DHCP changes:
    Added [SSL-VPN subnet/24] scope into DHCP on [domain server].DOMAIN.COM
    Globally changed DNS method to always update on all scopes on both domain controllers


DNS changes:
    Added [SSL-VPN subnet/24] reverse lookup zone


Enabled RDP between connected computers on SSL VPN by adding the following access policy: 
        set srcintf "ssl.root"
        set dstintf "ssl.root"
        set action accept
        set srcaddr "N-[custom] SSL VPN Subnet"
        set dstaddr "N-[custom] SSL VPN Subnet"
        set service "RDP"
        set groups "[custom]-SSLVPN-SSO"
Top Kudoed Authors