david_ekstrom
New Contributor II

Help with allowing Microsoft activation

NEED:  To allow an external KMS server (we trust the external IP) to communicate back and forth with our internal server subnet for Windows activation, BUT...

 

PROBLEM: the KMS server has to see the traffic coming to it from a trusted IP-space.  Our firewall external IP is not in their trusted IP-space, and they don't whitelist IPs from other providers.  Can I put policies in place to allow the KMS server to see the IPs of our internal servers?  If so, how?

(faked IPs below)

 

KMS Server:  50.100.100.200

Our firewall External IP:  60.120.120.1   (FortiGate 200E, running FortiOS 7.0.9)

Our internal IP subnet:  172.10.10.0/255.255.255.0  (I believe this is considered trusted IP-space, as these are VMs hosted by the same company that has the KMS server)

 

I should have added, the KMS server only responds on port 1227.

 

Thanks for the help,

David

abarushka
Staff

Hello,

 

You may consider configuring an IPsec tunnel between your site and the KMS site. Therefore, there will be no need for NAT/DNAT.
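The tunnel approach suggested in this reply, sketched as FortiOS CLI; this is an added example, not configuration from the thread or from Fortinet. The interface names (`wan1`, `internal`), object names, the remote gateway and pre-shared key placeholders, and the assumption that port 1227 is TCP are not from the original post; the addresses are the faked ones given in the question.

```fortios
# Added example. Names, placeholders and the TCP assumption are hypothetical.
config vpn ipsec phase1-interface
    edit "to-kms"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set remote-gw <PROVIDER_VPN_GATEWAY_IP>
        set psksecret <PRE_SHARED_KEY>
    next
end
config vpn ipsec phase2-interface
    edit "to-kms-p2"
        set phase1name "to-kms"
        set proposal aes256-sha256
        set src-subnet 172.10.10.0 255.255.255.0
        set dst-subnet 50.100.100.200 255.255.255.255
    next
end
# Route KMS traffic into the tunnel instead of out the NATed WAN path.
config router static
    edit 0
        set dst 50.100.100.200 255.255.255.255
        set device "to-kms"
    next
end
config firewall address
    edit "srv-subnet"
        set subnet 172.10.10.0 255.255.255.0
    next
    edit "kms-server"
        set subnet 50.100.100.200 255.255.255.255
    next
end
config firewall service custom
    edit "KMS-1227"
        set tcp-portrange 1227
    next
end
# Least-privilege policy: only the server subnet, only the KMS host and port.
config firewall policy
    edit 0
        set name "servers-to-kms"
        set srcintf "internal"
        set dstintf "to-kms"
        set srcaddr "srv-subnet"
        set dstaddr "kms-server"
        set action accept
        set schedule "always"
        set service "KMS-1227"
        set nat disable
    next
end
```

With `set nat disable`, the KMS side sees the 172.10.10.0/24 source addresses directly; the provider's end of the tunnel must be configured with matching phase 1 and phase 2 settings.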

 

 
