Not applicable

Internet connection from SSL VPN Client

Hi, I am trying to connect to the Internet when I start an SSL VPN, but it's not possible. The connection between the client and the LAN works correctly, but I'm unable to browse the Internet. Is it possible to browse when the client is connected to the LAN through the SSL VPN? How can I do it? Is it possible for the client to connect directly to the Internet without passing through the SSL VPN? Otherwise, how can I do it through the SSL VPN connection through the LAN? Thank you, Agostino
Not applicable

FortiGate SSL VPN Settings > Portal > Edit > Settings > Second TAB > Enable Split Tunneling. That should do the trick ...
Not applicable

I had the same issue, and after I enabled Split Tunneling, I lost access to my internal network because the primary DNS is now my ISP. Resolving internal host names now goes out to the public Internet instead of inside my network. How do I allow for that?
grindcore888
New Contributor

Thx Marcel, just what I was looking for, thank you.
wcbenyip
New Contributor III

Pete Eicher: Besides enabling Split Tunneling, I just want to point out two things you should note:

1/ For internal host access: an "ACCEPT" policy from ssl.root -> port1(LAN) should be created to allow traffic from your SSLVPN clients (by IP range or subnet) to access internal network resources (by IP range or subnet).

2/ For Internet access: an "SSL-VPN" policy from port2(WAN) -> port1(LAN) should be created to allow traffic from your SSLVPN clients (by IP range or subnet) to access Internet resources via your company's Internet connection!

BTW: Under the above setting, if your users want to just use their home Internet connection to access the Internet instead of using the company's connection (that's a real case, as some users like the MIS staff don't want to be controlled by the company firewall for their usual Internet browsing while working with the company stuff at the same time), ALL they need to do is create a separate default route 0.0.0.0/0.0.0.0 pointing to their own connection gateway (not the company one), and make sure that there is another route to force the traffic for company subnets to use the given SSLVPN IP.
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
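
An added example, not written by any poster in this thread: a small Python model of the client's route table in full-tunnel and split-tunnel mode, using longest-prefix match to show which traffic enters the SSL VPN. The subnets, addresses and interface labels are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
VPN_IF, HOME_IF = "ssl-vpn", "home-gw"
CORP_SUBNETS = ["10.10.0.0/16", "192.168.50.0/24"]   # internal networks
VPN_GATEWAY = "203.0.113.10/32"                      # FortiGate public address
HOME_LAN = "192.168.1.0/24"


def build_routes(split_tunnel):
    """Client route table as (network, interface) pairs for either mode."""
    routes = [(HOME_LAN, HOME_IF), (VPN_GATEWAY, HOME_IF)]
    if split_tunnel:
        # Default route stays on the home gateway; only the corporate
        # subnets are routed into the tunnel.
        routes.append(("0.0.0.0/0", HOME_IF))
        routes += [(net, VPN_IF) for net in CORP_SUBNETS]
    else:
        # Full tunnel: the default route points into the VPN, so Internet
        # access depends on a firewall policy from the tunnel to the WAN.
        routes.append(("0.0.0.0/0", VPN_IF))
    return [(ipaddress.ip_network(n), ifc) for n, ifc in routes]


def egress(routes, dst):
    """Longest-prefix match: interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def path_report(split_tunnel):
    """Map each constructed test destination to its egress interface."""
    routes = build_routes(split_tunnel)
    targets = {
        "internal file server": "10.10.4.20",
        "internal DNS server": "10.10.0.53",
        "ISP DNS resolver": "198.51.100.53",
        "public web site": "198.51.100.80",
    }
    return {name: egress(routes, ip) for name, ip in targets.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("split tunnel" if mode else "full tunnel", path_report(mode))
```

In split-tunnel mode the ISP resolver is reached over the home gateway while the internal DNS server is only reachable through the tunnel, which matches the name-resolution symptom reported earlier in the thread.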
FortiRack_Eric
New Contributor III

For Internet access (not using split tunnel): to allow internal access for connected clients the fw rule should be:

ssl.root (ssl-segment) wan1 (all) NAT (allowed services) (protection profile) ACCEPT

Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
rwpatterson

I believe he means
For Internet access (not using split tunnel): to allow Internet access for connected clients

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com