Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
> Without that routing statement, the SSL ain't gonna happen

Interesting. I know that you don't write Fortigate documentation, but are you aware that there is no mention of creating a route of any kind in any of the Fortigate documentation on setting up an SSL network?

> How far along in the process do you get?

It's hard to characterize.
> Basic rule: if your network range is 192.168.0.0/24 then any of your remote connections/networks are NOT. A SSL connection is a remote connection. So you define your SSL range like 172.19.1.0/24 then you can setup a routing to the ssl.root interface.

OK, I see I made a mistake. If you read the documentation carefully it does say that. However, I have the Fortigate managing an IPSec VPN which assigns IP addresses in my internal network range, and it seems to me that IPSec is a remote connection. So, starting again using 192.168.32.1-192.168.32.255 as my tunnel IP range and 192.168.0.0/24 is my internal network range.

Let's dive into Basic SSL Setup.pdf. "Under Advanced, define any internal DNS or WINS servers present in your network, ...". OK, 192.168.0.250 is my DNS and WINS server, so enter that twice. Set up a user and user group ... check. I have LDAP working for IPSec but for now I'm just trying to get this going with a locally defined user.

Define a firewall policy. Set the Source Interface to the interface that connects your FortiGate unit to the Internet .. OK, Wan1. Set the Source Address to all. Set the Destination Interface to the interface connected to your internal network ... OK, internal. Set the Destination Address to all. Set the action to SSL-VPN. Select the user group that you just added in the list on the left and select the right arrow to add that user group to this policy. Select OK.

"Error: Destination address of split tunneling policy is invalid". OK, turn off split tunneling for that user group, although I'll certainly need it to put this into production; I'm not going to feed all traffic from a user in Israel or India or the Ukraine through me. Off to another tab to test ... OK, I can log in, and I can initiate tunnel mode and get connected.

According to the manual "Access at this point requires either that users know the IP addresses of internal servers, or that your DNS server is configured to resolve internal machine names, also called netbios names, of those servers." Well, my DNS server at 192.168.0.250 is configured to resolve NetBIOS names, but let's go to http://192.168.0.250 in a new tab. Internet Explorer cannot display the webpage. Ipconfig /all yields:

    PPP adapter fortissl:
       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : fortissl
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.32.1(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 0.0.0.0
       DNS Servers . . . . . . . . . . . : 192.168.0.250
       Primary WINS Server . . . . . . . : 192.168.0.250
       Secondary WINS Server . . . . . . : 192.168.0.250
       NetBIOS over Tcpip. . . . . . . . : Enabled

Back to the "Welcome to SSL-VPN Service" tab. Test for reachability 192.168.0.250 returns reachable. Connect to Web Server 192.168.0.250 opens a new window with Remote Web Workplace displayed and https://192.168.16.16:10443/proxy/http/192.168.0.250/ in the address bar. Click on My Company's Internal Web Site: Internet Explorer cannot display the webpage. https://192.168.16.16:10443/proxy/http/companyweb in the address bar. Gosharootie, seems to me that this is pretty useless and not operating as advertised. This message is a tad long, so I'll continue on the next rock ...
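The routing advice quoted in the post above, written out as an added FortiOS CLI example that is not part of the original thread or of Bob's scripts: the tunnel range is the 192.168.32.0/24 the poster chose (outside the 192.168.0.0/24 LAN), the static route sends return traffic to the ssl.root interface, and the object names are assumptions. The INTERNAL_LAN object is the kind of specific destination a split-tunnel policy needs where the poster had used "all".

```text
config firewall address
    edit "SSLVPN_TUNNEL_RANGE"
        set subnet 192.168.32.0 255.255.255.0
        set comment "Assumed name: SSL VPN tunnel pool, kept outside the LAN range"
    next
    edit "INTERNAL_LAN"
        set subnet 192.168.0.0 255.255.255.0
        set comment "Assumed name: LAN reached over the tunnel; use as policy destination instead of all"
    next
end
config router static
    edit 0
        set dst 192.168.32.0 255.255.255.0
        set device "ssl.root"
        set comment "Return traffic to SSL VPN clients goes out the ssl.root interface"
    next
end
```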