Fortinet Community

mackdav · ‎11-25-2013

Greetings, If I have two security groups that are not permitted to access each other' s networks, and both are using SSL-VPN to connect, is there a way to provide each group with their own unique DNS server and suffix information when they connect in?

oheigl · ‎12-04-2013

Hi, I' m not quite sure about it, but you can configure DNS servers in the CLI for a portal. For example: config vpn ssl web portal edit <portalname> config widgets edit <numberoftunnelwidget> set dns-server1 set dns-server2 end end You can try it, if it doesn' t work, you need to create seperate VDOMs for every portal

rwpatterson · ‎12-04-2013

I think having unique DNS servers is less of an issue. Even if they can resolve the unneeded names, it' s the access to them that each login should prevent. So using the same DNS but blocking access should be the goal. My 2 cents.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

mackdav · ‎03-12-2015

I ended up hacking the problem another way.

I created a "common" network that all VPN clients have access to, and placed a DNS server on that network, setting all VPN clients to use that DNS server while connected. The DNS server knows about the domains that individual clients will request, and forwards requests to servers on the appropriate client network. The firewall has ACLs to permit the DNS server to query the client networks DNS servers.

Downside to this solution is I can't push a dns suffix to clients, but other than that it works properly.

Fortinet Community

SSL VPN DNS Servers