djg
New Contributor

SSL-VPN Realm - issue with setup...

We are trying to implement SSL-VPN Realms and are running into an issue.

 

When we try to create a new realm, the URL defaults to the inside interface. We have tried to find a way to manually change the URL to use the correct interface, which is actually the DMZ interface (that interface is the connection to the outside, we are behind another firewall).

 

  • We have SSL-VPN Web Portal working fine. We are able to access and use the portal fine. We are just having issues with implementing realms.
  • The DMZ-interface is defined in the SSL-VPN settings as the interface to listen on, and again, it is working fine.
  • The issue is when we create a new realm, it listens on the inside interface.

    We have searched in both the GUI and CLI and it does not seem there is a way to manually define the complete URL. Also, we are unable to locate anywhere to manually set the interface that the SSL-VPN Realm uses. We are unable to determine why it is defaulting to the inside interface even though in the SSL-VPN settings it is listening on the DMZ-interface.

     

    We also created a ticket with Fortinet and hope they will have an answer. Just thought we would reach out to the forum to see if anyone else has run across this issue and found a solution. If we resolve the issue with Fortinet, we will post the fix here.

     

    THANKS!

    7 REPLIES
    djg
    New Contributor

    We were able to resolve the issue by deleting and recreating the realms and recreating the Authentication/Portal mappings under SSL-VPN settings.

    Toshi_Esumi
    SuperUser

    Sounds like a bug but what's the model and os version?

    emnoc
    Esteemed Contributor III

    I don't think this is a bug btw. How did you set the realm? And do you have any auth-rules?

     

    PCNSE NSE StrongSwan
    djg
    New Contributor

     I should have been more clear in my previous posts, sorry.

     

    We had an SSL-VPN set up with a realm for mobile client users set up and working. On Friday, it just stopped working.

     

    Specifically, iOS devices were unable to connect via the FortiClient using the realm set for tunnel mode. Android FortiClient users were still working on that realm and so were the SSL-VPN Web users that connected via browser. After a reboot of the firewalls, no mobile client users were able to connect but the SSL-VPN Web users were still working fine.

    While troubleshooting the issue, we noticed that the link shown for the URL was referencing the inside interface. We had mistakenly thought this was specifying the actual URL users were supposed to use to connect, but it turned out to be just an example URL. This is why the post referenced manually setting the interface for the URL.

     

    We later determined the example URL was based on the interface you logged into the firewall on:

     

                           

     

    And confirmed by accessing from a different interface:

     

     

    We confused the example URL as an informative section like the SSL-VPN port listened on set under the SSL-VPN settings page:

     

     

     

    As part of our troubleshooting process we deleted/recreated the SSL-VPN realms and deleted/recreated the users/groups under Authentication/Portal Mapping on the SSL-VPN Settings page. We had not noticed this had resolved the issue as we were focused on the non-issue of the example URL.

     

    I hope this clears up any confusion.

    Edwin1
    New Contributor

    Thanks DJG,

    I had the same issue

    djg

    Model: FortiGate 500D

    FW Version: v5.4.4,build1117 (GA)

    emnoc
    Esteemed Contributor III

    I'll test it for you later tonight. What interfaces do you have SSLvpn enabled on? (I'm assuming more than one)

     

    Ken

     

    PCNSE NSE StrongSwan