Not applicable

SSL VPN based on VIP address

Hi all, does anyone know whether SSL VPN can be used on a VIP instead of the WAN interface IP? =.=???
abelio
SuperUser

Hello and welcome,
ORIGINAL: [v3]shinn Does anyone know whether SSL VPN can be used on a VIP instead of the WAN interface IP? =.=???
?? What exactly are you trying to solve?

regards / Abel
Not applicable

?? What exactly are you trying to solve?
Hi, thanks. I recently started setting up Fortinet products. :)

Actually, I have 6 public IP addresses. One IP is already assigned to WAN1, and I would like to use the 2nd IP for SSL VPN, so I tried to create a VIP for it.

Example scenario: services have static NAT to other servers. Below is just a simple test case that I have done, to test whether a VIP can be used for SSL VPN with PAT.

443 = https
10443 = sslvpn
wan1 = 10.1.1.1/32 (public IP assigned by the ISP through PPPoE)
VIP (https) = 10.1.1.1 --> 172.16.1.1, 443 --> 443
VIP (sslvpn) = 10.1.1.2 --> 172.16.1.2, 443 --> 10443

OK, for some reason, for the second VIP I am not able to use 443 again for 10.1.1.2, so I tried to use 443 but map it to 10443. This is because the client site blocks 10443. In order to use SSL VPN, I tried to use the 2nd public IP with port 443 mapped to 10443.

This is what I was trying to ask earlier: can SSL VPN be used on a VIP??? Because from my test case, it failed. Login from the client PC to https://10.1.1.1:10443 [successful], but trying https://10.1.1.2:443 [failed].

Maybe I have to play around with the firewall policy? Or some other setting I missed for the VIP? I couldn't find any details or guide regarding this in the Fortinet knowledge base. Should I say the VIP is for NATing, and NATing can't be used for SSL VPN tunneling, am I right?

Any advice from you? Thanks
abelio

Actually, I have 6 public IP addresses. One IP is already assigned to WAN1, and I would like to use the 2nd IP for SSL VPN, so I tried to create a VIP for it.
Hmm.. that will not work; your FTG device is the SSL VPN tunnel's end. If your main concern is using different port numbers for administrative access to the unit, just change them according to your needs; under System->Admin->Settings you can adjust your HTTPS port to release 443, for example, for other uses; assign another number to the SSL VPN port and so on.

regards / Abel
jmac
New Contributor

Try this:
Set FortiGate admin SSLVPN to 443.
Set FortiGate admin HTTPS to 10443 (or something else).
Public IP assigned to WAN1 used for SSL-VPN.
Create VIP with External Interface WAN1, external IP is the 2nd public IP, mapped to the public IP address of the FortiGate WAN1 interface, external port 443 mapped to port 10443.
Create firewall rule from WAN1/any to WAN1/VIP.
Not applicable

Hmm.. that will not work; your FTG device is the SSL VPN tunnel's end. If your main concern is using different port numbers for administrative access to the unit, just change them according to your needs; under System->Admin->Settings you can adjust your HTTPS port to release 443, for example, for other uses; assign another number to the SSL VPN port and so on. regards
Hi abelio, it is not a concern for administrative access. Yes, true, that sure can work by changing the SSL VPN port. I even disabled HTTPS (443) in [admin-->setting] for the testing. The customer would like to use the 2nd public IP with port 443 for SSL VPN, and keep the 1st public IP with port 443 for the HTTPS service.

Try this: Set FortiGate admin SSLVPN to 443. Set FortiGate admin HTTPS to 10443 (or something else). Public IP assigned to WAN1 used for SSL-VPN. Create VIP with External Interface WAN1, external IP is the 2nd public IP, mapped to the public IP address of the FortiGate WAN1 interface, external port 443 mapped to port 10443. (I have advised the customer to change the port.) Create firewall rule from WAN1/any to WAN1/VIP.
Hi jmac, yes, I have tried that too. But something weird happened. I am able to access the SSL VPN web page (https://10.1.1.2), but when I tried to log in with a correct username & password, it failed with the error message "Permission denied". I even created a VIP with the 2nd public IP mapped to the internal interface, external port 443 mapped to port 10443. But it still failed. What I'm thinking is that the SSL VPN has to be tied to the physical interface WAN1 and not a VIP... I'm not so sure.. need to ask an expert.. Regards
jmac
New Contributor

Use the public IP on the WAN interface for SSL-VPN. Use a Virtual IP to redirect to the HTTPS admin interface.
FortiRack_Eric
New Contributor III

If you want another (v)IP for the SSL-VPN, or more than one SSL-VPN on multiple IPs, then you can use VDOMs for that and create a VIP to redirect the external IP to inter-VDOM links. Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Carl_Wallmark
Valued Contributor

I actually opened a ticket a while ago with this issue, and they said the only way to do this is to enable the overlap-subnet command, and then assign the public IP as a secondary IP on the interface. Here is the output from that ticket:
------------------------------------
Thanks for the update. As per my understanding of your scenario, I have tried the below scenario in my lab:
FortiGate's Wan1 - 192.168.140.207/23
internal IP - 10.129.0.207/23
Created a VIP on the FortiGate with external IP 192.168.0.207:443 to Webserver with local IP 10.129.0.204:443
Assigned a secondary IP on WAN1 as 192.168.140.188/23 after enabling subnet-override as below:
#config system settings
#set allow-subnet-overlap enable
#end
Changed the HTTPS port to 442 and SSLVPN Login Port to 443 in Admin -Settings
Result: I am able to access ssl vpn on http://192.168.140.188 and web server on https://192.168.140.207 and FortiGate on https://192.168.140.207:442
Please check and let me know if the above example meets your requirement. As requested earlier, please provide me the config file of the FortiGate in case of any further assistance.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FortiRack_Eric
New Contributor III

I would fire the SE that advises this. Allowing overlapping subnets removes the stateful inspection of a firewall, and that is not what anybody wants. It also allows asymmetric routing. NEVER ever go this way. Regards, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
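As an added illustration of the layout problems raised by abelio, jmac and the ticket Carl quoted (example code, not from the forum or from Fortinet): a small Python checker that takes a planned FortiGate layout (the unit's interface addresses, admin HTTPS port, SSL VPN port, VIPs and secondary IPs) and reports the conflicts discussed in this thread: a VIP sitting on an address:port the unit itself listens on, a VIP meant for SSL VPN that forwards anywhere but the unit's own portal, and a secondary IP that overlaps an interface subnet and so depends on allow-subnet-overlap. The Vip class, the purpose labels and the assumption that the admin GUI and the portal listen on every interface address are mine.

```python
from dataclasses import dataclass
from ipaddress import ip_interface

SERVICE = {"sslvpn": "SSL VPN", "admin": "admin HTTPS"}   # services the unit terminates itself

@dataclass(frozen=True)
class Vip:
    name: str
    purpose: str      # "sslvpn", "admin" or "server": what the VIP is meant to reach (my label)
    ext_ip: str       # public address the VIP answers on
    ext_port: int
    mapped_ip: str    # DNAT target
    mapped_port: int

def check_layout(unit_ifaces, admin_port, sslvpn_port, vips, secondary_ips=(), overlap_enabled=False):
    """Return findings (strings) for a planned listener/VIP layout on one FortiGate.
    unit_ifaces: the unit's interface addresses in CIDR form, e.g. ["10.1.1.1/32", "172.16.1.254/24"].
    Assumption: the admin GUI and the SSL VPN portal listen on every one of those addresses."""
    ifaces = [ip_interface(a) for a in unit_ifaces]
    local = {}                      # (ip, port) -> service the unit itself answers with
    for i in ifaces:
        local[(str(i.ip), admin_port)] = "admin HTTPS"
        local[(str(i.ip), sslvpn_port)] = "SSL VPN"
    findings = []
    if admin_port == sslvpn_port:
        findings.append(f"admin HTTPS and SSL VPN share port {admin_port}; give one of them another port")
    for v in vips:
        # a VIP on an address:port the unit already answers on competes with that local service
        clash = local.get((v.ext_ip, v.ext_port))
        if clash:
            findings.append(f"VIP {v.name}: {v.ext_ip}:{v.ext_port} is also the unit's {clash} listener")
        # where does the DNAT actually land, and is that what the VIP was meant to reach?
        landed = local.get((v.mapped_ip, v.mapped_port))
        wanted = SERVICE.get(v.purpose)
        if wanted and landed != wanted:
            findings.append(f"VIP {v.name}: meant for {wanted} but forwards to {v.mapped_ip}:{v.mapped_port} "
                            f"({landed or 'a host behind the unit'}); {wanted} is terminated on the unit itself")
        elif not wanted and landed:
            findings.append(f"VIP {v.name}: forwards server traffic onto the unit's own {landed} listener")
    for s in secondary_ips:
        # the ticket's workaround: a secondary IP inside an existing interface subnet
        sec = ip_interface(s)
        for i in ifaces:
            if sec.ip != i.ip and sec.network.overlaps(i.network):
                need = "relies on" if overlap_enabled else "needs"
                findings.append(f"secondary {s} overlaps {i.with_prefixlen}; this {need} allow-subnet-overlap")
    return findings
```

Feeding it the original poster's two VIPs flags the https VIP as colliding with the admin listener on 10.1.1.1:443 and the sslvpn VIP as never reaching the portal, while jmac's plan only trips the check when the VIP is labelled as being for SSL VPN rather than for admin access.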