Support Forum
BensonLEI
Contributor

Specific SSLVPN user exclusive to 'Limit access to specific hosts'

Hi, guys,

The company FortiGate is configured with the SSL-VPN setting 'Limit access to specific hosts'.

But the boss wants to SSL-VPN to the company from anywhere. Is it possible to exempt a specific user from this limit?

Any advice?

Many thanks
1 Solution
Yurisk
Valued Contributor

Hi Benson,

I don't think it is possible, if I get you right - you limit access to the VPN SSL portal(s) by source IP address of the clients? If so, then this configuration is global for the SSL VPN service, and I don't see an option to make it otherwise. Only separate VDOMs for each group of users.

Realms allow separation per User Group/URL, but AFTER ANY client from the Internet has reached the VPN SSL port already. Basically it is the same as mapping different User Groups on the FortiGate to different portals with no limit to specific hosts - if you limit (or not) access to Specific Hosts, you limit (or not, accordingly) access to all portals/realms at once. This is configuration-wise; I haven't tried to validate it on an actual FortiGate though.

HTH,

Yuri

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
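An added audit helper (not from the thread or from Fortinet) that parses a FortiOS-style config export and reports the scope of the host filter Yuri describes: `source-address` sits directly under `config vpn ssl settings`, above every `authentication-rule`, so one restriction covers all the group/realm rules beneath it. The config text and the address, group and realm names are constructed.

```python
"""Audit the SSL-VPN block of a FortiOS-style config export (added example, not from the thread)."""
import shlex

# Constructed export with hypothetical address, group and realm names.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set source-address "HQ_and_branch_IPs"
    set source-address-negate disable
    config authentication-rule
        edit 1
            set groups "vpn-staff"
            set realm "staff"
        next
        edit 2
            set groups "vpn-exec"
            set realm "exec"
        next
    end
end
"""

def parse_fortios(text):
    """Nest config/edit ... next/end blocks into dicts; each set becomes a value list."""
    root, stack = {}, []
    cur = root
    # shlex honours the quoted names in the export; empty lines are skipped
    for tok in filter(None, map(shlex.split, text.splitlines())):
        kw, args = tok[0], tok[1:]
        if kw in ("config", "edit"):    # open a nested block keyed by its name
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":               # attribute of the current block
            cur[args[0]] = args[1:]
        elif kw in ("next", "end"):     # close the current block
            cur = stack.pop()
    return root

def audit_ssl_vpn(text):
    """Show the host filter and every authentication rule that sits beneath it."""
    ssl = parse_fortios(text).get("vpn ssl settings", {})
    rules = ssl.get("authentication-rule", {})
    return {
        "global_source_filter": ssl.get("source-address", []),  # one filter for the whole service
        "rules_under_filter": sorted(rules),                    # every group/realm rule it covers
        "rule_realms": {r: v.get("realm", [""])[0] for r, v in rules.items()},
    }

if __name__ == "__main__":
    for key, value in audit_ssl_vpn(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a real `show vpn ssl settings` export to see which authentication rules share the single source filter; a rule that must be reachable from anywhere cannot be carved out of that list by this block alone.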

Toshi_Esumi
Esteemed Contributor III

Use realms to have different user groups.

https://docs.fortinet.com...72/ssl-vpn-multi-realm

BensonLEI

Hi, Toshi,

We shall check and verify this solution, thanks so much for your information.

Cheers

BensonLEI

Hi, Yurisk,

You are correct, Multi-REALM does not meet the requirement. Are extra resources required to create an additional VDOM? And can we create an additional VDOM on the current FortiGate device (already in production)?

Thanks a lot
ab_mbh

Hi Guys,

I think I have something like the same issue. I have configured it as you see below, but it doesn't work. If I authenticate with a user that is not mbh@ it still allows the user to go to the destination address on RDP.. :(

Is this the same limit?

Yurisk
Valued Contributor

BensonLEI wrote:
Are extra resources required to create an additional VDOM? And can we create an additional VDOM on the current FortiGate device (already in production)? Thanks a lot

The mere fact of enabling VDOMs on the firewall does not add to the load/resources usage, at least not anything to be noticed.

Every hardware model of FortiGate, provided it supports VDOMs at all (not FG 30 etc.), allows up to 10 VDOMs to be created license-wise. A VDOM is a virtual firewall, so basically you are creating an additional firewall with separate interfaces, networking, and security/VPN rules. It is not the kind of decision to just click through easily - you need to think about it in context. In your case, if you create 2 VDOMs (it does not by itself involve downtime, as all existing configs are auto-assigned to the Root VDOM) you have to think of separating the WAN interface in 2 - one for each VDOM, each with its own WAN/legal IP - can you do so with your ISP provider? Then each WAN IP would listen for VPN SSL with its own configuration, including restricting the hosts.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
BensonLEI

Hi, Yuri,

Thanks so much for your information.

We found another workable solution for this requirement (not related to FortiGate configuration).

For creating an additional VDOM:

1. extra resource

2. extra WAN IP

3. extra MA resource.

beltskyy
New Contributor III

BensonLEI wrote:
We find another workable solution for this requirement
Could you please share your solution with us? I am also having the same task now.