Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

URL through SSL VPN



I have this scenario

The users have a specific URL that needs to be accessed via a specific public IP 

The public IP is that of the company. 


So when a user connects to the SSL VPN that is not full tunnel, what are the options available for the user to have the public IP for that specific URL?


I see that the tunnel mode of the portal takes only IP 


Thanks and regards, 



If the IP is public, then why is VPN needed? A public IP is intended to be accessed on the internet without VPN.




The URL is accessed only by whitelisted IPs 

It is a corporate one. 

So the user can only access it through VPN




Hey fortiFWuser,

just to make sure we understand:

- you have a server behind a public IP

- the server's URL resolves to this public IP with any public DNS

-> with your internal DNS, the URL resolves to an internal IP?
- you have a policy in place to only allow access to this public IP from specific sources, such as VPN IP range

To access the server, your users need the following:
1. Be connected to VPN

2. Resolve the server's URL to its public IP

3. Have a route to that public IP through VPN

4. Access the server on its public IP through VPN (with VPN source IP)

Is this correct?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

Hello @Debbie_FTNT 


The URL that accepts only whitelisted IP is not in my company. 

It is a service accessed by my company. 


So the scenario is as follows
I have a user connected to the VPN of my company.

I would like him to have internet from his provider, but when he tries to access that specific URL, to do it through the VPN in order to have the public IP of my company. 




Hey FortiFWuser,

thank you for clarifying the scenario, I was a bit confused by your initial description.

In this case, the solution is fairly simple, assuming that service has a static IP (or IP range)

-> add the public IP (range) for this service to the split-tunneling destinations of your VPN

-> create a policy from SSLVPN interface to WAN, and destination the service's IP (range); enable NAT

It should go something like this then:
- a VPN user tries to access the URL

- their host will look up the IP

- the host will check routing table and find a specific route to the IP via VPN

-> traffic goes into VPN tunnel

- on FortiGate, traffic should match the policy from VPN to WAN

- the request should go out the FGT WAN interface with the FGT public IP


If the service doesn't have a static IP or range, it may not be possible; FQDNs can't be added to VPN split-tunneling at the moment, so you would have to disable split-tunneling or try to figure out a workaround to force the traffic via VPN tunnel when we can't provide a simple static route via VPN.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
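
The route selection described in the reply above, and its caveat about services without a static IP, can be checked with a short script. This is an added example, not part of the original thread or Fortinet code; the function names, the split-tunnel prefixes and the resolved addresses are constructed assumptions (documentation ranges).

```python
import ipaddress

def build_routes(split_tunnel_prefixes):
    """Client routing table under split tunneling:
    default route via the ISP, listed prefixes via the VPN."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "isp")]
    routes += [(ipaddress.ip_network(p), "vpn") for p in split_tunnel_prefixes]
    return routes

def next_hop(routes, ip):
    """Longest-prefix match, as the host does when it checks its routing table."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, via) for net, via in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def audit(resolved_ips, split_tunnel_prefixes):
    """Return the service addresses that would leave via the ISP, i.e. reach
    the service with the user's own public IP instead of the FortiGate's
    and fail the whitelist."""
    routes = build_routes(split_tunnel_prefixes)
    return sorted(ip for ip in set(resolved_ips) if next_hop(routes, ip) == "isp")

# Constructed sample data, not real service addresses.
SPLIT_TUNNEL = ["10.0.0.0/8", "203.0.113.0/28"]            # split-tunneling destinations
RESOLVED_TODAY = ["203.0.113.5", "203.0.113.9"]            # what the URL resolves to now
RESOLVED_AFTER_CHANGE = ["203.0.113.5", "198.51.100.20"]   # provider moved one record

if __name__ == "__main__":
    for label, ips in (("today", RESOLVED_TODAY),
                       ("after DNS change", RESOLVED_AFTER_CHANGE)):
        leaks = audit(ips, SPLIT_TUNNEL)
        print(label, "-> all via VPN" if not leaks else f"-> bypass VPN: {leaks}")
```

Running the audit periodically against the addresses the URL currently resolves to shows when the split-tunneling destinations have gone stale.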
