Hello,
I have this scenario
The users have a specific URL that needs to be accessed via a specific public IP
The public IP is that of the company.
So when a user connects to the SSL VPN that it is not full tunnel, what are the options available for the user to have the public IP for that specific URL?
I see that the tunnel mode of the portal takes only IP
Thanks and regards,
Konstantinos
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If the IP is public then why VPN is needed? since public IP is intended to be accessed on internet without VPN.
Hello
The URL is accessed ony by whitelisted IPs
It is a corporate one.
So the user can only access it through VPN
Hey fortiFWuser,
just to make sure we understand:
- you have a server behind a public IP
- the server's URL resolves to this public IP with any public DNS
-> with your internal DNS, the URL resolves to an internal IP?
- you have a policy in place to only allow access to this public IP from specific sources, such as VPN IP range
To access the server, your users need the following:
1. Be connected to VPN
2. Resolve the server's URL to its public IP
3. Have a route to that public IP through VPN
4. Access the server on its public IP through VPN (with VPN source IP)
Is this correct?
Hello @Debbie_FTNT
The URL that accepts only whitelisted IP is not in my company.
It is a service accessed by my company.
So the scenario is as follows
I have a user connected to the VPN of my company.
I would like to have internet from his provider, but when he tries to access that specific URL to do it through the VPN in order to have the public IP of my company.
Hey FortiFWuser,
thank you for clarifying the scenario, I was a bit confused by your initial description.
In this case, the solution is fairly simple, assuming that service has a static IP (or IP range)
-> add the public IP (range) for this service to the split-tunneling destinations of your VPN
-> create a policy from SSLVPN interface to WAN, and destination the service's IP (range); enable NAT
It should go something like this then:
- a VPN user tries to access the URL
- their host will look up the IP
- the host will check routing table and find a specific route to the IP via VPN
-> traffic goes into VPN tunnel
- on FortiGate, traffic should match the policy from VPN to WAN
- the request should go out the FGT WAN interface with the FGT public IP
If the service doesn't have a static IP or range, it may not be possible; FQDNs can't be added to VPN split-tunneling at the moment, so you would have to disable split-tunneling or try to figure out a workaround to force the traffic via VPN tunnel when we can't provide a simple static route via VPN.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.