Use SSL VPN List Information dynamically in a policy
Hello,
I'm relatively new to using FortiManager.
I need to get the IPs from the "Remote Host" entry in the SSL monitor and use them dynamically in a policy.
I can see the IP on the CLI via "execute vpn sslvpn list" or in FortiManager at VPN Manager -> SSL VPN -> Monitor.
Does anybody have a hint on how to use it in a policy? I thought about a TCL script, but I don't know exactly how to start. On the other hand, I hope that if FortiManager has already "stored" the remote host IP in its database, there may be an easier way to use it in a policy?
Background: I need to grant external users access to an RDP server behind a FortiGate VDOM without opening the RDP port to an "all" source on the WAN. The users are not able to install FortiClient, but they are created as users on a Microsoft Active Directory server and can authenticate against the SSL VPN on the FortiGate as well as against the RDP server. The users change often and have different dynamic IPs (trainees who use the RDP server for training courses).
I tried to use the SSL VPN web interface with an RDP bookmark, but the HTML RDP client does not meet the quality requirements.
Any ideas?
Thanks a lot!
Labels: FortiManager
For the users connected to SSL VPN, will they be connecting to the RDP server via SSL VPN or through the internet? Do you have split-tunneling enabled?
Suraj
Created on 05-16-2023 12:33 AM Edited on 05-16-2023 12:35 AM
The users could connect via the web interface to SSL VPN, but they are not able to install the client. Because of that they can't use the native RDP client, only the web RDP client from FortiGate. But the HTML RDP client does not meet the quality requirements. Therefore I thought they might log in via the web interface to SSL VPN, I get/see the public IP from their ISP and automatically grant access via a policy from WAN from their IPs (as source) to the RDP server (for security reasons it is not intended to make the RDP server reachable for "all" from WAN).
This method will need continuous monitoring of SSL VPN users, and when they disconnect you need to modify the policy to remove the IP address. I don't think FortiManager is designed to handle such scenarios.
Suraj
Hi Suraj, I don't need continuous monitoring. It will be acceptable to get the information at a specific time (e.g. at 8:00 a.m.) and use these IPs for a policy. If it is not working to get the information from the web SSL log-in, I may be able to use a website where the trainees can register their daily updated IP in the morning and generate a file. How can I use the file for a script in this case?
Thanks
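The daily IP file idea from the post above, as an added example that is not from this thread or from Fortinet: a Python script that validates the registered addresses and renders FortiGate CLI for an address group that the WAN-to-RDP policy uses as its source. The file format, the object names, the RDP_TRAINEES_SRC group and the address/addrgrp CLI syntax are my assumptions.

```python
import ipaddress

# Constructed sample of the daily registration file: one "user,ip" line per trainee.
SAMPLE_FILE = """\
# registered 2023-05-16 08:00
trainee01,203.0.113.10
trainee02,198.51.100.25
trainee03,not-an-ip
trainee04,10.0.0.7
trainee02,198.51.100.25
"""
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_acceptable(ip):
    """Public WAN address test; is_global is avoided only because it also rejects the RFC 5737 sample ranges."""
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return False
    return not any(ip in net for net in RFC1918)

def parse_registrations(text):
    """Return ({ip: user}, [(lineno, line, reason)]); bad entries are skipped so they never widen the policy."""
    accepted, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, value = line.partition(",")
        try:
            ip = ipaddress.IPv4Address(value.strip())
        except ValueError:
            rejected.append((lineno, line, "not an IPv4 address"))
            continue
        if not is_acceptable(ip):
            rejected.append((lineno, line, "not a public address"))
            continue
        accepted.setdefault(str(ip), user.strip())  # duplicates collapse to one object
    return accepted, rejected

def render_fortigate_config(accepted, label, group="RDP_TRAINEES_SRC", prefix="trainee_"):
    """Emit FortiGate CLI (assumed syntax): /32 address objects plus the group the policy uses as source."""
    if not accepted:  # fail closed: emit nothing rather than an empty or unchanged group
        raise ValueError("no acceptable addresses; leave the policy untouched")
    lines, names = ["config firewall address"], []
    for ip, user in sorted(accepted.items(), key=lambda kv: ipaddress.IPv4Address(kv[0])):
        name = prefix + ip.replace(".", "_")
        names.append(name)
        lines += [f'    edit "{name}"', f"        set subnet {ip} 255.255.255.255",
                  f'        set comment "{user} {label}"', "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              "        set member " + " ".join(f'"{n}"' for n in names), "    next", "end"]
    return "\n".join(lines)
```

The rejected list is what to review before the rendered text is pushed through the usual FortiManager script path, and the group should be rebuilt each morning so that yesterday's addresses do not linger in the policy.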
Hi, thanks, but I don't have a dynamic IP on the FortiGate WAN. The clients have various IPs which I want to use in a policy.
kr, Sebastian