Hello,
I'm relatively new to using FortiManager.
I need to get the IPs from the "Remote Host" entry in the SSL monitor and use them dynamically in a policy.
I can see the IP on the CLI via "execute vpn sslvpn list" or in FortiManager at VPN Manager -> SSL VPN -> Monitor:
Does anybody have a hint on how to use it in a policy? I thought about a TCL script, but do not know exactly how to start. On the other hand, I hope that if FortiManager has already "stored" the remote host IP in its database, there may be an easier way to use it in a policy?
Background: I need to grant external users access to an RDP server behind a FortiGate VDOM without opening the RDP port to an "all" source on the WAN. The users are not able to install FortiClient but are created as users on a Microsoft Active Directory server and can authenticate against the SSL VPN on the FortiGate as well as against the RDP server. The users change often and have different dynamic IPs (trainees who use the RDP server for training courses).
I tried to use the SSL VPN web interface with an RDP bookmark, but the HTML RDP client does not meet the quality requirements.
Any ideas?
Thanks a lot!
The users connected to SSLVPN, will they be connecting to the RDP server via SSLVPN or through internet? Do you have split-tunneling enabled?
Created on 05-16-2023 12:33 AM Edited on 05-16-2023 12:35 AM
The users could connect via the web interface to SSL, but are not able to install the client. Because of that they can't use the native RDP client, only the web RDP client from FortiGate. But the HTML RDP client does not meet the quality requirements. Therefore I thought they could log in via the web interface to SSL, I get/see the public IP from their ISP and automatically grant access via policy from WAN from their IPs (as source) to the RDP server. (For security reasons it is not intended to make the RDP server reachable for "all" from WAN.)
This method will need continuous monitoring of SSL VPN users, and when they disconnect you need to modify the policy to remove the IP address. I don't think FortiManager is designed to handle such scenarios.
Hi Suraj, I don't need continuous monitoring. It will be acceptable to get the information at a specific time (e.g. at 8:00 a.m.) and use these IPs for a policy. If it is not possible to get the information from the web SSL login, I may be able to use a website where the trainees can register their daily updated IP in the morning and generate a file. How can I use the file for a script in this case?
Thanks
You can map your dynamic IP to a host domain, then you will get a fixed address. This post may help you: Remote Desktop Dynamic IP
Hi, thanks, but I don't have a dynamic IP on the FortiGate WAN. The clients have various IPs which I want to use in a policy.
kr, Sebastian
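
Added example, not part of the thread and not Fortinet code: one way to turn the daily file of registered trainee IPs mentioned above into FortiOS CLI that defines /32 address objects and an address group usable as the policy source. The file format (one IPv4 address per line, `#` comments), the sample addresses, and the names `RDP-Trainees` and `trainee-` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of the daily registration file (one IP per line).
SAMPLE = """\
85.214.10.20
91.12.34.56   # trainee B
85.214.10.20
192.168.1.5
0.0.0.0/0
all
"""

def parse_ip_file(text):
    """Return (sorted unique public IPv4 hosts, rejected entries)."""
    accepted, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ip = ipaddress.IPv4Address(entry)  # single hosts only, no ranges
        except ValueError:
            rejected.append(entry)
            continue
        if ip.is_global:
            accepted.add(ip)
        else:
            rejected.append(entry)
    return sorted(accepted), rejected

def build_cli(ips, group="RDP-Trainees", prefix="trainee-"):
    """Render FortiOS CLI for /32 address objects and the group holding them."""
    if not ips:
        raise ValueError("no valid addresses; refusing to emit an empty group")
    names = [f"{prefix}{ip}" for ip in ips]
    out = ["config firewall address"]
    for name, ip in zip(names, ips):
        out += [f'    edit "{name}"',
                f"        set subnet {ip} 255.255.255.255",
                "    next"]
    # "set member" replaces the whole member list, so yesterday's IPs drop out.
    members = " ".join(f'"{n}"' for n in names)
    out += ["end", "config firewall addrgrp", f'    edit "{group}"',
            f"        set member {members}", "    next", "end"]
    return "\n".join(out)

if __name__ == "__main__":
    ips, rejected = parse_ip_file(SAMPLE)
    print(build_cli(ips))
    print("rejected:", rejected)
```

Entries such as `0.0.0.0/0` or `all` are rejected instead of being passed through, so a bad registration cannot widen the RDP policy back to any source. Address objects from earlier runs stay defined but are no longer referenced by the group.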