GuitarSepp
New Contributor

Use SSL VPN List Information dynamic in a policy

Hello,

I'm relatively new to using FortiManager.

I need to get the IPs from the "Remote Host" entry in the SSL monitor and use them dynamically in a policy.

I can see the IP on the CLI via "execute vpn sslvpn list" or in FortiManager at VPN Manager -> SSL VPN -> Monitor:

[screenshot: FortiManager SSL VPN monitor, 2023-05-15]


Has anybody a hint how to use it in a policy? I thought about a TCL script, but don't know exactly how to start with it. On the other hand, I hope that if FortiManager has already "stored" the Remote Host IP in its database, there may be an easier way to use it in a policy?

Background: I need to grant external users access to an RDP server behind a FortiGate VDOM without opening the RDP port to an "all" source on the WAN. The users are not able to install FortiClient, but they are created as users on a Microsoft Active Directory server and can authenticate against the SSL VPN on the FortiGate as well as against the RDP server. The users change often and have different dynamic IPs (trainees who use the RDP server for training courses).

I tried to use the SSL VPN web interface with an RDP bookmark, but the HTML RDP client does not meet the quality requirements.

Any ideas?

Thanks a lot!

srajeswaran
Staff

The users connected to SSL VPN: will they be connecting to the RDP server via SSL VPN or through the internet? Do you have split-tunneling enabled?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

GuitarSepp

The users could connect via the web interface to SSL VPN, but are not able to install the client. Because of that they can't use the native RDP client, only the web RDP client from the FortiGate. But the HTML RDP client does not meet the quality requirements. Therefore I thought they may be able to log in via the web interface to SSL VPN, I get/see the public IP from their ISP there and grant access automatically via a policy from WAN from their IPs (as source) to the RDP server (for security reasons it is not intended to make the RDP server reachable for "all" from WAN).

srajeswaran

This method will need continuous monitoring of SSL VPN users, and when they disconnect you need to modify the policy to remove the IP address. I don't think FortiManager is designed to handle such scenarios.

Regards,

Suraj


GuitarSepp

Hi Suraj, I don't need continuous monitoring. It would be acceptable to get the information at a specific time (e.g. at 8:00 a.m.) and use these IPs for a policy. If it does not work to get the information from the web SSL log-in, I may use a website where the trainees can register their daily updated IP in the morning and generate a file. How can I use the file for a script in this case?

Thanks
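One way to turn such a daily registration file into the source allow-list the RDP policy needs, as an added example that is not from this thread or from Fortinet: it validates the registered addresses, then emits FortiOS CLI for one /32 address object per trainee and an address group the policy references as srcaddr instead of "all". The "user,ip" file layout, the object and group names and the constructed sample entries are assumptions.

```python
import ipaddress

# Constructed sample of the daily registration file the poster proposes:
# one "user,ip" line per trainee (hypothetical format, not real data).
SAMPLE_FILE = """\
alice,203.0.113.17
bob,198.51.100.42
carol,10.0.0.5
dave,not-an-ip
alice,203.0.113.17
"""

# Ranges that can never be a trainee's public ISP address (RFC 1918, CGNAT).
NEVER_PUBLIC = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def parse_registrations(text):
    """Return (accepted, rejected): sorted unique (user, ip) pairs, and raw lines that failed."""
    accepted, rejected = set(), []
    for raw in text.splitlines():
        user, sep, ip_text = raw.strip().partition(",")
        try:
            ip = ipaddress.IPv4Address(ip_text.strip())
        except ValueError:  # malformed or empty address field
            rejected.append(raw)
            continue
        if (not user.strip() or ip.is_loopback or ip.is_multicast or ip.is_link_local
                or any(ip in net for net in NEVER_PUBLIC)):
            rejected.append(raw)
            continue
        accepted.add((user.strip(), str(ip)))
    return sorted(accepted), rejected


def build_fortios_cli(accepted, day, group="rdp-trainee-sources"):
    """Emit FortiOS CLI: one /32 address object per trainee plus an address
    group; the RDP policy uses that group as srcaddr instead of "all"."""
    if not accepted:
        raise ValueError("no valid addresses; refusing to emit an empty group")
    names, lines = [], ["config firewall address"]
    for user, ip in accepted:
        # Object names: letters, digits, '-' and '_' only (assumed naming scheme).
        name = "rdp-trainee-" + "".join(c if c.isalnum() or c in "-_" else "_" for c in user)
        names.append(name)
        lines += [f'    edit "{name}"', f"        set subnet {ip} 255.255.255.255",
                  f'        set comment "trainee allow-list {day}"', "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              "        set member " + " ".join(f'"{n}"' for n in names), "    next", "end"]
    return "\n".join(lines)
```

A scheduled job (or a FortiManager CLI script) applies the output each morning; the group's member list is replaced with that day's entries, while address objects from earlier days remain until you delete them.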

Olivia_7
New Contributor

You can map your dynamic IP to a host domain, then you will get a fixed address. This post may help you: Remote Desktop Dynamic IP

GuitarSepp

Hi, thanks, but I don't have a dynamic IP on the FortiGate WAN. The clients have various IPs which I want to use in a policy.

kr, Sebastian 
