planning to move away from using an Address Range to allocate DHCP addresses
Good day,
I am planning to move away from using an Address Range to allocate DHCP addresses to my SSL VPN full tunnel clients to using a Windows 2016 DHCP server. I have a FortiGate FGT200F running firmware 7.x.
The current Windows DHCP server is already set up with multiple scopes and uses VLANs to determine which to allocate based on this.
I have done some research, and it looks like all I need to do is:
- Create a new Address Range on the FortiGate with the new DHCP range.
- Create a new DHCP scope on the Windows server with the new DHCP range.
- Enable the DHCP proxy on the FortiGate:
  - config system settings
    - set dhcp-proxy enable
    - set dhcp-server-ip <dhcp-server-ip>
  - end
- config vpn ssl web-portal
  - edit "Portal-Tunnel"
    - set ip-mode dhcp
    - set dhcp-ra-giaddr <any-ip-in-dhcp-range>
  - end
- Update the FortiGate Firewall SSL VPN policies to use the new Address Range for the Incoming and Outgoing SSL VPN connections.
For the DHCP server to know which range to allocate to the SSL VPN users the dhcp-ra-giaddr option will be used instead of using VLANs.
Does this look good? Some of the commands set web-portal settings, but I have the SSL VPN web portal access disabled, so I am not sure if this is correct?
Thanks
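The Windows side of the procedure above, as an added example that is not part of the original post: a PowerShell script that creates the matching DHCP scope on the Windows Server 2016 DHCP server, checks that the giaddr the FortiGate will insert (`set dhcp-ra-giaddr`) actually falls inside that scope, keeps the giaddr itself out of the lease pool, and lists active leases so you can confirm they land inside the range your SSL VPN firewall policies reference. All addresses, the scope name and the DNS servers are constructed placeholders; the helper function names are this example's own.

```powershell
# Added example (not from the original post): Windows Server DHCP scope for the
# FortiGate SSL VPN tunnel clients, plus consistency checks against the FortiGate
# values. Every address below is a constructed placeholder; replace with your own.

# --- values that must agree with the FortiGate configuration (constructed) ---
$ScopeName  = 'SSLVPN-Tunnel'
$ScopeId    = '10.212.134.0'      # network of the new tunnel range
$SubnetMask = '255.255.255.0'
$StartRange = '10.212.134.10'     # same range as the FortiGate Address Range object
$EndRange   = '10.212.134.250'
$Giaddr     = '10.212.134.1'      # must equal 'set dhcp-ra-giaddr' on the FortiGate
$DnsServers = @('10.0.0.10', '10.0.0.11')

function ConvertTo-IPv4UInt32 {
    # Dotted-quad -> unsigned 32-bit integer so ranges can be compared numerically.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($b)   # bytes come in network order; BitConverter expects host order
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-IPv4InSubnet {
    # True when $Address and $Network agree on every bit that is set in $Mask.
    param([string]$Address, [string]$Network, [string]$Mask)
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($Network).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($a[$i] -band $m[$i]) -ne ($n[$i] -band $m[$i])) { return $false }
    }
    return $true
}

function Test-IPv4InRange {
    # True when $Address lies between $First and $Last inclusive.
    param([string]$Address, [string]$First, [string]$Last)
    $x = ConvertTo-IPv4UInt32 $Address
    return ($x -ge (ConvertTo-IPv4UInt32 $First)) -and ($x -le (ConvertTo-IPv4UInt32 $Last))
}

# The DHCP server selects the scope from the relay agent address (giaddr) carried in the
# relayed DHCPDISCOVER, so the giaddr the FortiGate inserts has to sit inside this
# scope's subnet or no scope matches and the VPN clients receive no offer.
if (-not (Test-IPv4InSubnet -Address $Giaddr -Network $ScopeId -Mask $SubnetMask)) {
    throw "dhcp-ra-giaddr $Giaddr is not inside scope $ScopeId/$SubnetMask"
}

# Create the scope only if it is not already there (safe to re-run).
if (-not (Get-DhcpServerv4Scope -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name $ScopeName -StartRange $StartRange -EndRange $EndRange `
        -SubnetMask $SubnetMask -State Active -LeaseDuration (New-TimeSpan -Hours 8)
}

# Design choice for this example: never lease the relay address itself to a client.
if (Test-IPv4InRange -Address $Giaddr -First $StartRange -Last $EndRange) {
    Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $Giaddr -EndRange $Giaddr
}

# Tunnel clients get their DNS servers from the scope options.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DnsServers

# Once clients connect, confirm each active lease is inside the range the SSL VPN
# firewall policies reference; an address outside that range is dropped by policy.
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Where-Object { $_.AddressState -like 'Active*' } |
    ForEach-Object {
        $ip = "$($_.IPAddress)"
        $ok = Test-IPv4InRange -Address $ip -First $StartRange -Last $EndRange
        '{0,-16} {1,-20} inPolicyRange={2}' -f $ip, $_.ClientId, $ok
    }
```

Run it in an elevated PowerShell session on the DHCP server (the DhcpServer module ships with the DHCP Server role tools). The subnet check is the one that matters most before cutting over: if the giaddr and the scope disagree, the FortiGate relays requests correctly but the server silently has no scope to answer from.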
Hello @julianhaines ,
Your configuration steps seem correct.
For step 5, the command says "vpn ssl web-portal", but don't let this confuse you: this is actually required to configure the VPN in tunnel mode.
NSE 4-5-6-7 OT Sec - ENT FW
