Support Forum
nvelocity
New Contributor

restrict SSL VPN traffic to RDP

SSL VPN up and working great but I want to restrict the VPN traffic to RDP only to protect the internal network from issues with remote users. The native RDP client in SSL VPN doesn't work for our needs. Whenever I change the Service from anything but ANY there are issues with the SSL VPN tunnel. What am I missing? Thanks in advance.
nvelocity
New Contributor

I still have no solution. Any ideas from anyone why this doesn't work? SSL VPN is great but I don't need to open the entire LAN to remote users, just a single service. Advice appreciated!
rwpatterson
Valued Contributor III

In the advanced section of the User Group, choose an IP range that tunnel users will appear under. Then create a Policy -> Address Range that duplicates this, and use it in the corresponding Policy. This will restrict these users only to what the policy will allow. The tunnel range must consist of IP addresses that reside on the Fortinet interface, or it won't work.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
nvelocity

Thanks for the response, but this still isn't 100% clear to me. I have my SSL VPN rule in place WAN > Internal. Source - ALL, Dest - ALL, Service ANY. Altering that policy in any way breaks the SSL VPN. I have my SSL VPN IP Range address group created. Do I create another WAN > Internal policy and specify the SSL VPN IPs as the source? Won't the other SSL VPN policy of ALL > ALL override that? All I want to do is restrict SSL VPN clients to RDP only.
rwpatterson
Valued Contributor III

The policy you have in place affects all traffic. If you wish to only affect SSL VPN traffic, you need a policy that starts with the same source IP range as the SSL VPN traffic. As the Fortigate reads through the policies, it will act on the first one that 'fits' the source, destination and service conditions. If this SSL VPN policy is on the top, then that's the one the SSL VPN users will hit.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Not applicable

Config FW rule for SSL-VPN to only allow RDP to an IP range. Regards, Eric
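The policy Bob describes, with the RDP-only restriction Eric names, written out as an added FortiOS CLI example that is not from this thread. It assumes a current FortiOS where tunnel-mode traffic enters on the ssl.root interface and the user group sslvpn_users is already mapped to the portal; the address range, object names, the internal interface name and the existing broad policy id 5 are placeholders.

```fortios
# Address object matching the tunnel pool handed to SSL VPN clients
# (constructed placeholder range)
config firewall address
    edit "SSLVPN_POOL"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    # Internal hosts remote users are allowed to reach over RDP (placeholder)
    edit "RDP_HOSTS"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Tunnel-mode clients draw their addresses from that same pool, so the
# source address in the policy below always matches them
config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_POOL"
    next
end

# Restrictive policy: tunnel pool -> LAN, RDP only, members of the VPN group,
# logged so the denied non-RDP attempts show up in the traffic log
config firewall policy
    edit 10
        set name "SSLVPN-RDP-only"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "RDP_HOSTS"
        set action accept
        set schedule "always"
        set service "RDP"
        set groups "sslvpn_users"
        set logtraffic all
    next
end

# First match wins: keep the narrow policy above the broad all/all policy
# (assumed here to be policy id 5); anything from the pool that is not RDP
# to RDP_HOSTS then falls through to the implicit deny
config firewall policy
    move 10 before 5
end
```

Check the result with `diagnose firewall iprope lookup` or the policy list in the GUI: a tunnel client source with destination port 3389 should hit policy 10, while any other port from the same source should hit no accept policy.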