Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
adogra
New Contributor

Allow External web URL to be accessible for SSL VPN user.

Hi Guys,

Just wondering: if I want to allow an external web service hosted by a third-party vendor to be reached by SSL VPN users, what steps do I need to follow? That external web service URL is only accessible from our private company network, due to a binding to our external public-facing IP, which I guess was done by the vendor. But it needs to be accessible for our SSL VPN users as part of a test.

Firewall model: FortiGate 200D (Master), HA mode
Operation mode: NAT
Inspection mode: proxy-based
SSL VPN tunnel
Firmware: v5.4.3

Cheers!

Thanks

Atul

2 Solutions
MikePruett
Valued Contributor

You will want to disable split tunneling on the SSL VPN (make it so that all traffic, both interesting (internal network) and non-interesting (users' internet traffic), goes through your firewall via the SSL VPN) so that your users will show your organization's public IP when surfing the net and in turn will be allowed to access the vendor's site.


emnoc
Esteemed Contributor III

1: You need a firewall policy that allows the SSL VPN pool assignment and the services HTTP/HTTPS.

2: The source interface will be ssl.root (ssl.<vdomname>).

3: Use the CLI command diag debug flow to analyze, and you will see the problem(s).

4: Alternatively, you could define an explicit proxy and have the clients use it.

PCNSE
NSE
StrongSwan

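Putting the two accepted answers together as a FortiOS 5.4 CLI example. This is added here as an illustration and is not configuration posted in the thread; the interface name wan1, the portal name full-access, the address-pool name SSLVPN_TUNNEL_ADDR1 (the FortiOS default), the user group SSLVPN_Users and the vendor address 203.0.113.10 are placeholders to be replaced with the real values:

```fortios
# Full-tunnel portal: with split tunneling disabled the client sends all of
# its traffic into the tunnel, so the vendor sees the FortiGate's public IP
# (Mike's point). Portal and pool names are placeholders.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# Policy from the SSL VPN interface to the WAN for the pool addresses,
# limited to HTTP/HTTPS and source-NATed to the WAN IP (emnoc's points 1-2).
# Without this policy, or with NAT left disabled, tunnel traffic never
# reaches the vendor with an allowed source address. Names are placeholders.
config firewall policy
    edit 0
        set name "SSLVPN-to-Internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "SSLVPN_Users"
        set nat enable
    next
end

# Check (emnoc's point 3): trace the vendor address while a connected
# FortiClient user browses to the site. 203.0.113.10 is a placeholder.
diagnose debug flow filter daddr 203.0.113.10
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 20
```

In the trace output, a packet that is dropped by the forward policy check means no policy from ssl.root matched; a packet that is forwarded but with no route found points at the routing for the tunnel. Run diagnose debug reset when finished so the filter does not stay in place.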

5 REPLIES
adogra

Mike, thanks for the solution. But split tunneling is already off. FYI, there are a few SSL VPN portals and only the "full access" portal has split tunneling on. Solutions I tried: 1) I turned that off for a test but still no luck. Not sure how long I need to wait for reconnection to the SSL VPN after a change in the firewall tunneling mode?? 2) The URL's FQDN & IP were both added to addresses. Though, that external URL is accessible via RDP over SSL VPN. But it is not accessible directly from the client/laptop web browser that is connected through the FortiClient VPN client. Which certainly seems to be an issue with the SSL VPN policy or static routing. Thanks
adogra
New Contributor

Thanks guys. It's resolved now. The issue was with our SSL VPN IPv4 policy static routing, where it didn't have our WAN IP added.

Cheers