jacob_mmchan
New Contributor

SSL VPN clients to be connected by RDP

Hello Dears,

Is there a way for VPN users (connected in SSL VPN tunnel mode) to be connected to by RDP? (a reverse-access that we perform generally)

I have tried the settings below on a FortiGate running a 5.6 series version, but it still treats the connection as going to the internet (wan interface) under FortiView.

1) Add a static route for the VPN-assigned prefixes to the ssl interface

2) Create a new policy from source interface "internal" to destination interface "ssl" with NAT disabled, placing it first in the policy sequence

 

Thanks,

Jacob

ITadm
New Contributor II

First of all, is RDP connection enabled on the clients' computers? Can they ping each other (and is pinging enabled on the local firewalls)?

I'm not an expert, but I'm not sure about this static route. Can you track these packets in FortiView (source and destination interface)?

I'd suggest you start with pinging first.

Prab
New Contributor

If I understand correctly, you would like to connect to the SSL VPN client machines using RDP from a local network behind the FGT?

 

Yes, that can be done in the SSL Tunnel mode. I tested it in my lab on 5.6.3 FortiOS.

There are no special requirements for this, at least on the FGT.

You just need to add an IPv4 firewall policy with the destination interface set to the SSL VPN interface and the destination address set to the Source IP Pool you assigned in your SSL VPN Portal settings.

Also, make sure the route to the SSL VPN network is configured.

I just disabled the firewall on the SSL VPN client machine, just to be sure that Windows Firewall is not blocking something.

 

Thanks,

Prab
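
The route and policy described in the reply above, written out as FortiOS CLI with the rule narrowed to RDP and logged instead of permitting everything (an added example, not part of the original posts). The interface name ssl.root, the object and policy names, the admin host 192.168.1.50 and the client address 192.168.20.10 are assumptions; 192.168.20.0/24 is the tunnel pool Jacob gives in this thread.

```fortios
# Address object for the SSL VPN tunnel-mode pool (pool from the thread).
config firewall address
    edit "SSLVPN_TUNNEL_POOL"
        set subnet 192.168.20.0 255.255.255.0
    next
    # Assumed: the single internal host allowed to start RDP sessions.
    edit "RDP_ADMIN_HOST"
        set subnet 192.168.1.50 255.255.255.255
    next
end

# Route the pool to the SSL VPN tunnel interface (assumed name: ssl.root).
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "ssl.root"
    next
end

# internal -> SSL VPN clients: RDP only, from the admin host only, logged.
config firewall policy
    edit 0
        set name "internal-to-sslvpn-rdp"
        set srcintf "internal"
        set dstintf "ssl.root"
        set srcaddr "RDP_ADMIN_HOST"
        set dstaddr "SSLVPN_TUNNEL_POOL"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
    next
end

# Check which route a connected client's address resolves to. If the
# answer is the wan default route, the static route above is not active.
get router info routing-table details 192.168.20.10

# Watch the RDP session leave the unit; verbosity 4 prints the interface
# name per packet, so the egress should show ssl.root rather than wan.
diagnose sniffer packet any 'host 192.168.20.10 and port 3389' 4 10
```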

 

 

jacob_mmchan

Hi Prab,

 

Thanks for your reply. I just checked again the FortiGate unit I have on hand. It is an FWF-60E running FortiOS 5.4.5.

I have made the configuration below, but the connection record under FortiView shows it goes to wan (internet interface) instead of ssl (VPN interface).

1) Add static route 192.168.20.0/24 to the ssl interface (192.168.20.X is the IP assigned for SSL VPN tunnel mode)

2) Create a firewall policy with source interface internal and destination interface ssl, with permit everything and NAT disabled.

I am glad to know your result on FortiOS 5.6.3 works in this case, and I will check later on after upgrading the current software release.

 

 

 

 

Prab

Not sure if it could make a difference, fyi I tested on FGT-60E model.

 

In your policy, try enabling NAT and test again.

Is the SSL VPN working at all? Are the remote clients able to connect via SSL VPN and access the local network behind the FortiGate?

 

Thanks,

Prab

 
