Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
djg
New Contributor

SSL-VPN Realm - issue with setup...

We are trying to implement SSL-VPN Realms and are running into an issue.

 

When we try to create a new realm, the URL defaults to the inside interface. We have tried to find a way to manually change the URL to use the correct interface, which is actually the DMZ interface (that interface is the connection to the outside, we are behind another firewall).

 

[ul]
  • We have SSL-VPN Web Portal working fine. We are able to access and use the portal fine. We are just having issues with implementing realms.
  • The DMZ-interface is defined in the SSL-VPN settings as the interface to listen on, and again, it is working fine.
  • The issue is when we create a new realm, it listens on the inside interface.[/ul]

    We have searched in both the GUI and CLI and it does not seem there is a way to manually define the complete URL. Also, we are unable to locate anywhere to manually set the interface that the SSL-VPN Realm uses. We are unable to determine why it is defaulting to the inside interface even though in the SSL-VPN settings it is listening on the DMZ-interface.

     

    We also created a ticket with Fortinet and hope they will have an answer. Just thought we would reach out to the forum to see if anyone else has run across this issue and found a solution. If we resolve the issue with Fortinet, we will post the fix here.

     

    THANKS!

  • 7 REPLIES 7
    djg
    New Contributor

    We were able to resolve the issue by deleting and recreating the realms and recreating the Authentication/Portal mappings under SSL-VPN settings.

    Toshi_Esumi
    Esteemed Contributor III

    Sounds like a bug but what's the model and os version?

    emnoc
    Esteemed Contributor III

    I don't think this is a bug btw, how did you set the realm ? And do  you have any auth-rules ? 

     

    PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    djg
    New Contributor

     I should have been more clear in my previous posts, sorry.

     

    We had an SSL-VPN setup with a realm for mobile client users setup and working. On Friday, it just stopped working.

     

    Specifically, IOS devices were unable to connect via the Forticlient using the realm set for tunnel mode. Android Forticlient users were still working on that realm and so were the SSL-VPN Web users that connected via browser. After a reboot of the firewalls, no mobile client users were able to connect but the SSL-VPN Web users still working fine.

    While troubleshooting the issue, we noticed that the link shown for the URL was referencing the inside interface. We had mistakenly thought this was specifying the actual URL users were supposed to use to connect, but it turned out to be just an example URL. This is why the post referenced manually setting the interface for the URL.

     

    We later determined the example URL was based on the interface you logged into the firewall on:

     

                           

     

    And confirmed by accessing from a different interface:

     

     

    We confused the example URL as an informative section like the SSL-VPN port listened on set under the SSL-VPN settings page:

     

     

     

    As part of our troubleshooting process we deleted/recreated the SSL-VPN realms and deleted/ recreated the users/groups under Authentication/Portal Mapping on the SSL-VPN Settings page. We had not noticed this had resolved the issue as we were focused on the non-issue of the example URL.

     

    I hope this clears up any confusion.

    Edwin1
    New Contributor

    Thanks DJG,  3

     

    i had the same issue

    djg

    Model: FortiGate 500D

    FW Version: v5.4.4,build1117 (GA)

    emnoc
    Esteemed Contributor III

    I'll test it  for you later tonight. What interfaces do you have    SSLvpn enabled on?  ( i'm assuming more than one )

     

    Ken

     

    PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    Labels
    Top Kudoed Authors