DNS for SSL VPN Web Mode

kulas · ‎09-17-2018

Hi Experts,

We have a Fortigate with VDOMs enabled and configured SSL VPN (Tunnel and Web Mode) on one of that VDOMs. On the SSL VPN Web Mode, bookmarks were configured to access servers using URL instead of IP address. My question is that where does the SSL VPN (Web Mode) look for URL to IP address resolution? Which DNS setting does it use? I have read that it uses the DNS configured on GLOBAL settings. If it does, is the dns server1 and dns server2 not being used for url to ip address resolution on SSL VPN Web mode?

config vpn ssl web portal

edit "Server" set tunnel-mode enable set web-mode enable set ip-pools "SSL_VPN_ADDR2" set split-tunneling disable set dns-server1 X.X.X.X set dns-server2 Y.Y.Y.Y config bookmark-group edit "gui-bookmarks" config bookmarks edit "Test_Server" set description "Test_Server" set url "http://testserver.companyname.com" next end next end set heading "Test_Server" next end

Hope someone could help me on this.

Best Regards,

Kulas

kulas · ‎09-17-2018

Hope someone could explain me on this :(

Regards,

Kulas

Ashik_Sheik · ‎09-17-2018

Hi,

The setting of the DNS suffix can be useful when it is required to resolve server names without typing the entire domain name when connected in VPN IPsec or VPN SSL.

For SSL VPN:
# config vpn ssl settings # set dns-suffix example.com example.org # end
The FortiGate unit should be configured with your internal DNS servers which have host names for address "domain.com" and then verified by pinging the host name from FortiGate unit CLI;
config system dns set primary 192.168.1.1 }--------- Internal DNS set secondary 4.2.2.2 set domain "domain.com" end FGT# exe ping domain.com

Ashu

sw2090 · ‎09-17-2018

You could also use FortiGate's own capabilities and use the FGT internal DNS instead of plain forwarding. Then you could create a zone on your FGT that knows your server dns names and voila the urls should work over the vpn.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

kulas · ‎09-17-2018

Thank you on this but I think I could not recommend it to our client. They just need to use their internal DNS server on every point in their network for IP resolution. I am just confused on what DNS setting of the FortiGate is being used by SSL VPN users (Web Mode). Is it the DNS configured on Global VDOM or the DNS configured on the SSL VPN setting.

Regards,

Kulas

kulas · ‎09-17-2018

Hi

kulas · ‎09-17-2018

Hi Ashu,

Thank you for this and I will try it once I get to work with the appliance tomorrow. Anyway, does it mean that the DNS used by SSL VPN was the one configured on the SSL VPN configuration and not on the Global Settings? The FG I was working on is running with VDOMs I think I couldn't change the system DNS since it is configured on GLOBAL VDOM.

Regards

Kulas

Ashik_Sheik · ‎09-18-2018

Hi ,

You can use internal DNS for SSL and one of the ISP DNS and One of the Internal DNS can be configured as system DNS .

Ashu

Prab · ‎09-18-2018

kulas wrote:
Hi Experts,

We have a Fortigate with VDOMs enabled and configured SSL VPN (Tunnel and Web Mode) on one of that VDOMs. On the SSL VPN Web Mode, bookmarks were configured to access servers using URL instead of IP address. My question is that where does the SSL VPN (Web Mode) look for URL to IP address resolution? Which DNS setting does it use? I have read that it uses the DNS configured on GLOBAL settings. If it does, is the dns server1 and dns server2 not being used for url to ip address resolution on SSL VPN Web mode?

config vpn ssl web portal
edit "Server" set tunnel-mode enable set web-mode enable set ip-pools "SSL_VPN_ADDR2" set split-tunneling disable set dns-server1 X.X.X.X set dns-server2 Y.Y.Y.Y config bookmark-group edit "gui-bookmarks" config bookmarks edit "Test_Server" set description "Test_Server" set url "http://testserver.companyname.com" next end next end set heading "Test_Server" next end

Hope someone could help me on this.

Best Regards,
Kulas

FortiOS 5.6.4

I have a bookmark in SSL Web portal for an internal machine, I am using FQDN (eg: myserver.domain.local) instead of IP address & it is working fine for me.

First of all you should try if the FGT can even resolve the internal domain?

From the CLI try executing the ping command to see if the FGT resolves the internal domain at all:

#execute ping myserver.domain.local

If the FGT can resolve the name, then the bookmark will also work. I did not mention any DNS server under the config vpn ssl web portal section! Normally you do not need it. You only need to specify in case you want to override the FGTs internal DNS configuraton.

Also, in the SSL VPN Web mode, the FQDN-bookmarks are resolved by FGT & not the client. Client will use the FGT as a proxy to access the bookmark resources.

Sidenote:

I have FGT configured as a slave DNS server for my internal domain. Ref: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-networking-54/DNS%20Services/DNS%20Se...

This means:

FGT will use my internal network DNS server to resolve the domain.local & will use the FortiGuard DNS servers for all other domains (eg: x.com, y.x.com, anything.org etc.)

In FortiOS 6.0 you could try the Split-DNS feature ;)

Hope it helps!

Regards,

Prab :)