rookfive
New Contributor

Tunnel User TO Tunnel User Connectivity

Hi All,

 

Please forgive me if this topic has been covered before. Either my lack of knowledge or my inability to use the right search keywords prevented me from finding it.

 

My question is this:

 

Is it possible for an SSL-VPN user connected via split tunneling to connect to another user using the same connection? An example of this would be:

 

User 1 is connected via vpn at home.

User 2 is connected via vpn at home.

User 2 calls User 1 and asks for remote assistance.

User 1 is willing, but the connection cannot be made.

 

Both remote users can successfully route to company resources and LAN workstations. LAN connected workstations can successfully connect to the remote users.

 

Here is a bit of info about our infrastructure and I've also attached a drawing to help clarify what is happening:

Firewall: Fortigate 300D

Network: AT&T MPLS / Cisco

 

Any help or insight that can be provided would be very much appreciated and earn my eternal gratitude.

 

Thanks,

 

Wayne M

1 Solution
lobstercreed
Valued Contributor

Hi Wayne,

 

This traffic can work, yes, but like any other traffic that flows through the firewall, you'll need a policy to allow it.  Create a policy with the source and destination interfaces both as the SSL-VPN tunnel interface (ssl.root), and use any appropriate source and destination address objects.  You will also need to specify users/groups in the source that will be allowed to initiate connections to other VPN users.

 

Thanks - Daniel
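The policy Daniel describes, written out as FortiOS CLI. This is an added example, not from the original post or from Fortinet; the object names (address SSLVPN_TUNNEL_ADDR1 for the tunnel IP pool, user group sslvpn-remote-support, portal full-access, address corp-lan) are assumptions and will differ in your config. Because both users are on split tunnels, the tunnel pool itself must also be in the split-tunnel routing list, or traffic to the other user's tunnel address never enters the tunnel in the first place.

```fortios
# Assumed: the SSL-VPN IP pool is the address object SSLVPN_TUNNEL_ADDR1
# and remote users land on the portal "full-access".
# Split tunnel: the tunnel pool must be routed through the tunnel,
# not only the corporate LAN, or user-to-user traffic goes out the
# user's local internet connection and is dropped.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "corp-lan" "SSLVPN_TUNNEL_ADDR1"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# Tunnel-to-tunnel policy: source and destination interface are both
# ssl.root. Only members of the assumed group sslvpn-remote-support may
# initiate connections to other VPN users; everyone else is still
# covered by the normal ssl.root -> LAN policies and cannot reach peers.
config firewall policy
    edit 0
        set name "sslvpn-user-to-user"
        set srcintf "ssl.root"
        set dstintf "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set schedule "always"
        # Narrow this to the remote-assistance service you actually use
        # (e.g. a custom service object) instead of ALL once it is known.
        set service "ALL"
        set groups "sslvpn-remote-support"
        set nat disable
        set logtraffic all
        set comments "Allow remote-support sessions between SSL-VPN users"
    next
end
```

Place this policy above any broader ssl.root deny rule, and confirm with the forward traffic log (policy id and user field) that the session is matching it rather than an implicit deny.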


rookfive

Hi Daniel,

 

Thank you for the informative post. I will create the policy with the users and report back if this resolves my issue.

 

Cheers,

Wayne

rookfive
New Contributor

Hi again!

 

I just wanted to follow up and let you know that the solution you provided worked like a charm. Our remote users can see each other now and it's happy times here at work.

 

Thanks again so much for your help.

 

Respectfully,

 

Wayne M.

lobstercreed

You're welcome, Wayne!  Thanks for taking the time to come back and give me credit for it.  :)

 

- Daniel

brianz
New Contributor

Thanks. The solution works!

All and all it's just another brick in the wall