ssl-vpn and interfaces

Author
jamesc
2019/07/16 05:34:28

I'm new to FortiGate
so
firewall fortigate vdom
 
int outside
int inside
int wifi
 
 
policy for ssl-vpn to inside set up
ssl-vpn set up and works outside to inside
listening on the outside interface
url used by forticlient resolves to public ip of the outside interface
 
all good
 
on the firewall I have another interface that wifi clients are on (for basic browsing etc.)
I was hoping the ssl-vpn client would work if they ever needed to connect to the inside for any reason
given the forticlient would resolve to the public ip of the outside interface I thought it would be ok
but it's not, it won't connect.
I'm new to any diag cli commands so don't know them all; any tips appreciated
the forticlient gets to 10% and stops for clients on the wifi interface
 
Am I missing anything obvious?
A policy or something?
 
thanks
 
#1
hubertzw
Re: ssl-vpn and interfaces 2019/07/16 13:28:28 (permalink)
If I understand correctly, you have sslvpn on the outside interface and you would like to have the same for wifi users. You can add the 'wifi' interface in 'SSL VPN settings' in the section 'listen on port'. I have never used 2 sslvpn ports but I think it should work.
#2
jamesc
Re: ssl-vpn and interfaces 2019/07/18 02:16:01 (permalink)
I'd like users on the wifi interface to be able to use the ssl vpn
 
In the forticlient we pushed out via gpo and reg settings, the remote gateway is a url that is resolved to the ip of the outside interface
so this is the one listening; the clients on the wifi interface will resolve to the outside interface, which is listening
 
I can't see why adding the wifi interface to listen will have the desired effect, but I have tried it, with no success.
 
I would like to avoid users having to change the gateway url or ip and just leave it as the default outside interface one
 
so I can't see this working unless the users change the gateway, which I don't want them to have to do.
 
but is that the only way?
 
do you agree?
 
 
#3
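The listening-interface change suggested in #2, written out as FortiOS CLI together with the sniffer and debug commands that show where a wifi client's connection stops. This is an added example, not from either poster; the interface names `outside` and `wifi` come from the thread, while `<vdom-name>`, `<outside-public-ip>`, `<wifi-client-ip>` and `<sslvpn-port>` are placeholders to fill in.

```fortios
# Enter the VDOM that owns the interfaces (placeholder name).
config vdom
    edit <vdom-name>

# Make the SSL-VPN daemon listen on both interfaces.
config vpn ssl settings
    set source-interface "outside" "wifi"
end

# 1. Do the wifi client's packets to the outside IP reach the FortiGate,
#    and on which interface? Verbosity 4 prints the interface name.
diagnose sniffer packet any 'host <outside-public-ip> and tcp port <sslvpn-port>' 4

# 2. Trace how the firewall handles those packets (accepted, dropped,
#    or no matching policy).
diagnose debug flow filter clear
diagnose debug flow filter addr <wifi-client-ip>
diagnose debug flow filter port <sslvpn-port>
diagnose debug flow show function-name enable
diagnose debug flow trace start 20

# 3. Watch the SSL-VPN daemon while FortiClient connects; no output at all
#    means the connection never reached the daemon.
diagnose debug application sslvpn -1
diagnose debug enable

# ... reproduce the FortiClient attempt from a wifi client, then stop:
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

If the sniffer shows the SYN arriving on `wifi` but the sslvpn debug stays silent, the flow trace output is the place to read why the session was not handed to the daemon.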