SSL-VPN - Can we do this?

Author
jayuk76
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/05/20 08:36:27
  • Status: offline
2020/05/20 08:39:22 (permalink)
0

SSL-VPN - Can we do this?

Hi
 
We are using the SSL VPN in split tunnel mode.
 
So when we are connected, all web traffic goes out locally and company traffic goes through the tunnel.
 
But we want to allow a handful of websites (URLs) to go through the VPN as they are whitelisted.
 
If we could do it based on groups, even better, but not essential. We do use LDAP integration.
 
What is the easiest way to do this?
 
Any help is greatly appreciated.
 
Jay
#1

7 Replies

    Toshi Esumi
    Expert Member
    • Total Posts : 2087
    • Scores: 190
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: SSL-VPN - Can we do this? 2020/05/20 10:49:50 (permalink)
    0
    We had the same request from one of our customers. But we found out FQDN addresses are not configurable for the split tunnel. If you know the IP of the FQDN (host name part of the URL) doesn't change, you can add them to the routing-address at the portal, which we did.
    I think the reason FQDN is not allowed is because once the split tunnel is set up when the client connects, it can't be changed while the tunnel is up, even when the address changes dynamically.
    #2
    Markus
    Platinum Member
    • Total Posts : 228
    • Scores: 36
    • Reward points: 0
    • Joined: 2015/03/19 07:30:23
    • Location: Switzerland
    • Status: offline
    Re: SSL-VPN - Can we do this? 2020/05/20 15:37:29 (permalink)
    0
    For selective tunnel check https://forum.fortinet.com/tm.aspx?tree=true&m=186157&mpage=1
    @Toshi with 6.0.9 I was able to route FQDN to split tunnel.
    Best
    post edited by Markus - 2020/05/20 15:47:46
    #3
    emnoc
    Expert Member
    • Total Posts : 5622
    • Scores: 357
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: SSL-VPN - Can we do this? 2020/05/21 07:14:51 (permalink)
    0
    I highly doubt you could do that without selectively pushing routes in the split-tunnel, but you could enable explicit proxy and set the machines to use the FortiGate as a proxy. Why do you want split-tunnel and then route whitelisted URLs thru the firewall? I don't see the logic in that request.
     
    If your concern is web-filter for the end-users, deploying a full FortiClient and controlling the end-point would be better regardless of whether he/she is on the VPN or not, IMHO. Here you can use the FC off-net with all of the filter options with EMS endpoints.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #4
    Toshi Esumi
    Expert Member
    • Total Posts : 2087
    • Scores: 190
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: SSL-VPN - Can we do this? 2020/05/21 20:37:42 (permalink)
    0
    For our customer's case, they had to use one NAT source IP for all users to access some specific Internet services/applications wherever each user might be located.
    #5
    Toshi Esumi
    Expert Member
    • Total Posts : 2087
    • Scores: 190
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: SSL-VPN - Can we do this? 2020/05/22 10:58:33 (permalink)
    0
    I was wrong. I just saw in another thread how to do this in GUI. I haven't tested it myself yet but since it's in KB, it should work.
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD46248
    Basically, don't configure anything at portal, but configure all addresses including FQDN ones in the policy.
    #6
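    To make the two approaches discussed in this thread concrete, here is an added FortiOS CLI example (it is not from the thread, from Fortinet, or from the linked KB article). It follows the policy-based method Toshi describes in #6: the portal has split tunnelling enabled but no routing-address list, so the routes pushed to the client are taken from the destination addresses of the SSL-VPN firewall policies, FQDN objects included. The older portal-level method from #2 is shown in a comment. All object names, interface names, the FQDN, the IP pool and the LDAP server and group DN are assumptions; adjust them to your environment.

```fortios
# Added example, not from the thread or the KB article.
# Names, interfaces, the FQDN and the LDAP DN are assumptions.

# 1. Address objects: the allowlisted site as an FQDN object, plus the
#    internal range that must also go through the tunnel.
config firewall address
    edit "allowlisted-site"
        set type fqdn
        set fqdn "portal.example.com"
    next
    edit "corp-lan"
        set type ipmask
        set subnet 10.10.0.0 255.255.0.0
    next
end

# 2. LDAP-backed user group (the original post mentions LDAP integration).
#    "ldap-corp" is an existing LDAP server object (assumed).
config user group
    edit "vpn-allowlist-users"
        set member "ldap-corp"
        config match
            edit 1
                set server-name "ldap-corp"
                set group-name "CN=VPN-Allowlist,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# 3. Portal: split tunnelling on, but no routing-address list. With the
#    list empty, the routes pushed to the client come from the destination
#    addresses of the SSL-VPN policies below (the KB approach from #6).
#    The portal-level method from #2 would instead be:
#        set split-tunneling-routing-address "corp-lan" "allowlisted-site"
config vpn ssl web portal
    edit "split-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 4. Map the LDAP group to that portal.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn-allowlist-users"
            set portal "split-tunnel-portal"
        next
    end
end

# 5. Policies: each destination listed here becomes a pushed route.
#    The allowlisted-site policy NATs to the WAN address, so the remote
#    site sees the company public IP (the reason for the request).
config firewall policy
    edit 0
        set name "sslvpn-to-corp"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "corp-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpn-allowlist-users"
    next
    edit 0
        set name "sslvpn-to-allowlisted-site"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "allowlisted-site"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set groups "vpn-allowlist-users"
        set nat enable
    next
end
```

    Two checks worth doing after a client connects. First, look at the client's routing table and confirm that the address the FQDN resolved to is routed via the VPN adapter; the FortiGate resolves the name and pushes the resulting prefixes at connection time, so (as Toshi reasons in #2) a later DNS change is not picked up until the client reconnects. Second, make sure the client and the FortiGate resolve the name to the same address: if the site uses geo- or CDN-based DNS and the client's local resolver returns a different IP, that traffic will not match the pushed route, will leave through the local Internet connection, and will be rejected by the remote site's source-IP allowlist.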
    jayuk76
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/05/20 08:36:27
    • Status: offline
    Re: SSL-VPN - Can we do this? 2020/05/22 12:46:47 (permalink)
    0
    The requirement is because we have a whitelisted URL that only accepts requests from our company public IP.
    #7
    jayuk76
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/05/20 08:36:27
    • Status: offline
    Re: SSL-VPN - Can we do this? 2020/05/22 12:47:45 (permalink)
    0
    That's brilliant - I'll give it a go and feedback here.
    #8