VPN Remote Access with different access - DNS problem

Author: puzzopi (New Member)
2021/01/08 00:47:29


Hi,
I have a problem with dns resolution for vpn remote client.
Fortigate 900D, 6.2.6.
Forticlient version: 6.4.1.
Ex.: I have server A, server B and DNS server
I give different access to different people to have more security.
Peter can access only to A.
Frank can access only to B.
Paul can access all servers.
 
Paul can resolve name to IP, Peter and Frank cannot resolve.
If I add to Peter's and Frank's profile also the DNS server, they too can resolve.
But I wish Peter and Frank not to see the DNS server.
 
In the SSL-VPN Settings on the web interface of the firewall I insert the DNS server under: Tunnel Mode Client Settings.
 
Thanks in advance.
#1


    rwpatterson (Expert Member, Long Island, New York, USA)
    Re: VPN Remote Access with different access - DNS problem 2021/01/08 05:39:22
    Sorry, but I don't understand. You want them to resolve but not 'see' the DNS server. What do you mean by not see?

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com


    -5.0.14-b0323
    FWF81CM (1)
     
    -4.3.19-b0694
    FWF80CM (2)
    FWF81CM (2)
     
    #2
    puzzopi (New Member)
    Re: VPN Remote Access with different access - DNS problem 2021/01/08 06:12:21
    I mean that I don't want them to know it exists.
    The DNS server is also the Domain Controller...It could happen that it could also be the file server...
     
    OK, Peter and Frank (external techs) don't have passwords to access the DNS/file server...
    but I would like that with an IP scan, outsiders can only see the hosts that I have decided for them.
    Is it possible to give external techs on the VPN access only to the hosts I have decided on, and also to the DNS server but only on port 53?
    Thanks
    #3
    rwpatterson (Expert Member, Long Island, New York, USA)
    Re: VPN Remote Access with different access - DNS problem 2021/01/08 07:09:07
    If you only permit port 53 for these guys, that's the only way they can touch that server. They can't PING, HTTP, samba, or anything else. Just get DNS queries if that is the only thing you permit in the policy.

    #4
    puzzopi (New Member)
    Re: VPN Remote Access with different access - DNS problem 2021/01/15 01:49:55
    OK,
    how should I do it?
    Is there a smart way? I have 4 different policies to give VPN access to different people.
     
    Do I add another IPv4 policy per VPN access that gives access to the DNS server with the DNS service?
    I tried to create a new service that gives access to the DNS server on port 53 but it doesn't work.
     
    Thanks
    #5
    ede_pfau (Expert Member, Heidelberg, Germany)
    Re: VPN Remote Access with different access - DNS problem 2021/01/16 03:25:16
    A smart way to solve this would be to use the Fortigate's capability to serve DNS / DNS relay on any interface for these users. If done correctly, you could allow access to the FGT's internal address for DNS, create a DNS on that, and have it query the DC. Along these lines...
    Added benefit: the FGT caches DNS requests and serves them really quick.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #6
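As an added example (not configuration posted by anyone in this thread), here is the FortiOS CLI shape of both suggestions: the port-53-only policy from the earlier replies and the FortiGate DNS forwarder from the last one. The interface, group and object names ("ssl.root", "internal", "external-tech", "DNS_SERVER") and the 192.0.2.x addresses are assumptions, as is the use of a normal forward policy with dstintf "internal" for the variant where the FortiGate's own address is the destination.

```fortios
# Added example, not from any post in this thread. Names and the
# 192.0.2.x addresses are placeholders; adapt to your objects.

# 1) Address object for the DC that also runs DNS.
config firewall address
    edit "DNS_SERVER"
        set subnet 192.0.2.10 255.255.255.255
    next
end

# 2) Port-53-only policy for the external techs. The built-in "DNS"
#    service is TCP+UDP 53, so ping, SMB, RDP etc. towards the DC match
#    no accept policy and are dropped. The existing per-user policies
#    that permit server A or server B stay exactly as they are.
config firewall policy
    edit 0
        set name "sslvpn-externaltech-dns53"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "DNS_SERVER"
        set groups "external-tech"
        set action accept
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
end

# 3) Variant from the last reply: the FortiGate answers DNS on its
#    internal address (192.0.2.1 here) and forwards to the DC, so tunnel
#    clients get the FortiGate as DNS server and the policy above can
#    point its dstaddr at an object for 192.0.2.1 instead of the DC.
config system dns
    set primary 192.0.2.10
end
config system dns-server
    edit "internal"
        set mode forward-only
    next
end
config vpn ssl settings
    set dns-server1 192.0.2.1
end
# With split tunnelling, 192.0.2.10 (or 192.0.2.1) must also be in the
# portal's split-tunnel routing addresses; otherwise the client never
# sends port-53 traffic into the tunnel and resolution fails regardless
# of the policy.
```

Check the result from a tunnel client with a name lookup against the DNS address and a connection attempt on another port to the same host; only the lookup should succeed, and the accepted and denied sessions show up in the forward traffic log.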