Asked by J Z (Belgium):
Fortigate SSL-VPN Split Tunneling question

Hi,

We have an externally hosted webserver for which we want to limit access to certain services (ports) to a limited set of IP addresses. One of them is our office's WAN range. While working at the office this won't pose any problems.

The issue is when a user works from home: we want them to be able to start the FortiClient, which will set up an SSL-VPN tunnel to the office LAN, and configure it in such a way that it intercepts traffic to server A (which is outside of our LAN) and sends it over the SSL-VPN tunnel. That way the external webserver thinks the traffic is coming from our company's WAN address and the protected services will be accessible.

The SSL-VPN is set up in split tunneling mode and when I add the external webserver the user's local route-table is updated with an additional route that sends the traffic to the ssl-vpn interface. But the traffic is not routable (tracert fails).

Does anyone know (1) whether this is possible and (2) how to do it?

Thanks!
Garry Glendown (Germany):

When adding to the Firewall ssl.root policies, adding single VIPs should result in the appropriate host routes to be added to the split tunneling routes installed at the client. Make sure you do not add the whole outside range, as this might interfere with the client being able to communicate with the firewall for the VPN tunnel itself ...
J Z (asker):

That's what I tried. I added the IP address of the external server to a policy the way you describe it. I see it showing up in the routing table of the machine that is setting up the SSL-VPN. The entry's gateway is set correctly (= internal IP of the SSL-VPN on the FortiGate). Also, when I do a tracert I see that the first hop is the correct IP (towards the SSL-VPN gateway). But after the first hop the packet gets lost.

That's why I'm wondering: does it need any additional routing or something else?

In the first place: Are you sure it is possible to add an external address and make the device send that traffic outside to the server with originating IP the WAN interface?
ASKER CERTIFIED SOLUTION
Garry Glendown (Germany):

This solution is only available to members.
J Z (asker):
It worked the way you suggested. I had the wrong outgoing interface configured. Thank you so much!!
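The configuration the thread converges on (Garry Glendown's advice to add the external host as a single /32 destination in a policy from ssl.root, plus the asker's closing remark that the outgoing interface had been wrong) is shown below as an added FortiOS CLI example. It is not configuration posted by either participant. The address 203.0.113.10, the interface name wan1, the group sslvpn-users, the portal name and the service HTTPS are all assumptions chosen for illustration; substitute your own.

```fortios
# Added example, not from the original thread. Assumed values:
# external webserver 203.0.113.10, Internet-facing interface "wan1",
# SSL-VPN user group "sslvpn-users", portal "full-access".

# 1. A /32 address object for the external host. Do NOT use the whole
#    outside range here: the client would then also route its own
#    SSL-VPN packets (destined for the FortiGate's WAN address) into
#    the tunnel and the tunnel would collapse.
config firewall address
    edit "ext-webserver"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# 2. Split tunneling on the portal. In FortiOS releases that have the
#    explicit routing-address list, add the same object there; in
#    older releases the client's split-tunnel routes are derived from
#    the destination addresses of the ssl.root policies in step 3.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "ext-webserver"
    next
end

# 3. The policy that actually carries the traffic. The destination
#    interface must be the Internet-facing interface: with dstintf set
#    to the inside interface the route is pushed to the client (first
#    hop works) but the FortiGate has no path onward, which matches the
#    "packet gets lost after the first hop" symptom in the question.
#    NAT makes the packets leave with the wan1 address, which is the
#    source IP the external webserver's allow-list expects.
config firewall policy
    edit 0
        set name "sslvpn-to-ext-webserver"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "ext-webserver"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set groups "sslvpn-users"
        set nat enable
    next
end
```

After reconnecting the client, the workstation's route table should show a host route for 203.0.113.10 via the SSL-VPN virtual adapter, a tracert to the host should complete instead of dying after the FortiGate hop, and the external server should log the FortiGate's wan1 address rather than the user's home IP. Keep the service list on the policy limited to the ports the external host actually protects; the tunnel is only meant to hairpin that traffic, not to become a general egress for the client.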