Please, if I configured SSL VPN through the web portal on FortiGate and I want to connect from a remote place to access internal resources through RDP, what would be my source address, and in the policy from SSL to LAN, what source IP should I allow?
Web-mode connections are not assigned a tunnel IP, so the source-address in the SSLVPN policy is irrelevant for web-mode.
On the wire, the source IP will be the IP of the egress interface used by the FGT to reach the RDP destination.
Well, I just figured it out, the web mode has no use. I’m setting up two portals in separate VDOMs, but in web mode it would just use the main IP address of the root VDOM.
You mean that the source IP will be the public one used by the remote user? If this is true, is there any action I should follow to change the source and make the FortiGate IP the source IP?
The source IP in web mode will be an IP address of the FortiGate. I believe it will choose the best FGT interface IP to use based on the routing table.
If you’re worried about creating a policy, as long as the source interface is your SSL VPN interface (ssl.root), just set the source IP address as “all” along with a user group, like /u/Golle mentioned.
For example, here is me connecting from SSL VPN web portal to a web server at 172.16.109.20:
# diagnose sniffer packet any "host 172.16.109.20 and port 80" 4
interfaces=[any]
filters=[host 172.16.109.20 and port 80]
6.746654 port17 out 172.17.254.137.22592 -> 172.16.109.20.80: psh 1462668446 ack 3981327442
6.796612 port17 in 172.16.109.20.80 -> 172.17.254.137.22592: psh 3981327442 ack 1462668984
You can see that the source IP is 172.17.254.137. This IP address is assigned to the port17 interface of the FortiGate; it’s an inter-fw trunk. You don’t have to worry about user public IPs in your policies.
The policy to allow this connection is “all” for IP address and a user group.
Create an IP pool and NAT using that to the LAN; make it the same range as the SSL VPN IP range (i.e. if SSL uses 10.200.10.10-150, make the IP pool 10.200.10.254 or something). Source the rule as SSL interface to LAN and NAT using the pool.
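As an added example (not posted by anyone in this thread and not taken from Fortinet documentation), here is what the two pieces of advice above look like in FortiOS CLI: the web-mode policy from ssl.root with source “all” gated by a user group, and the IP pool variant from the last reply that pins the source address the LAN sees to one FortiGate-owned IP. The interface name port17 and the server subnet come from the sniffer output above; the address object names, the group name sslvpn-users, the pool name, and the 10.200.10.x range are assumptions you would replace with your own.

```fortios
# Destination object for the RDP hosts (name and subnet are assumptions)
config firewall address
    edit "lan-rdp-hosts"
        set subnet 172.16.109.0 255.255.255.0
    next
end

# Web-mode policy: the user group, not a source IP, is the access control.
# srcaddr "all" is safe here because the portal connection arrives on
# ssl.root and is already authenticated.
config firewall policy
    edit 0
        set name "sslvpn-web-to-lan-rdp"
        set srcintf "ssl.root"
        set dstintf "port17"
        set srcaddr "all"
        set dstaddr "lan-rdp-hosts"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
    next
end

# IP pool variant (assumed range 10.200.10.10-150 for the tunnel clients,
# single overload address 10.200.10.254 for source NAT toward the LAN)
config firewall address
    edit "sslvpn-tunnel-range"
        set type iprange
        set start-ip 10.200.10.10
        set end-ip 10.200.10.150
    next
end

config firewall ippool
    edit "sslvpn-snat-pool"
        set type overload
        set startip 10.200.10.254
        set endip 10.200.10.254
    next
end

config firewall policy
    edit 0
        set name "sslvpn-tunnel-to-lan-rdp-snat"
        set srcintf "ssl.root"
        set dstintf "port17"
        set srcaddr "sslvpn-tunnel-range"
        set dstaddr "lan-rdp-hosts"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "sslvpn-snat-pool"
    next
end
```

Keeping the service restricted to RDP and logtraffic set to all means the RDP servers’ own logs and the FortiGate policy log agree on a single, predictable source address, which makes it straightforward to trace a given RDP session back to the authenticated VPN user.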