This article describes how to configure FortiGSLB Cloud for SSL VPN users' traffic. FortiGSLB Cloud is Fortinet's Global Server Load Balancing solution.
Solution
Scenario (the setup considered):
Multiple FortiGates are placed at different locations: India, the USA, and England.
For remote clients who want to connect to the company HQ (India) via VPN, FortiGSLB lets clients connect automatically to the FortiGate VPN server that is geographically closest to their current location.
The choice can also take FortiGate VPN server availability into account. When a VPN server is down, FortiGSLB redirects users to the next available FortiGate VPN server in another location (USA/England).
Architecture
Example:
- The customer is in England and connects via FortiClient or the web client (GUI) login to access internal servers from outside the office.
- During the connection, the traffic goes to GSLB via vpn.testwebsite.com on port 10443.
- Since the user sits in Birmingham, FortiGSLB connects the user to the England firewall, which is the nearest hop for VPN termination.
- If the England firewall is not available, the user's traffic is redirected to the next nearest location, i.e. the USA in this case.
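The selection behaviour described above (nearest healthy site first, then failover to the next nearest) can be modelled in a few lines. The following is an added illustration, not FortiGSLB's own code or algorithm: the site coordinates, the documentation-range VIP addresses and the health-check results are all constructed for the example, and the ranking uses plain great-circle distance.

```python
import math

# Constructed, illustrative data centre coordinates (lat, lon) and VPN public IPs
# for the three sites in the article. The real FortiGate locations and IPs are
# not on the page; the IPs below are documentation-range placeholders.
SITES = {
    "India":   {"coords": (19.07, 72.87),  "vips": ["203.0.113.10"]},
    "USA":     {"coords": (39.04, -77.49), "vips": ["198.51.100.10", "198.51.100.11"]},
    "England": {"coords": (51.51, -0.13),  "vips": ["192.0.2.10"]},
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def rank_sites(client_coords, sites=SITES):
    """Site names ordered nearest-first by distance from the client."""
    return sorted(sites, key=lambda name: haversine_km(client_coords, sites[name]["coords"]))


def resolve_vpn(client_coords, healthy, sites=SITES):
    """Return (chosen site, its VIP list): the nearest site whose health check passes.

    `healthy` maps site name -> bool, standing in for the GSLB health monitor result.
    Returns (None, []) when every site is down, i.e. the name should not resolve
    to any VPN server rather than to a dead one."""
    for name in rank_sites(client_coords, sites):
        if healthy.get(name, False):
            return name, list(sites[name]["vips"])
    return None, []


if __name__ == "__main__":
    birmingham = (52.48, -1.89)  # the client location used in the article's example
    print(resolve_vpn(birmingham, {"India": True, "USA": True, "England": True}))
    print(resolve_vpn(birmingham, {"India": True, "USA": True, "England": False}))
```

With all sites healthy a Birmingham client is answered with the England VIP; with England marked down the answer moves to the USA site, which is nearer to Birmingham than India, matching the sequence in the example above.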
Step 1: Navigate to the URL for FortiGSLB Cloud: https://www.fortigslb.com/#/login
Step 2: Ask Fortinet Sales Team to provide a demo license.
Step 3: Select the Primary/Main account to log in.
Step 4: Select the Create an Organization option and follow the steps.
Step 5: Choose the newly created organization and select Open.
Step 6: The license can be checked by going to the left section and selecting the Contact & License page.
Step 7: Back in the left section, select the GSLB Services option to create the SSL VPN GSLB Service.
Step 8: Create two services that will cater to the same type of requests, i.e. SSL VPN.
- ssl_vpn-fqdn = https://www.vpn.testwebsite.com
- ssl_vpn-fqdn_service = https://vpn.testwebsite.com
The configuration below shows a snapshot of the configuration for ssl_vpn-fqdn; the same configuration is needed for ssl_vpn-fqdn_service, the only difference being host = '*' in that case.
Step 9: Click on the Create FQDN button.
Step 10: Enter the following details to connect to FortiGate over SSL VPN:
- Name
- Hostname (one with 'www' and the other FQDN service with '*'), because users can type
- Domain Name (followed by '.')
Step 11: Click on the Save button.
Step 12: Click on the Add Member button, and the option to Create Member will be available.
Step 13: Create a Pool inside the member.
Step 14: Add a Virtual Server Member under the Pool.
Step 15: Create a Connector and select the Generic-Host option as the Type for FortiGate VPN.
Step 16: Create a Virtual Server. Add the FortiGate public IP on which SSL VPN currently terminates, whether via the web-based portal or via FortiClient.
Note: Multiple public IPs can be entered here for the same location.
Step 17: For Data Centre, select the location where this FortiGate is situated. Perform the same steps for all the Pools and Virtual Servers created for the FortiGates in the other locations.
Step 18: Check the overall Status on the dashboard (first tab in the left pane).
Add a DNS Service in order to use the GSLB services that were created
Step 19: Go to the left pane and select the DNS Services tab.
Step 20: Click the Create New button on the right.
Step 21: Enter the following details:
- Name: any name
- Type: Primary
- Domain Name: must match the domain name given when the GSLB service was created
- Responsible mail: any admin or similar mailbox
- Primary Server Name: any of the offered name servers, e.g. ns-9 or ns-2 (choose as per availability)
- Primary Server Address: the IP shown at the bottom of the left pane (GSLB IP)
Step 22: After saving, the records below should be created automatically (they are derived from the same domain name provided in GSLB Services).
Testing whether GSLB resolves IPs according to geolocation
Step 23: Open the command prompt window (cmd).
Step 24: Enter the following commands, pressing Enter after each line:
nslookup vpn.testwebsite.com
nslookup -q=NS vpn.testwebsite.com
Note: vpn.testwebsite.com is the SSL VPN domain in use and is the one configured in the GSLB service.
Step 25: More information can be obtained with the following PowerShell command (the name server to query was not given in the original; replace the placeholder with the GSLB name server IP):
Resolve-DnsName -Server <GSLB name server IP> -Name vpn.testwebsite.com
Step 26: Create the following records in the domain admin portal:
- An NS record for the domain vpn.testwebsite.com with name_server=ns-9.vpn.testwebsite.com, and
- A host record for name_server=ns-9.vpn.testwebsite.com with ip_address=44.x.x.1 (GSLB Cloud IP)
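The two records above delegate the sub-zone and supply the glue address that makes the delegation resolvable: ns-9.vpn.testwebsite.com lies inside the zone it serves, so without its host record a resolver has no way to reach it. The following added checker (not part of the original article or of FortiGSLB) validates a record set for exactly that shape. The record set is constructed to mirror Step 26 and uses a placeholder address in place of the 44.x.x.1 GSLB IP.

```python
from collections import namedtuple

Record = namedtuple("Record", "name type value")

# Constructed record set mirroring Step 26 (hypothetical zone data, not a capture).
GOOD_ZONE = [
    Record("vpn.testwebsite.com", "NS", "ns-9.vpn.testwebsite.com"),
    Record("ns-9.vpn.testwebsite.com", "A", "44.0.0.1"),  # placeholder for the 44.x.x.1 GSLB IP
]

# Same delegation with the host (glue) record forgotten: a common misconfiguration.
MISSING_GLUE = [Record("vpn.testwebsite.com", "NS", "ns-9.vpn.testwebsite.com")]


def _norm(name):
    """Canonical form: no trailing dot, lower case (DNS names are case-insensitive)."""
    return name.rstrip(".").lower()


def _in_zone(host, zone):
    """True if `host` is the zone apex or lies beneath it."""
    host, zone = _norm(host), _norm(zone)
    return host == zone or host.endswith("." + zone)


def check_delegation(records, zone, expected_ns=None):
    """Return a list of problems; an empty list means the delegation looks correct.

    Checks performed:
      - at least one NS record exists for `zone`;
      - every NS target inside `zone` has a glue A record (otherwise resolvers loop);
      - every name server in `expected_ns`, if given, is actually delegated."""
    problems = []
    ns_targets = [_norm(r.value) for r in records
                  if r.type == "NS" and _norm(r.name) == _norm(zone)]
    a_hosts = {_norm(r.name) for r in records if r.type == "A"}

    if not ns_targets:
        problems.append(f"no NS record for {zone}")
    for ns in ns_targets:
        if _in_zone(ns, zone) and ns not in a_hosts:
            problems.append(f"NS {ns} is inside {zone} but has no glue A record; "
                            f"resolvers cannot reach it")
    for ns in (expected_ns or []):
        if _norm(ns) not in ns_targets:
            problems.append(f"expected name server {ns} is not delegated")
    return problems


if __name__ == "__main__":
    print(check_delegation(GOOD_ZONE, "vpn.testwebsite.com", ["ns-9.vpn.testwebsite.com"]))
    print(check_delegation(MISSING_GLUE, "vpn.testwebsite.com"))
```

Feed it the records exported from the domain admin portal (or the answers from the nslookup/Resolve-DnsName checks in Steps 24 and 25) before declaring the cut-over done; an empty list confirms the delegation and glue are present.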
Step 27: Check the QPS History as well, which shows the responses served for incoming queries.