
Solved: How do I configure FortiGSLB Cloud for SSL VPN users traffic?

This article describes how to configure FortiGSLB Cloud for SSL VPN user’s traffic. FortiGSLB Cloud is a Global Server Load Balancing Fortinet solution.

Solution

Scenario (the setup considered):

Multiple FortiGates are placed at different locations, for example India, USA, and England.

For remote clients who want to connect to the company HQ (India) via VPN, FortiGSLB allows clients to automatically connect to the FortiGate VPN server that is geographically closest to their current location.

Selection can also be driven by FortiGate VPN server availability: when a VPN server is down, FortiGSLB redirects users to the next available FortiGate VPN server in another location (USA/England).

Architecture

(Figure: architecture for configuring FortiGSLB Cloud for SSL VPN user traffic)

Example:

  1. A user in England connects via FortiClient or the web client (GUI) login to access internal servers from outside the office.
  2. During connection, the traffic goes to GSLB via vpn.testwebsite.com on port 10443.
  3. Since the user sits in Birmingham, FortiGSLB directs the user to the England firewall, the nearest hop for VPN termination.
  4. If the England firewall is not available, the user's traffic is redirected to the next nearest location, i.e. the USA in this case.
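The selection behaviour in the example above (nearest site first, next nearest when the closest one is down) as a small Python model. This is an added illustration, not FortiGSLB's own code or algorithm; the site coordinates, health states and IP addresses are constructed sample data.

```python
# Added illustration (not FortiGSLB's code): a minimal model of the
# "nearest available FortiGate" selection described in the scenario.
# Site coordinates, health states and IPs are constructed sample data.
from dataclasses import dataclass, replace
from math import radians, sin, cos, asin, sqrt
from typing import List, Optional


@dataclass(frozen=True)
class Site:
    name: str
    lat: float
    lon: float
    vpn_ip: str           # public IP of the FortiGate SSL VPN virtual server
    healthy: bool = True  # outcome of the GSLB health check for this member


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def rank_sites(client_lat: float, client_lon: float, sites: List[Site]) -> List[Site]:
    """All sites ordered by distance from the client, nearest first."""
    return sorted(sites, key=lambda s: haversine_km(client_lat, client_lon, s.lat, s.lon))


def select_site(client_lat: float, client_lon: float, sites: List[Site]) -> Optional[Site]:
    """Nearest healthy site; falls through to the next nearest when the closest is down.
    Returns None when no site is healthy (the DNS answer would then have no member)."""
    for site in rank_sites(client_lat, client_lon, sites):
        if site.healthy:
            return site
    return None


# Constructed sample: the three FortiGate locations from the scenario.
SITES = [
    Site("India (HQ)", 28.61, 77.21, "203.0.113.10"),
    Site("USA", 38.90, -77.04, "203.0.113.20"),
    Site("England", 52.48, -1.90, "203.0.113.30"),
]

BIRMINGHAM = (52.49, -1.89)  # approximate client location from the example


def answer_for_birmingham(england_up: bool = True) -> str:
    """Name of the site a Birmingham user is steered to, given England's health."""
    sites = [replace(s, healthy=england_up) if s.name == "England" else s for s in SITES]
    chosen = select_site(*BIRMINGHAM, sites)
    return chosen.name if chosen else "no healthy site"


if __name__ == "__main__":
    print("England up:  ", answer_for_birmingham(True))
    print("England down:", answer_for_birmingham(False))
```

With the England member marked unhealthy the model returns the USA site, matching step 4 of the example; with every member down it returns no site, which is the case a practitioner should watch for in the FortiGSLB Status dashboard.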

New VPN Connection

Step 1: Navigate to the URL for FortiGSLB Cloud: https://www.fortigslb.com/#/login

Step 2: Ask Fortinet Sales Team to provide a demo license.

Login to FortiGSLB Cloud

Step 3: Select the Primary/Main account to login.


Step 4: Select the Create an Organization option and follow through the steps:


Step 5: Choose the newly created organization and select Open.

Step 6: The license can be checked by going to the left section and selecting the Contact & License page.


Step 7: Back in the left section, select the GSLB Services option to create the SSL VPN GSLB Service.

Step 8: Create two services that will cater to the same type of request, i.e. SSL VPN.

The configuration below shows a snapshot of the ssl_vpn-fqdn service; the same configuration is needed for ssl_vpn-fqdn_service, the only difference being host = '*' in that case.

Step 9: Click on the Create FQDN button.


Step 10: Enter the following detail to connect to FortiGate over SSL VPN:

  • Name
  • Hostname: one service with 'www' and the other FQDN service with '*', because users may type either
    1. https://www.vpn.testwebsite.com, or
    2. https://vpn.testwebsite.com
  • Domain Name: followed by a trailing '.'

Step 11: Click on the Save button; this brings up the Add Member button.

Step 12: Click on the Add Member button, and the option to Create Member will be available.


Step 13: Create a Pool inside the member.

Step 14: Add a Virtual Server Member under the Pool.

Step 15: Create a Connector and select Generic-Host as the Type for the FortiGate VPN.

Step 16: After saving the connector, create a Virtual Server and add the FortiGate public IP that SSL VPN clients currently connect to, whether web-based or via FortiClient.

Note: Multiple Public IPs can be input here for the same one location.


Step 17: For Data Centre, select the location where this FortiGate is situated. Perform the same steps for all the Pools and Virtual Servers created for the FortiGates at the other locations.

Step 18: Check the overall Status in the dashboard (first tab in the left pane).

Add DNS Service in order to use the GSLB services that were created

Step 19: Go to the left pane and select the DNS Services tab.

Step 20: Click on the Create New button on right.


Step 21: Enter the following details:

  • Name: any name
  • Type: Primary
  • Domain Name: must match the domain name given when the GSLB service was created
  • Responsible mail: any mailbox for the admin or similar
  • Primary Server Name: any of the available name servers, e.g. ns-9 or ns-2 (choose as per availability)
  • Primary Server Address: the GSLB IP shown at the bottom of the left pane


Step 22: After saving, the records below should be created automatically (they are fetched from the same domain name provided in GSLB Services).

Testing whether GSLB resolves IPs according to geolocation

Step 23: Open the command prompt window (cmd).

Step 24: Enter the following commands, pressing Enter after each line:

nslookup vpn.testwebsite.com
nslookup -q=NS vpn.testwebsite.com

Note: vpn.testwebsite.com is the SSL VPN domain in use, as configured above.

Step 25: More information can be found via the following PowerShell command, where <GSLB-Cloud-IP> is a placeholder for the GSLB IP used as the Primary Server Address in Step 21:

Resolve-DnsName -Server <GSLB-Cloud-IP> -Name vpn.testwebsite.com

Step 26: Create the following records in the domain admin portal:

  • NS record for the domain vpn.testwebsite.com with name_server=ns-9.vpn.testwebsite.com
  • Host record for the name server ns-9.vpn.testwebsite.com with ip_address=44.x.x.1 (GSLB Cloud IP)

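The two portal records above delegate the SSL VPN domain to FortiGSLB, and because the name server lives inside the delegated domain the second record is the glue address without which resolvers cannot reach it. The following added check (not part of the article or of Fortinet's tooling) validates a planned set of portal records against the DNS service settings from Step 21 before they are published; the records and the 44.x.x.1 address are constructed to match the article and are not real values.

```python
# Added illustration (not the article's or Fortinet's code): offline sanity
# check of the registrar records from Step 26 against the FortiGSLB DNS
# service settings from Step 21. All values below are constructed samples;
# 44.x.x.1 stands in for the GSLB Cloud IP shown in the FortiGSLB left pane.
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner, type, value); names fully qualified

# FortiGSLB DNS service settings (Step 21), constructed to match the article
ZONE = "vpn.testwebsite.com."
PRIMARY_NS = "ns-9"       # Primary Server Name
GSLB_IP = "44.x.x.1"      # Primary Server Address (GSLB Cloud IP placeholder)

# Records planned for the domain admin portal (Step 26), constructed sample
REGISTRAR_RECORDS: List[Record] = [
    ("vpn.testwebsite.com.", "NS", "ns-9.vpn.testwebsite.com."),
    ("ns-9.vpn.testwebsite.com.", "A", "44.x.x.1"),  # glue for the in-zone NS
]


def _in_zone(name: str, zone: str) -> bool:
    """True when `name` is the zone apex or a name below it."""
    return name == zone or name.endswith("." + zone)


def check_delegation(records: List[Record], zone: str = ZONE,
                     primary_ns: str = PRIMARY_NS, gslb_ip: str = GSLB_IP) -> List[str]:
    """Return a list of problems; an empty list means the delegation is consistent
    with what FortiGSLB was configured to serve."""
    problems: List[str] = []
    expected_ns = f"{primary_ns}.{zone}"
    ns_targets = [v for o, t, v in records if o == zone and t == "NS"]

    if not ns_targets:
        problems.append(f"no NS record delegates {zone}")
    elif expected_ns not in ns_targets:
        problems.append(f"NS records {ns_targets} do not include {expected_ns} "
                        "configured as Primary Server Name in FortiGSLB")

    for ns in ns_targets:
        # An NS host inside the delegated zone is only reachable through a glue
        # A record published by the parent; without it resolution fails.
        if _in_zone(ns, zone):
            glue = [v for o, t, v in records if o == ns and t == "A"]
            if not glue:
                problems.append(f"{ns} is inside {zone} but has no glue A record")
            elif gslb_ip not in glue:
                problems.append(f"glue for {ns} is {glue}, expected GSLB address {gslb_ip}")
    return problems


if __name__ == "__main__":
    print("complete plan:", check_delegation(REGISTRAR_RECORDS) or "OK")
    print("missing glue: ", check_delegation(REGISTRAR_RECORDS[:1]))
```

Run it before touching the registrar: an empty list means the NS name, the glue address and the FortiGSLB settings agree; the missing-glue case reproduces the most common reason the `nslookup -q=NS` test in Step 24 returns nothing.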

Step 27: Also check the QPS History, which shows the responses served for incoming queries.
