ACME Access Only when trying to access the SSL VPN

Hello, newish firewall setup and trying to get SSO working with EntraID. I’ve had this issue on 2 different ones now, so I’m not totally sure that it’s the SSO that’s causing it, but that’s the most recent change.


Here’s the setup:

  • WAN1 interface IP set to x.x.x.82/28 DNS is pointing there.

  • Admin access is enabled on ports HTTP 8080 and HTTPS 8443.

  • HTTPS admin access is enabled on the WAN interface and the break glass account is trusted hosts limited.

  • SSLVPN is enabled using regular 443 and has the redirect http to https setting enabled.

  • There is only one other set of PAT/VIPs on x.x.x.81 on this firewall (it may or may not matter but none of the PATs conflict with any of the ports mentioned for admin and SSLVPN).

  • Using a Let’s Encrypt certificate with the aforementioned DNS name that points to the .82 address.

  • EntraID is set up on the Azure side and uses the DNS name with no special port, just https://y.y.com/blahblah/login

Here’s the issue:

When you go to the site, the page comes up with an “ACME Access Only” page, not the SSLVPN client page.

Admin :8443 access works (not SSO integrated yet) but everything x.x.x.82 comes up with the ACME Access only page. Forticlient doesn’t connect either, just hangs on connecting.

I tried to change the SSL port on the SSLVPN settings page to 10443, thinking there might be a conflict with .81, but same thing. I’ve not done anything to the local-in policy.

I’ve tried a few other things, but it’s pretty default still and I’m out of ideas currently. Any thoughts/direction you may have is appreciated.


EDIT, Resolved: I figured this out, sorta. I went to System->Settings (Administrator Settings) and changed the ACME interface to an unused interface for testing. Then I went and disabled and re-enabled the SSLVPN, and the page popped right up. I went back and tried to switch the ACME interface back to WAN1, and when I tried to enable it, I got the error: “Administration settings failed to save : Entry is used.” So, apparently SSLVPN and the ACME interface can’t exist at the same time on port 80.

For the closest to full functionality, I disabled HTTP redirection on the SSLVPN and moved the ACME Interface back to WAN1. Since browsers pretty much only redirect to HTTPS this doesn’t seem like a big deal. Might toss a ticket into Support to find out if SSLVPND is “supposed” to share the port 80 nicely or not.
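The end state described in the edit above, written out as FortiOS CLI (an added illustration, not configuration from the original post). The `config system global`, `config system acme` and `config vpn ssl settings` keywords are standard FortiOS CLI as I know it; the interface name `wan1`, the admin ports and the break-glass account name are taken from or assumed for this thread, and `set https-redirect disable` is the setting the poster turned off so ACME can keep port 80 on WAN1.

```fortios
# Admin GUI moved off the default ports (8080/8443 from the post),
# so it does not compete with ACME on 80 or SSL VPN on 443.
config system global
    set admin-port 8080
    set admin-sport 8443
end

# Break-glass admin stays restricted to named source hosts.
# 203.0.113.10/32 is a constructed placeholder for the trusted host.
config system admin
    edit "breakglass"
        set trusthost1 203.0.113.10 255.255.255.255
    next
end

# Let's Encrypt (ACME) validation listens on TCP/80 of this interface.
# This is the listener that answered with "ACME Access Only" while
# the SSL VPN HTTP->HTTPS redirect was also claiming port 80.
config system acme
    set interface "wan1"
end

# SSL VPN keeps 443; the HTTP redirect is disabled so sslvpnd no
# longer tries to bind port 80 alongside the ACME listener.
config vpn ssl settings
    set port 443
    set https-redirect disable
end
```

With the redirect off, plain http://y.y.com/ on .82 is answered by the ACME listener, while https://y.y.com/ (port 443) reaches the SSL VPN portal; a quick check after the change is to fetch both URLs and confirm the portal, not the ACME page, is returned on 443.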

Turn off redirect http to https on SSL VPN. Then make sure you are accessing the SSL VPN on 443

You don’t want https admin access exposed to the web, just not a good idea. Even with trusted hosts.

You’re better off with FortiManager or FortiGate cloud for break glass.

I tried that, but same thing. Is there any sort of log for the HTML interface, like a server event log type of thing?

Ever figure this out? I’m working on setting up SSL VPN and getting this pesky Acme access only message now too :wink:

I wish I had a better answer for you, but I honestly don’t remember at this point. I think it was something like rebooting the firewall that finally got it working. We tried to kill services and things like that to figure out what was running where and what ports it was using, but in the end we just made sure the ports were set the way we wanted and rebooted the whole thing.

If you ask me, they need a whole separate GUI for all the management services / local policies etc… too many secret sauce guides out there that fix one thing and break another.

No problem, thanks for sharing!