Hello All the FortiWarriors,
I will be briefly describing what's happening in our scenario: I have set up a test FortiGate 61E (FortiOS 6.2.6) with 2 WANs. I have created a load balancer for the FQDN for the VPN gateway on Cloudflare (with proxy turned ON) which points to the WAN1 IP and WAN2 IP (in case of failover). I have enabled SSL VPN on both WAN IPs listening on one of the custom ports supported by Cloudflare. When I try connecting to the "Web-mode" VPN portal everything just works like a charm. But when trying to connect to the same SSL VPN gateway using FortiClient, I am getting the error "VPN Server May be Unavailable". Has anyone configured this kind of setup before? Fortinet Support made it sound like we may be the first one in the world to have this setup, which is pure BS. Highly appreciate your thoughts on this…
(P.S. We have ruled out authentication and permissions issues. Also double-checked with Fortinet support that all the corresponding policies are in place.)
It's not possible to run tunnel-mode SSL VPN through any sort of reverse proxy.
Tunnel-mode SSL VPN tunnels PPP over TLS.
I have definitely seen issues trying to run SSL VPN through a 3rd-party proxy. Both Cloudflare and TotalUptime had this issue. Have seen it with SonicWall and Fortinet products.
Edit: Bypassing the proxy was the settled solution.
Can CloudFlare do a generic TLS proxy? Because what’s inside is not HTTP and so an HTTPS proxy won’t cut it.
Moreover, how does this affect source-IPs of the client traffic from the FortiGate’s point of view? If it’s SNATed to the load-balancer’s IP, I’m predicting users with fat fingers locking out everyone else with them.
Thanks All for sharing these insights!! I think I’ve got a direction to go… Appreciate your help in this matter…
Web proxies like Cloudflare are for HTTP/HTTPS traffic. The proxy handles the TLS connection, but when FortiClient starts talking PPP it doesn't know what to do with the traffic. When you used portal mode, all of your traffic was encapsulated in HTTP.
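A quick way to confirm whether the VPN FQDN is still answered by Cloudflare's HTTP edge rather than the FortiGate itself is to make one HTTPS request to the gateway port and look for the headers the Cloudflare proxy adds (`CF-RAY`, `Server: cloudflare`). This is an added diagnostic, not code from the thread or from Fortinet; the host, port and the sample responses are constructed, and the live probe assumes the gateway presents a certificate your trust store accepts.

```python
import socket
import ssl
from typing import Dict, Tuple

# Constructed sample responses for offline testing; not captured from any real gateway.
PROXIED_SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: cloudflare\r\n"
    b"CF-RAY: 0123456789abcdef-EXAMPLE\r\n"
    b"\r\n"
)
DIRECT_SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: gateway\r\n"
    b"\r\n"
)

def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of an HTTP response into a dict with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw: bytes) -> Tuple[str, str]:
    """Return ("proxied", reason) if a Cloudflare edge answered, else ("direct", "")."""
    h = parse_headers(raw)
    if "cf-ray" in h:  # CF-RAY is set by Cloudflare's edge on every proxied response
        return "proxied", f"CF-RAY header present ({h['cf-ray']})"
    if h.get("server", "").lower() == "cloudflare":
        return "proxied", "Server: cloudflare"
    return "direct", ""

def probe(host: str, port: int, timeout: float = 5.0) -> Tuple[str, str]:
    """Open TLS to host:port (hypothetical VPN FQDN and custom port), send HEAD /, classify the reply."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return classify(raw)

if __name__ == "__main__":
    print(probe("vpn.example.com", 8443))  # placeholder FQDN/port, replace with your own
```

A "proxied" verdict means FortiClient's PPP-over-TLS session will still be terminated at Cloudflare; the DNS record for the VPN FQDN must point straight at the WAN IPs (proxy off) before tunnel mode can work.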
How did you manage to bypass SSL VPN traffic through a CF proxy?
Hey, wondering if you were able to find any solution for this?
Would love to know if you ended up finding a solution.
Hi, I have the same problem, what solution did you find?