Question I am trying to move away from using the FortiGate for DHCP for SSL VPN to using an external Microsoft server

Cantercrow

Mar 8, 2021
Good day,

I am trying to move away from using the FortiGate for DHCP for SSL VPN to using an external Microsoft server but need some advice on doing this.

My current internal network uses 10.0.0.0/21 for DHCP and currently the FortiGate uses an address list to allocate IPs to the SSL VPN from 10.0.3.0/21 which is within the 10.0.0.0/21 subnet.

I recently tried to implement external DHCP using the random subnet 10.1.10.0/24, which I set up on the external DHCP server, and when I connected to the SSL VPN, I got an IP from the SSL VPN server but could not route to the 10.0.0.0/21 subnet.

Did I use the wrong subnet? I investigated the 10.0.0.0/21 subnet, and it looks like 10.0.16.0/21 may be what I should have used, but I am not sure. When moving to an external DHCP server, are there any routes I need to set up, or does the FortiGate handle this? Maybe I need a static route from 10.0.16.0/21 to 10.0.0.0/21?

Thanks in advance; I am just learning about subnets and routing.

Julian
 
Not sure what you are asking. Are you trying to get the Microsoft server to assign IPs to the VPN sessions, or are you planning on letting the FortiGate do the VPN and the Microsoft server do the rest?

In general, VPN is going to work better for some applications if the IPs allocated to the VPN sessions are in the same subnet as the other machines. They don't have to be, but some things like Microsoft file sharing are a bit easier to use if they are in the same subnet.

It has been so long since I messed with FortiGate. If the VPN on the FortiGate can just let the VPN session ask for an IP from the Microsoft server, that would likely be the simplest. VPN configuration, though, tends to be very tricky since every vendor likes to do their own thing.

What you might also consider is letting the Microsoft DHCP server hand out all but the top /24 block of your current subnet. You would then configure the FortiGate to give out IPs to the VPN sessions in the range 10.0.7.x. The subnet mask is still /21 even though you are in effect chopping a /24 off the top.
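A worked check of the subnets discussed in this thread, added here as an example and not code from either poster. It uses Python's standard ipaddress module to report whether a proposed VPN pool sits inside the LAN subnet (on-link, no extra route needed) or is a separate subnet that the FortiGate and the LAN gateway both need routes for, and it carves the top /24 off the /21 the way the reply suggests. The subnet values are the ones from the thread; the function names are my own.

```python
import ipaddress


def classify_pool(lan_cidr: str, pool_cidr: str) -> dict:
    """Compare a proposed VPN address pool with the LAN subnet.

    strict=False masks off host bits, so "10.0.3.0/21" is recognised as
    the network 10.0.0.0/21 instead of being rejected.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    if pool.subnet_of(lan):
        status = "on-link"       # same subnet: no route needed
    elif pool.overlaps(lan):
        status = "overlapping"   # partial or super-net overlap: misconfigured
    else:
        status = "separate"      # routes to and from the pool are required
    return {"lan": str(lan), "pool": str(pool), "status": status}


def split_dhcp_scope(lan_cidr: str, vpn_prefix: int = 24) -> dict:
    """Reserve the top block of the LAN for VPN clients, as the reply suggests.

    The DHCP server scope covers everything below that block; the firewall
    hands out the top block. Both sides keep the LAN's own netmask.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    if vpn_prefix <= lan.prefixlen:
        raise ValueError("VPN block must be smaller than the LAN subnet")
    vpn_block = list(lan.subnets(new_prefix=vpn_prefix))[-1]
    return {
        "netmask": str(lan.netmask),
        "dhcp_start": str(lan.network_address + 1),
        "dhcp_end": str(vpn_block.network_address - 1),
        "vpn_start": str(vpn_block.network_address + 1),
        "vpn_end": str(vpn_block.broadcast_address - 1),
    }


if __name__ == "__main__":
    lan = "10.0.0.0/21"
    # Pools mentioned in the thread: the current list, the failed attempt,
    # and the guessed alternative.
    for pool in ("10.0.3.0/21", "10.1.10.0/24", "10.0.16.0/21"):
        print(classify_pool(lan, pool))
    print(split_dhcp_scope(lan))
```

The "separate" result for 10.1.10.0/24 matches the symptom in the question: clients got an address but nothing on 10.0.0.0/21 knew how to reach it back.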