In the context of SSL VPN, we are sometimes asked whether it is possible to assign IP addresses to tunnel clients from an external DHCP server. Unfortunately, this is not possible on the FortiGate. Update: this has been possible since FortiOS 7.0.6 and 7.2.1.
Back in the days of FortiOS 5.2, the documentation suggested that this could be done by editing the ssl.root interface in the CLI. That turned out to be misinformation, but references to it can still be found with your preferred search engine.
So what are the alternatives?
- Implement the requirement with IPsec VPN instead, where DHCP-over-IPsec is supported (recommended)
- Create an individual SSL VPN portal with a dedicated IP pool for each user, and map each user (or group) to its portal in an authentication rule
- Assign a fixed IP address to each SSL VPN user via a RADIUS attribute (Framed-IP-Address), which moves the address management to the RADIUS server
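The second alternative, as an added configuration example that is not part of the original post: a single user "alice" gets her own portal whose IP pool contains exactly one address, and an authentication rule ties her group to that portal. All names, the address 10.212.134.10 and the WAN interface "wan1" are assumptions for illustration; adjust them to your environment. Repeat the address, portal and authentication-rule objects for each user that needs a fixed address.

```text
# Firewall address object holding the one address reserved for alice
config firewall address
    edit "SSLVPN_POOL_alice"
        set type iprange
        set start-ip 10.212.134.10
        set end-ip 10.212.134.10
    next
end

# Dedicated tunnel-mode portal whose only IP pool is that single address
config vpn ssl web portal
    edit "portal-alice"
        set tunnel-mode enable
        set ip-pools "SSLVPN_POOL_alice"
        set split-tunneling disable
    next
end

# Local user and a one-member group used for the portal mapping
config user local
    edit "alice"
        set type password
        set passwd "replace-with-a-strong-password"
    next
end
config user group
    edit "grp-alice"
        set member "alice"
    next
end

# Map the group to its portal; users not matched by any rule fall back
# to the default portal (and its shared pool)
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "all"
    set port 10443
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "grp-alice"
            set portal "portal-alice"
        next
    end
end
```

After connecting, `get vpn ssl monitor` should show alice with the tunnel address 10.212.134.10. Keep in mind that a second login by the same user cannot get an address once the one-entry pool is exhausted, so disable concurrent logins or size the pool accordingly.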
If you only want to clean up stale DNS records (the ones left behind after a VPN connection is terminated) on your Windows DNS server, look into DNS aging and scavenging instead; it solves the cleanup without touching how addresses are assigned.
According to the Release Notes, this was fixed in 7.0.6.
Thanks for the hint. You’re right, they’ve added this feature in FOS 7.0.6 and FOS 7.2.1: https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-with-external-DHCP-Server/ta-p/215644
Hello
Has anyone tested this feature with a Windows DHCP server? And more importantly, has it worked?
I have tested it in two labs with Microsoft's DHCP server without success.
Correct DHCP packets arrive at the DHCP server, as seen with Wireshark.
Dear Jre
We have successfully tested it with FortiOS 7.0.6/7.2.1 and Windows Server 2019.
Best regards,
BOLL Engineering Tech Team