FortiGate SSL VPN: Assign IP-Addresses using an external DHCP Server

In the context of SSL VPN, we are sometimes asked whether it is possible to assign IP addresses using an external DHCP server. Unfortunately, this is not possible on the FortiGate.

Back in the days of FortiOS 5.2, the documentation suggested that this was possible by editing the ssl.root interface using the CLI. Apparently this was misinformation, but references to it can still be found using your preferred search engine.

So what are the alternatives?

  • Implement this requirement using IPsec VPN (recommended)
  • Create an individual SSL-VPN portal with a dedicated IP-Pool for each user
  • Assign fixed IP addresses to your SSL VPN users using a RADIUS attribute

In case you just want to get rid of stale DNS records on your Microsoft Server, you might want to look into DNS Aging and Scavenging.
