In the context of SSL VPN, we are sometimes asked whether it is possible to assign IP addresses using an external DHCP server.
Unfortunately, this is not possible on the FortiGate. >> Possible since FOS 7.0.6 and FOS 7.2.1.
Back in the days of FortiOS 5.2, the documentation suggested that this was possible by editing the ssl.root interface using the CLI. Apparently this was misinformation, but references to it can still be found using your preferred search engine.
So what are the alternatives?
- Implement this requirement using IPsec VPN (recommended)
- Create an individual SSL-VPN portal with a dedicated IP pool for each user
- Assign a fixed IP address to your SSL VPN users using a RADIUS attribute
In case you just want to clean up stale DNS records (which remain after the VPN connection is terminated) on your Microsoft Server, you might want to look into DNS Aging and Scavenging.