FortiGate SSL VPN: Assign IP-Addresses using an external DHCP Server

In the context of SSL VPN, we are sometimes asked whether it is possible to assign IP-addresses using an external DHCP server. Unfortunately, this is not possible on the FortiGate. >> Possible since FOS 7.0.6 and FOS 7.2.1.

Back in the days of FortiOS 5.2, the documentation suggested that this was possible by editing the ssl.root interface using the CLI. Apparently this was misinformation, but references to it can still be found using your preferred search engine.

So what are the alternatives?

  • Implement this requirement using IPsec VPN (recommended)
  • Create an individual SSL-VPN portal with a dedicated IP-Pool for each user
  • Assign fixed IP-addresses to your SSL VPN users using a RADIUS attribute

In case you just want to clean up stale DNS records (that remain after the VPN connection is terminated) on your Microsoft Server, you might want to look into DNS Aging and Scavenging.


4 thoughts on “FortiGate SSL VPN: Assign IP-Addresses using an external DHCP Server”

  1. jre

    Has anyone tested this feature with a Windows DHCP server? And more importantly, has it worked?
    I have tested it in two labs with Microsoft’s DHCP server without success.
    Correct DHCP packets arrive at the DHCP server, as seen with Wireshark.

    • Martin Abt

      Dear Jre
      We have successfully tested it with FortiOS 7.0.6/7.2.1 and Windows Server 2019.
      Best regards,
      BOLL Engineering Tech Team
