FortiClient 7.0.1 - Multiple SSL VPN Tunnel Configuration

For the life of me, I cannot understand what the intent is behind the multiple SSL VPN tunnel configuration setting in the FortiClient system. If you use EMS and you modify a profile for VPN SSL, when you go to configure your tunnel, you can add a number of tunnel URLs under the same menu. My first guess when I started working with the system was that you could add multiples and then go to the advanced section of the tunnel configuration menu and choose a “sort method” which would then auto-select the tunnel with the preferential metric.

Whenever I configure multiple tunnel URLs in the same tunnel configuration, it always seems to error out. I am using SAML right now for authentication as well with Azure AD if that helps.

That’s what it’s for. You give the client multiple servers to choose from, and it will pick one according to the sort method (and whether the targets are alive at all).

It’s just the way SAML/Azure/Forti works at the moment. You can’t have 2 gateways. The way it connects to Azure requires a distinct URL or IP.

I tried the same and eventually gave up and just created an entirely new VPN from scratch for the second backup connection.

There is a bug with the current versions of FortiClient (right up to current GA) where the TCP round-trip time sort method is broken and will always connect to the first one in the list. Wouldn’t surprise me if the ping sort method was also broken.

There is an interim build that has it fixed and will apparently be resolved in 7.0.3 GA.

So this leads me to my next question, what am I doing wrong here with the configuration? Since version 6.4.3, it’s always errored out for me and Fortinet Support has offered no real insight to it, simply saying it’s a bug and it will be fixed in the next version. I just put in another ticket for this issue on version 7.0.1.0103 for EMS and version 7.0.1.0083 for FortiClient. I am getting a different message than I was under 6.4.3 EMS and 6.4.6 FortiClient. The current message is:

“Warning - Failed to parse VPN Connection. Please configure the VPN properly before attempting Single Sign On (SSO) VPN connection”

Any thoughts? It would be nice if my AMER and EMEA client base didn’t have to pick their VPN tunnel. I get many tickets regarding EMEA users having performance issues because they inadvertently connect to the AMER Firewall and vice versa.

This is the only way I’ve found to get it to work. As I mentioned before, it still relies on the end user to make a decision as to which tunnel they want to use. I give them the ability to choose in case we have some sort of event, but problematically UK/EMEA people will choose the US tunnel or vice versa and then put tickets in about how the performance of the VPN system is “terrible”. Also, I’ve noticed with this specific configuration, the connections are always alphabetized as far as order in the drop-down menu.

simply saying it’s a bug and it will be fixed in the next version.

…sounds like it’s a bug that needs to be fixed? :)
I’m able to make a change like that in EMS 6.4.3, but perhaps it’s a bug that needs something specific configured to trigger.

I get many tickets regarding EMEA users having performance issues because they inadvertently connect to the AMER Firewall and vice versa.

Have you tried addressing this by two (or more) separate SSL-VPN tunnel configs and setting the default appropriately for each region’s users? (AFAIK the option “current connection” should set the default tunnel)

Have you tried addressing this by two (or more) separate SSL-VPN tunnel configs and setting the default appropriately for each region’s users? (AFAIK the option “current connection” should set the default tunnel)

That’s certainly an option; however, that would mean intrinsically that you would have to know where the users are, and this organization is absolutely terrible at understanding that. For example, you would have to know that Mike Smith is in the AMER region, and there are currently no mechanisms to understand that besides actually talking to the dude or seeing the connection on the FortiGate itself. Currently Mike Smith has to have the neurons to understand that the “Americas” VPN tunnel is the one he should choose and not the “European Area” or the “Asian Pacific” area.

We switched from Palo Alto’s GlobalProtect platform when we migrated from PA to Fortinet, and we were led to believe that there was a like-for-like mechanism to force the users to choose a proper tunnel, but it hasn’t worked out accordingly for us.

You can use a geo DNS service to auto select the gateway based on the client’s location. We use dnsmadeeasy but there are many services that do this.

It doesn’t work with SAML yet*