Fortinet white logo
Fortinet white logo

EMS Administration Guide

Load balancing SSL VPN gateways with one FQDN

Load balancing SSL VPN gateways with one FQDN

When connecting to SSL VPN with an FQDN, FortiClient remembers the IP address with which it contacts the FortiGate and reuses it throughout the connection phase. This feature is available for FortiClient (Windows) and unavailable for FortiClient (macOS) or (Linux).

Prior to this enhancement, users experienced failed connections when load balancing SSL VPN gateways with one FQDN. The failed connections were due to the DNS server returning results using round robin while FortiClient tried to establish the SSL VPN connection during the login phase, leading to the connections going to different FortiGates.

With this enhancement, before SSL VPN authentication, FortiClient resolves the FQDN to an IP address and saves it to the hosts file. This keeps FortiClient connected to the same FortiGate during the entire tunnel establish process, including authentication and tunnel creation.

To support this feature, the DNS server must return the same IP addresss to multiple name lookup requests (sticky session).

To configure load balancing SSL VPN gateways with one FQDN:
Note

To view and configure SSL VPN settings, you must enable SSL VPN visibility in System Settings > Feature Select. See Feature Select.

  1. Configure multiple remote gateways and map them to one FQDN on the DNS server. In this example, the remote gateways are 172.17.161.168 and 172.17.162.10. The FQDN is fortigatessl.fortinet.local.
  2. In EMS, go to Endpoint Profiles > Remote Access.
  3. Create a VPN tunnel with the following settings:
    1. In Basic Settings, for Type, select SSL VPN.
    2. In the Remote Gateway field, enter the FQDN. In this example, it is fortigatessl.fortinet.local.
    3. In the Port field, enter the port number for SSL VPN tunnel establishment.

    4. In Advanced Settings, enable Enable SAML Login, FQDN Resolution Persistence, and Use External Browser as User-agent for SAML Login.
    5. Configure other settings as desired, and save the profile.

The following shows the XML configuration for this tunnel:

<forticlient_configuration>
    <vpn>
        <enabled>1</enabled>
        <options>
            <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
            <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
            <minimize_window_on_connect>1</minimize_window_on_connect>
            <disable_connect_disconnect>0</disable_connect_disconnect>
            <autoconnect_on_install>0</autoconnect_on_install>
            <suppress_vpn_notification>0</suppress_vpn_notification>
            <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
            <show_negotiation_wnd>0</show_negotiation_wnd>
            <keep_running_max_tries>1</keep_running_max_tries>
            <use_windows_credentials>0</use_windows_credentials>
            <secure_remote_access>0</secure_remote_access>
            <on_os_start_connect/>
            <allow_personal_vpns>1</allow_personal_vpns>
            <show_vpn_before_logon>0</show_vpn_before_logon>
        </options>
        <sslvpn>
            <connections>
                <connection>
                    <name>Test</name>
                    <uid>EC71C6B4-8C6D-460F-A141-F8982338867B</uid>
                    <machine>0</machine>
                    <keep_running>0</keep_running>
                    <username/>
                    <password/>
                    <certificate/>
                    <prompt_certificate>0</prompt_certificate>
                    <prompt_username>1</prompt_username>
                    <fgt>1</fgt>
                    <is_fgd_cloud>0</is_fgd_cloud>
                    <disclaimer_msg/>
                    <sso_enabled>1</sso_enabled>
                    <keep_fqdn_resolution_consistency>1</keep_fqdn_resolution_consistency>
                    <use_external_browser>1</use_external_browser>
                    <azure_auto_login>
                        <enabled>0</enabled>
                        <azure_app>
                            <tenant_name/>
                            <client_id/>
                        </azure_app>
                    </azure_auto_login>
                    <single_user_mode>0</single_user_mode>
                    <ui>
                        <show_remember_password>1</show_remember_password>
                        <show_alwaysup>1</show_alwaysup>
                        <show_autoconnect>1</show_autoconnect>
                        <save_username>0</save_username>
                    </ui>
                    <warn_invalid_server_certificate>0</warn_invalid_server_certificate>
                    <redundant_sort_method>0</redundant_sort_method>
                    <RedundantSortMethod>0</RedundantSortMethod>
                    <tags>
                        <allowed/>
                        <prohibited/>
                    </tags>
                    <host_check_fail_warning/>
                    <server>fortigatessl.fortinet.local:444</server>
                    <on_connect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                    </on_connect>
                    <on_disconnect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                    </on_disconnect>
                    <traffic_control>
                        <enabled>0</enabled>
                        <mode>1</mode>
                    </traffic_control>
                </connection>
            </connections>
            <options>
                <enabled>1</enabled>
                <warn_invalid_server_certificate>0</warn_invalid_server_certificate>
                <dnscache_service_control>0</dnscache_service_control>
                <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
                <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
                <no_dns_registration>0</no_dns_registration>
            </options>
        </sslvpn>
    </vpn>
</forticlient_configuration>
To verify the configuration:
  1. In FortiClient, on the Remote Access tab, select the desired tunnel from the VPN Name dropdown list.
  2. Click SAML Login.
  3. Open the hosts file. Confirm that an entry was added to resolve the SSL VPN tunnel FQDN:

    # Copyright (c) 1993-2009 Microsoft Corp. # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost 172.17.161.168 fortigatessl.fortinet.local

  4. Enter valid SAML credentials to successfully establish the SSL VPN tunnel.
  5. Confirm that the entry in the hosts file was removed after FortiClient established the SSL VPN tunnel connection:

    # Copyright (c) 1993-2009 Microsoft Corp. # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost

  6. Disconnect from the VPN tunnel.
  7. Start a new connection to the same VPN tunnel.
  8. Confirm that an entry was added to resolve the SSL VPN tunnel FQDN to a different remote gateway:

    # Copyright (c) 1993-2009 Microsoft Corp. # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost 172.17.162.20 fortigatessl.fortinet.local

  9. Confirm that the entry in the hosts file was removed after FortiClient established the SSL VPN tunnel connection.

Load balancing SSL VPN gateways with one FQDN

Load balancing SSL VPN gateways with one FQDN

When connecting to SSL VPN with an FQDN, FortiClient remembers the IP address with which it contacts the FortiGate and reuses it throughout the connection phase. This feature is available for FortiClient (Windows) and unavailable for FortiClient (macOS) or (Linux).

Prior to this enhancement, users experienced failed connections when load balancing SSL VPN gateways with one FQDN. The failed connections were due to the DNS server returning results using round robin while FortiClient tried to establish the SSL VPN connection during the login phase, leading to the connections going to different FortiGates.

With this enhancement, before SSL VPN authentication, FortiClient resolves the FQDN to an IP address and saves it to the hosts file. This keeps FortiClient connected to the same FortiGate during the entire tunnel establish process, including authentication and tunnel creation.

To support this feature, the DNS server must return the same IP addresss to multiple name lookup requests (sticky session).

To configure load balancing SSL VPN gateways with one FQDN:
Note

To view and configure SSL VPN settings, you must enable SSL VPN visibility in System Settings > Feature Select. See Feature Select.

  1. Configure multiple remote gateways and map them to one FQDN on the DNS server. In this example, the remote gateways are 172.17.161.168 and 172.17.162.10. The FQDN is fortigatessl.fortinet.local.
  2. In EMS, go to Endpoint Profiles > Remote Access.
  3. Create a VPN tunnel with the following settings:
    1. In Basic Settings, for Type, select SSL VPN.
    2. In the Remote Gateway field, enter the FQDN. In this example, it is fortigatessl.fortinet.local.
    3. In the Port field, enter the port number for SSL VPN tunnel establishment.

    4. In Advanced Settings, enable Enable SAML Login, FQDN Resolution Persistence, and Use External Browser as User-agent for SAML Login.
    5. Configure other settings as desired, and save the profile.

The following shows the XML configuration for this tunnel:

<forticlient_configuration>
    <vpn>
        <enabled>1</enabled>
        <options>
            <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
            <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
            <minimize_window_on_connect>1</minimize_window_on_connect>
            <disable_connect_disconnect>0</disable_connect_disconnect>
            <autoconnect_on_install>0</autoconnect_on_install>
            <suppress_vpn_notification>0</suppress_vpn_notification>
            <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
            <show_negotiation_wnd>0</show_negotiation_wnd>
            <keep_running_max_tries>1</keep_running_max_tries>
            <use_windows_credentials>0</use_windows_credentials>
            <secure_remote_access>0</secure_remote_access>
            <on_os_start_connect/>
            <allow_personal_vpns>1</allow_personal_vpns>
            <show_vpn_before_logon>0</show_vpn_before_logon>
        </options>
        <sslvpn>
            <connections>
                <connection>
                    <name>Test</name>
                    <uid>EC71C6B4-8C6D-460F-A141-F8982338867B</uid>
                    <machine>0</machine>
                    <keep_running>0</keep_running>
                    <username/>
                    <password/>
                    <certificate/>
                    <prompt_certificate>0</prompt_certificate>
                    <prompt_username>1</prompt_username>
                    <fgt>1</fgt>
                    <is_fgd_cloud>0</is_fgd_cloud>
                    <disclaimer_msg/>
                    <sso_enabled>1</sso_enabled>
                    <keep_fqdn_resolution_consistency>1</keep_fqdn_resolution_consistency>
                    <use_external_browser>1</use_external_browser>
                    <azure_auto_login>
                        <enabled>0</enabled>
                        <azure_app>
                            <tenant_name/>
                            <client_id/>
                        </azure_app>
                    </azure_auto_login>
                    <single_user_mode>0</single_user_mode>
                    <ui>
                        <show_remember_password>1</show_remember_password>
                        <show_alwaysup>1</show_alwaysup>
                        <show_autoconnect>1</show_autoconnect>
                        <save_username>0</save_username>
                    </ui>
                    <warn_invalid_server_certificate>0</warn_invalid_server_certificate>
                    <redundant_sort_method>0</redundant_sort_method>
                    <RedundantSortMethod>0</RedundantSortMethod>
                    <tags>
                        <allowed/>
                        <prohibited/>
                    </tags>
                    <host_check_fail_warning/>
                    <server>fortigatessl.fortinet.local:444</server>
                    <on_connect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                    </on_connect>
                    <on_disconnect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                    </on_disconnect>
                    <traffic_control>
                        <enabled>0</enabled>
                        <mode>1</mode>
                    </traffic_control>
                </connection>
            </connections>
            <options>
                <enabled>1</enabled>
                <warn_invalid_server_certificate>0</warn_invalid_server_certificate>
                <dnscache_service_control>0</dnscache_service_control>
                <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
                <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
                <no_dns_registration>0</no_dns_registration>
            </options>
        </sslvpn>
    </vpn>
</forticlient_configuration>
To verify the configuration:
  1. In FortiClient, on the Remote Access tab, select the desired tunnel from the VPN Name dropdown list.
  2. Click SAML Login.
  3. Open the hosts file. Confirm that an entry was added to resolve the SSL VPN tunnel FQDN:

    # Copyright (c) 1993-2009 Microsoft Corp. # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost 172.17.161.168 fortigatessl.fortinet.local

  4. Enter valid SAML credentials to successfully establish the SSL VPN tunnel.
  5. Confirm that the entry in the hosts file was removed after FortiClient established the SSL VPN tunnel connection:

    # Copyright (c) 1993-2009 Microsoft Corp. # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost

  6. Disconnect from the VPN tunnel.
  7. Start a new connection to the same VPN tunnel.
  8. Confirm that an entry was added to resolve the SSL VPN tunnel FQDN to a different remote gateway:

    # Copyright (c) 1993-2009 Microsoft Corp. # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost 172.17.162.20 fortigatessl.fortinet.local

  9. Confirm that the entry in the hosts file was removed after FortiClient established the SSL VPN tunnel connection.