7.2.2

DNS Configuration

When users and devices are on-net, the optimal path to the servers is from port1 (Clients_LAN) to port2 (DMZ). This is the desired path, rather than forcing on-net users to reach the servers through the ZTNA access proxy.

As such, when on-net users access the internal servers by FQDN, the names must resolve to the servers' real IP addresses rather than to the access proxy. There are two options to accomplish this.

  1. On-net and remote users use the same DNS server, but that DNS server maps different FQDNs to the servers for remote users and for on-net users.

  2. On-net and remote users use different DNS servers. The same FQDN can then be used on both the external DNS and the internal DNS, but each DNS maps the name to a different IP address.

In our example, we use the second approach. Remote users use the FortiGate DNS server, whereas on-net users use the Windows DNS server.
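As an added illustration that is not part of the guide, the following FortiOS CLI shows how the FortiGate DNS database that remote users query could map the FQDN to the access proxy rather than to the real server. The domain example.com, the hostname app, the proxy address 203.0.113.10 and the interface name port3 are constructed assumptions; the on-net Windows DNS keeps its own A record for the same FQDN pointing at the server's real DMZ address.

```fortios
# Added example, not Fortinet's own configuration. All names and addresses are
# constructed placeholders.
config system dns-database
    edit "ztna-remote"
        set domain "example.com"       # placeholder domain
        set type primary               # "master" on older FortiOS releases
        set view shadow                # assumption: answered only on interfaces with DNS service enabled
        set ttl 300                    # short TTL so a changed proxy address propagates quickly
        set authoritative enable
        config dns-entry
            edit 1
                set type A
                set hostname "app"     # app.example.com as seen by remote users
                set ip 203.0.113.10    # ZTNA access proxy address, not the real DMZ server
            next
        end
    next
end

# Enable the DNS service on the interface that remote users reach (port3 assumed).
config system dns-server
    edit "port3"
        set mode recursive             # answer from the database first, forward everything else
    next
end
```

On-net clients never use this database: they point at the Windows DNS server, whose record for app.example.com holds the server's real DMZ address, so their traffic follows the port1 to port2 path.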
