Our VPN clients (RAS on Server 2012 R2) seem to be registering their local IP from their home router in our DNS. e.g. 192.168.0.2

I’m trying to get them to update DNS with an IP on our corporate subnet, so that I can deploy software etc via domain name (I can connect via the assigned IP via the RAS server, but DNS is not updating to reflect this assigned IP)

We have a Fortigate firewall and I was wondering if I could use a NAT rule on our incoming traffic to a dynamic pool? I have an IP range ready for this but am unsure what dynamic pool ‘type’ I would use. The pool would be a range on our subnet.

I’ve also read about possibly setting up a VDOM to achieve this, but having never done this before, just wondered if any of you had run into similar issues/if there’s an easier workaround.

Thanks in advance


So you are not using FortiClient for remote sessions? I ask because I have read that it requires the newer paid version of FortiClient to register only the VPN address you give the remote user instead of the IP they get from their local router.


We’re not using the FortiGate VPN/FortiClient for that reason, I’m afraid.

We’re a small business so trying to keep costs down.

The Always on VPN works like a charm, it’s just this DNS issue I can’t resolve. There’s a NAT option on our incoming traffic policy to the VPN server, but I guess this won’t help as it’s simply forwarding traffic to the RAS (VPN).

The clients should not be registering the local IP.

What exact VPN config - you mention Always On? How are the VPN client/adapter settings configured? Make sure these are set to register in DNS and it should register with the IP given by RRAS.


Just to clarify, is the issue the DNS settings on the remote user side? If so, what is serving DHCP for your VPN network? That would likely be the culprit. I don’t have anything to offer in the way of Fortigate. I know on Palo firewalls, you can serve DHCP from the device itself or forward to another DHCP server for the desired network(s), including client-based VPN.


Okay, so do they always work from home, or do they go back and forth between home and office?

I found one solution was to have the SSL VPN adapter checked to register with DNS, then remove it for the local LAN or wireless adapter.

That got our remote users to only register the IP they received via VPN, but if they were to come into the office we would have a problem.



Clients are set to register (default setting for Windows 10). This is what I cannot make out.

We’ve configured the Always On VPN as per the official MS tutorial - Tutorial - Set up infrastructure for Always On VPN | Microsoft Learn

Domain controller is serving DHCP but I’ve configured the RAS to use a static IP pool so DHCP is not used.

Addresses are being assigned correctly by the RAS, but DNS is not updating correctly (despite the adapter settings being correct; see my other screenshot in the comments).

Thanks

It was 50/50 before lockdown but everyone is remote working at present.

So unticking this box was your solution for remote workers?



That is what we did. It only registered the IP they received via VPN.

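The adapter-level fix described in the two posts above (register only the VPN adapter, untick the LAN/Wi-Fi adapters), written out as a PowerShell script so it can be applied and verified without clicking through each adapter. This is an added example, not something posted in the thread; it assumes the Always On VPN adapter's alias is "Corp VPN" and must be run from an elevated prompt.

```powershell
# Added example (not from the thread). Assumption: the VPN adapter's alias is
# "Corp VPN"; check Get-DnsClient / Get-NetAdapter on the client and adjust.
$VpnAlias = 'Corp VPN'

# Show the current per-adapter "Register this connection's addresses in DNS"
# setting before changing anything.
Get-DnsClient | Select-Object InterfaceAlias, RegisterThisConnectionsAddresses

# Enable DNS registration on the VPN adapter only ...
Set-DnsClient -InterfaceAlias $VpnAlias -RegisterThisConnectionsAddresses $true

# ... and disable it on every other adapter (LAN, Wi-Fi), so the home-router
# address (e.g. 192.168.0.2) is no longer pushed into corporate DNS.
Get-DnsClient |
    Where-Object { $_.InterfaceAlias -ne $VpnAlias } |
    Set-DnsClient -RegisterThisConnectionsAddresses $false

# Force an immediate re-registration instead of waiting for the refresh timer.
Register-DnsClient

# Verify: only the VPN adapter should now show True.
Get-DnsClient | Select-Object InterfaceAlias, RegisterThisConnectionsAddresses
```

As the thread notes, a machine configured this way will no longer register its LAN address when it is brought into the office, so keep that in mind for mixed home/office users.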

I’ve been using FortiClient for years and have never run into this. We’re on 6.2 now. What version requires the paid version of FortiClient to register the VPN address?

This is what I would suggest as well. Very nice work Captain James T Kirk. OP, let us know if this fixes your issue.


this to register ONLY the VPN address, and not both.

Just done a test and it worked. Marked as best answer. Thank you very much Captain Kirk!