Customer uses VPN with the GAiA cluster of the main site as center and SMB appliances (locally & SMP managed) on remote sites. As the SMBs also need to connect by VPN to a FortiGate, their external IPs have been removed from the Encryption Domain using the Advanced Settings. This configuration was built with help of CP TAC and works as expected.
But now the customer wants to use IA for his users with an AD server at the main site - but IA packets use the external IP of the SMB and are not routed through the VPN to the main site, making the needed communication impossible.
Did anyone already encounter such an obstacle and find a way to resolve it?
I recall another option in Advanced Settings that caters to similar.
Will share a screenshot accordingly, but applicability to central managed devices would need to be checked/confirmed with TAC perhaps.
"VPN site to site global settings - Use internal IP address for encrypted connections from local gateway."
This is locally managed and the VPN site to site global settings are already used as advised by TAC:
Setting "Do not encrypt connections originating from the local gateway" = TRUE in VPN->Community resolved the Forti VPN issue, but it automatically disables "Use internal IP address for encrypted connections from local gateway", so the ping from the WebGUI through the VPN tunnel does not work; only from the CLI using ping -I <Local Address> does it succeed.
Maybe you are looking for this:
How to configure an alternate IP Address for Identity Awareness communication channel
Be careful before you change anything in the database. Save/backup everything 🙂
Akos
Thank you, I forgot about that sk! But it cannot work - as written above, the customer has SMB appliances (locally & SMP managed), so changing the SMS database does not help, as the SMS only manages the main GAiA GW, but not the SMBs.
Indeed, I always forget that; you always have tricky and detailed questions... and SMBs 🙂
Remember - this is the SMB Gateways (Spark) board 😉 With GAiA this would be no issue at all, as you could use the Encryption Domain per VPN Community feature and define different Communities for the VPNs to CP and Forti. But that is impossible (yet) with SMBs...
Hi,
Can you please attach the topology?
Why did you exclude the external IP?
Customer has ca. 73 SMBs locally managed by SMP. Each has a tunnel to a FortiGate (that is the reason why the external IP must be excluded; I can send you a PM with the SR# - this was configured by TAC) and a tunnel to the main site GAiA cluster, which sits in front of the AD.
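To make the interaction of the three settings discussed above concrete, here is an added example (not code from the thread or from Check Point) that models, in simplified form, which source address the SMB picks for a gateway-originated connection and whether that connection falls inside the encryption domain of the Check Point community. All addresses, the `SmbVpnSettings` names and the tunnel-selection rules are assumptions for illustration; the real gateway logic is more involved.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology (assumption: documentation addresses, not the customer's network).
SMB_LAN = ipaddress.ip_network("192.168.10.0/24")
SMB_INTERNAL_IP = ipaddress.ip_address("192.168.10.1")
SMB_EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")
MAIN_SITE_LAN = ipaddress.ip_network("10.0.0.0/16")   # behind the GAiA cluster
AD_SERVER = ipaddress.ip_address("10.0.1.10")          # Identity Awareness target
FORTI_LAN = ipaddress.ip_network("172.16.0.0/16")      # behind the FortiGate
USER_HOST = ipaddress.ip_address("192.168.10.50")      # a user behind the SMB
FORTI_HOST = ipaddress.ip_address("172.16.5.5")        # a server behind the FortiGate


@dataclass
class SmbVpnSettings:
    """Hypothetical model of the three SMB settings mentioned in the thread."""
    exclude_external_ip: bool    # external IP removed from the Encryption Domain (Advanced Settings)
    do_not_encrypt_local: bool   # "Do not encrypt connections originating from the local gateway"
    use_internal_ip: bool        # "Use internal IP address for encrypted connections from local gateway"

    def effective_use_internal_ip(self) -> bool:
        # As reported above, enabling do_not_encrypt_local switches use_internal_ip off.
        return self.use_internal_ip and not self.do_not_encrypt_local


def cp_local_domain(s: SmbVpnSettings) -> List[ipaddress.IPv4Network]:
    """Encryption domain the SMB presents to the Check Point community."""
    domain = [SMB_LAN]
    if not s.exclude_external_ip:
        domain.append(ipaddress.ip_network(SMB_EXTERNAL_IP))
    return domain


def classify(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address, s: SmbVpnSettings) -> str:
    """Simplified tunnel selection: 'cp-tunnel', 'forti-tunnel' or 'clear'."""
    if any(src in net for net in cp_local_domain(s)) and dst in MAIN_SITE_LAN:
        return "cp-tunnel"
    if src in SMB_LAN and dst in FORTI_LAN:
        return "forti-tunnel"
    return "clear"


def gateway_originated(dst: ipaddress.IPv4Address, s: SmbVpnSettings,
                       source_override: Optional[ipaddress.IPv4Address] = None
                       ) -> Tuple[ipaddress.IPv4Address, str]:
    """Source address chosen for a connection the SMB itself originates (the IA channel
    to the AD server, or a ping from the WebGUI) and how that connection is routed.
    source_override models 'ping -I <Local Address>' or an alternate IA source address."""
    if source_override is not None:
        src = source_override
    elif s.effective_use_internal_ip():
        src = SMB_INTERNAL_IP
    else:
        src = SMB_EXTERNAL_IP
    return src, classify(src, dst, s)


# Out-of-the-box settings versus the configuration described in the thread.
DEFAULT = SmbVpnSettings(exclude_external_ip=False, do_not_encrypt_local=False, use_internal_ip=False)
TAC_CONFIG = SmbVpnSettings(exclude_external_ip=True, do_not_encrypt_local=True, use_internal_ip=True)

if __name__ == "__main__":
    for name, s in (("default", DEFAULT), ("tac-config", TAC_CONFIG)):
        print(name, "IA to AD:", gateway_originated(AD_SERVER, s))
        print(name, "ping -I internal to AD:", gateway_originated(AD_SERVER, s, SMB_INTERNAL_IP))
        print(name, "user to Forti host:", classify(USER_HOST, FORTI_HOST, s))
```

Running it shows the symptom from the thread: with the TAC configuration the IA channel is sourced from the external IP, which is no longer in the encryption domain, so it leaves in the clear, while the same destination reached with the internal IP as source (the `ping -I` case) still goes through the Check Point tunnel and user traffic to the FortiGate is unaffected.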