Fortigate end user testing

This blog post explains how to configure a simple end user test for your Azure-based Fortigate high availability deployment. I have decided to provision a simple end user RDP and IIS test to satisfy the end user test criteria.

The Fortigate scenario uses an external Azure load balancer and 3 Fortigate NVAs configured in Active | Active | Active high availability.

Routing

Routing consists of 2 layers, namely:

  1. Azure layer: on a virtual network, all subnets communicate by default using system routing. Default system routing is overridden by any UDRs and NSGs that you create.
  2. Fortigate layer: the Fortigate NVAs require a static route configuration on the NVA to point each port to its respective gateway.

Go to Network > Static Routes and make sure the Gateway IP is correct for the subnet on which each interface resides.

My port1 resides on subnet01 (CIDR 10.0.1.0/27), so its gateway is 10.0.1.1.

My port2 resides on subnet02 (CIDR 10.0.1.32/27), so its gateway is 10.0.1.33.

Step 1 - Azure Load Balancer: Create an additional external interface

On your external Azure load balancer > Frontend IP configuration > add a new public frontend IP address and give the interface an easily identifiable name, e.g. “RDP”.

Step 2 - Network Security Group

Go to the network security group and add the intended port. In this example, we add “3389” to our inbound rule.

Step 3 - Azure Load Balancer Rule

On your external load balancer > Load balancing rules > Add, then set:

  1. Name: a custom descriptive name,
  2. IP version,
  3. Frontend IP address: the public IP you created in step 1,
  4. Backend pool: your Fortigate backend pool,
  5. Frontend/public port: your chosen port,
  6. Backend port,
  7. Health probe (if you deployed via the Fortigate template, the 8008 probe is already active on the Fortigate NVAs),
  8. Session persistence: your own choice,
  9. Idle timeout: your own value,
  10. TCP reset: leave disabled,
  11. Floating IP: enable,
  12. SNAT: depends on your environment. If you select the default outbound access, you will need to create a new public IP per rule.
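The three portal steps above (frontend IP, NSG rule, load-balancing rule), as an added Azure CLI script that is not part of the original post. The resource group, load balancer, NSG, backend pool, probe name and admin source range are assumptions, overridable through environment variables; unlike the portal walkthrough, the NSG rule here is limited to an admin source range rather than any source. With DRY_RUN=1 the script prints each az command instead of running it, so the rule flags can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalent of steps 1-3.
# Every resource name and the admin source range below is an assumption; override
# them via the environment to match your deployment. DRY_RUN=1 prints each az
# command instead of running it.
set -eu

RG="${RG:-rg-fortigate}"                     # assumed resource group
LB="${LB:-lb-fortigate-external}"            # assumed external load balancer
NSG="${NSG:-nsg-fortigate-external}"         # assumed NSG on the external subnet
POOL="${POOL:-fortigate-backend-pool}"       # assumed backend pool holding the 3 NVAs
PROBE="${PROBE:-lbprobe}"                    # assumed name of the existing 8008 health probe
ADMIN_CIDR="${ADMIN_CIDR:-198.51.100.0/24}"  # assumed source range allowed to reach the RDP frontend

# Execute the command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# Step 1: Standard static public IP plus a frontend named after the service (e.g. RDP).
create_frontend() {   # <frontend-name>
  name="$1"
  run az network public-ip create -g "$RG" -n "pip-$name" --sku Standard --allocation-method Static
  run az network lb frontend-ip create -g "$RG" --lb-name "$LB" -n "$name" --public-ip-address "pip-$name"
}

# Step 2: inbound NSG rule for the frontend port, limited to the admin source range
# instead of any source.
create_nsg_rule() {   # <rule-name> <port> <priority>
  name="$1"; port="$2"; prio="$3"
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$name" --priority "$prio" \
    --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$ADMIN_CIDR" --destination-port-ranges "$port"
}

# Step 3: load-balancing rule with the settings the post calls for: the existing probe,
# floating IP enabled, TCP reset disabled, default session persistence and idle timeout.
create_lb_rule() {    # <rule-name> <frontend-name> <frontend-port> <backend-port>
  name="$1"; fe="$2"; fport="$3"; bport="$4"
  run az network lb rule create -g "$RG" --lb-name "$LB" -n "$name" --protocol Tcp \
    --frontend-ip-name "$fe" --frontend-port "$fport" --backend-port "$bport" \
    --backend-pool-name "$POOL" --probe-name "$PROBE" \
    --floating-ip true --enable-tcp-reset false \
    --load-distribution Default --idle-timeout 4
}

# Steps 1-3 for the RDP test: <frontend-port> is the custom public port, backend stays 3389.
provision_rdp() {     # <frontend-port>
  create_frontend RDP
  create_nsg_rule Allow-RDP-In "$1" 310
  create_lb_rule RDP RDP "$1" 3389
}

# Usage: DRY_RUN=1 sh azure-rdp-frontend.sh 3389   (omit DRY_RUN to apply)
[ -z "${1:-}" ] || provision_rdp "$1"
```

Outbound SNAT is left at the load balancer's default here; if your environment uses default outbound access, the post's note about one public IP per rule still applies.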

Step 4 - Fortigate: Setup the Virtual IP

4.1 Setup VIP for internal virtual machine:

Inside each of your Fortigate NVAs, go to:

Policy & Objects > Virtual IPs > Create New > Virtual IP >
Name and Comment = a custom name and comment,
Interface = select your public WAN (port1),
External IP address = the external load balancer's new RDP public IP address that you created in step 1 (yes, excuse the pip in the picture, it's different),
Mapped IP address/range = your internal destination RDP host,
Port Forwarding = Enable,
Protocol = TCP,
Port Mapping Type = One-to-One,
External Service Port = 3389 (this is the custom frontend port you chose in step 3),
Map to port = 3389 (all default ports kept),
OK

4.2 Setup VIP for Azure app service

Configure the same as above, but this time change the Type to FQDN and, in the mapped address, add the app service URL, e.g. allens-web-app.azurewebsites.net

4.3 Setup Virtual IP Group

Now add the virtual IPs to a virtual IP group.

In the portal, go to:
Policy & Objects > Virtual IPs > Create New > Virtual IP Group >
Name and Comment,
Interface = WAN (port1),
Members = add the RDP VIP from the previous step,
OK

Step 5 - Fortigate: Setup the Firewall Policy

Add the virtual IP group to the firewall policy.

Policy & Objects > Firewall Policy > Create New >
Name = RDP Policy,
Incoming interface = WAN (port1),
Outgoing interface = LAN (port2),
Source = All,
Destination = VIP Group (created earlier),
Schedule = always,
Service = All,
Action = Accept,
Inspection Mode = Flow-based,
Comments = RDP,
OK
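Steps 4.1 and 4.2, the VIP group and step 5 above, rendered as FortiOS CLI by an added script that is not from the original post or from Fortinet. The public IPs, the internal RDP host, the web port and the object names are assumptions; the FQDN is the one given in the post. Because the three Active | Active | Active NVAs do not synchronise configuration, the same text is pushed to each unit over SSH so that VIPs, group and policy match everywhere.

```shell
#!/bin/sh
# Added example (not from the original post or Fortinet): renders the FortiOS CLI
# equivalent of the VIP, FQDN VIP, VIP group and firewall policy steps, and pushes
# the same text to every NVA. All IPs, hosts, object names and the web port are
# assumptions; the FQDN is the one from the post.
set -eu

WAN_IF="${WAN_IF:-port1}"                       # public interface
LAN_IF="${LAN_IF:-port2}"                       # internal interface
RDP_PUBLIC_IP="${RDP_PUBLIC_IP:-203.0.113.10}"  # assumed: RDP frontend public IP from step 1
RDP_HOST="${RDP_HOST:-10.0.1.70}"               # assumed: internal RDP test VM
RDP_EXT_PORT="${RDP_EXT_PORT:-3389}"            # custom frontend port from step 3
WEB_PUBLIC_IP="${WEB_PUBLIC_IP:-203.0.113.11}"  # assumed: second frontend public IP for the web test
APP_FQDN="${APP_FQDN:-allens-web-app.azurewebsites.net}"
WEB_PORT="${WEB_PORT:-80}"                      # assumed: port forwarded to the app service

# 4.1: one-to-one TCP port forward from the LB frontend IP to the internal RDP host.
render_rdp_vip() {
cat <<EOF
config firewall vip
    edit "RDP-VIP"
        set comment "End user RDP test"
        set extip ${RDP_PUBLIC_IP}
        set extintf "${WAN_IF}"
        set portforward enable
        set mappedip "${RDP_HOST}"
        set protocol tcp
        set extport ${RDP_EXT_PORT}
        set mappedport 3389
    next
end
EOF
}

# 4.2: same shape, but type fqdn with an FQDN address object as the mapped address.
render_web_vip() {
cat <<EOF
config firewall address
    edit "APP-SERVICE-FQDN"
        set type fqdn
        set fqdn "${APP_FQDN}"
    next
end
config firewall vip
    edit "WEB-VIP"
        set comment "End user IIS/app service test"
        set type fqdn
        set extip ${WEB_PUBLIC_IP}
        set extintf "${WAN_IF}"
        set mapped-addr "APP-SERVICE-FQDN"
        set portforward enable
        set protocol tcp
        set extport ${WEB_PORT}
        set mappedport ${WEB_PORT}
    next
end
EOF
}

# VIP group: both VIPs behind one object so a single policy can reference them.
render_vip_group() {
cat <<EOF
config firewall vipgrp
    edit "END-USER-VIP-GROUP"
        set interface "${WAN_IF}"
        set member "RDP-VIP" "WEB-VIP"
    next
end
EOF
}

# Step 5: WAN -> LAN policy accepting traffic to the VIP group (edit 0 = next free policy ID).
render_policy() {
cat <<EOF
config firewall policy
    edit 0
        set name "RDP Policy"
        set srcintf "${WAN_IF}"
        set dstintf "${LAN_IF}"
        set action accept
        set srcaddr "all"
        set dstaddr "END-USER-VIP-GROUP"
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set comments "RDP"
    next
end
EOF
}

render_all() {
  render_rdp_vip
  render_web_vip
  render_vip_group
  render_policy
}

# Push the rendered config to each NVA; FortiOS reads CLI commands from SSH stdin.
push_to_nvas() {   # <admin-user> <nva-host>...
  user="$1"; shift
  for host in "$@"; do
    render_all | ssh "${user}@${host}"
  done
}

# Usage: sh fortios-enduser-test.sh render                          (review the config)
#        sh fortios-enduser-test.sh push admin 10.0.1.4 10.0.1.5 10.0.1.6   (assumed NVA addresses)
case "${1:-}" in
  render) render_all ;;
  push)   shift; push_to_nvas "$@" ;;
esac
```

The policy mirrors the post and has no NAT. With three independent NVAs behind the load balancer, the internal host's reply has to come back through the NVA that accepted the connection, otherwise no unit holds a matching session and the RDP test simply times out. Enabling NAT on this policy (`set nat enable`, so the host sees the NVA's port2 address as the source) is the usual way to keep the return path symmetric; check it against your own internal routing before adding it.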

Step 6 - Validation

Test your mstsc login to the external load balancer RDP port you created, using your custom port; the RDP login should succeed.
