I was presented with a scenario the other day where we had two sites connected with a Site-to-Site VPN. The VPN was up and working great, but FSSO and LDAP would not connect to servers on the other side of the VPN for lookups.
This made sense because I knew the FortiGate was using its outside (public) IP for lookups, and obviously that address was not in my Phase 2 subnets to encrypt. So how can I change this?
Note: these steps change the source IP that the FGT uses to query LDAP or FSSO.
Both objects (FSSO and LDAP) have a CLI option to change the source IP address. See below.
LDAP Source IP change
First log in to the CLI and edit the object, then set the source IP. Once you end the CLI session the change is applied.
Now set the source IP address of the connection.
Once you enter this and end the session with the keyword ‘end’, the command is committed.
Before moving on to the FSSO settings, here is a list of options available:
FSSO Source IP change
In the CLI, edit the FSSO object with the commands below, modify the source IP as shown, and end the session to commit the commands.
Once you enter this and end the session with the keyword ‘end’, the command is committed.
That should be it! You have changed the source IP to an address in the encryption domain, so the FortiGate should now reach the remote side and be able to do lookups.
Just in case, below are all the options available under the FSSO object.
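The LDAP and FSSO changes described above, as an added FortiOS CLI example that is not taken from the original post; the object names, the remote DC address 10.20.0.10 and the local LAN interface IP 10.10.0.1 are constructed, and the example assumes 10.10.0.1 sits inside the local Phase 2 selector and the remote side has a route back to it.

```fortios
# LDAP: source the bind/lookup traffic from the inside interface IP
# so it falls within the Phase 2 selector instead of using the WAN IP.
config user ldap
    edit "DC01-LDAP"                                   # hypothetical object name
        set server "10.20.0.10"                        # constructed: DC across the VPN
        set cnid "sAMAccountName"
        set dn "DC=example,DC=local"
        set type regular
        set username "CN=svc-ldap,OU=Service,DC=example,DC=local"
        set password "REPLACE_WITH_BIND_PASSWORD"
        set source-ip 10.10.0.1                        # constructed: local LAN IP in the encryption domain
    next
end

# FSSO: same idea for the collector agent connection (TCP/8000 by default).
config user fsso
    edit "DC01-FSSO"                                   # hypothetical object name
        set server "10.20.0.10"                        # constructed: collector agent across the VPN
        set port 8000
        set password "REPLACE_WITH_COLLECTOR_PASSWORD"
        set source-ip 10.10.0.1                        # must be an IP the FortiGate owns
    next
end

# Verification: confirm the packets now leave with the LAN source IP,
# then test the bind and check the collector agent status.
diagnose sniffer packet any 'host 10.20.0.10 and (port 389 or port 8000)' 4
diagnose test authserver ldap "DC01-LDAP" testuser testpassword
diagnose debug authd fsso server-status
```

If the sniffer still shows the WAN address as the source, the `source-ip` value is not an address assigned to a FortiGate interface or the edit was not committed with `end`.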