I recently deployed 81F HA pair 7.0.5 and multiple end users are reporting intermittent RDP dropouts (10-15 seconds) using FortiClient even though the VPN connection stays up when the dropouts occur.
I’m using tunnel mode for local subnets and have basic AV, APP, IPS and certificate inspection enabled on the inbound SSL rule. Support is asking me to disable UTM on the inbound rule to resolve the issue. Is this typical for an inbound SSL VPN tunnel rule? I certainly want my RDP users to stay connected but don’t want to sacrifice security.
Well, I’d actually say that applying AV/Appctrl/IPS onto RDP is a waste of effort. RDP is RDP, it’s not a traffic tunnel that can be meaningfully inspected by antivirus and such.
At best you can apply AppCtrl to enforce that the RDP ports are actually used by RDP traffic, and maybe apply IPS to catch some RDP bruteforce, but that’s about it.
I certainly want my RDP users to stay connected but don’t want to sacrifice security.
True, but you’re troubleshooting right now.
If there is a difference when those policies are involved vs when they are not, you can decide how to handle that at that point.
Right now, you have no idea where the issue is.
It may also be the firmware version that contributes to this issue.
I just checked my firewalls (personal and customer managed), and we’re not doing that filtering on the inbound SSLVPN tunnel rule under v6.4.9. Not only does the SSLVPN connection require authentication, but in our case, we have clients running FortiClient, and so we are managing endpoint security at the endpoint.
But, regardless of which way you end up choosing, I’d recommend that you disable that inspection to verify if it is having an impact on the VPN traffic.
And if that doesn’t help, consider v7.0.6 which was recently released, and appears to be quite stable from the reports I have seen (I have not tested it personally as yet).
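As an added illustration of the test recommended above (this is constructed example configuration, not the poster’s or Fortinet’s own), here is what the inbound SSL VPN policy with UTM enabled looks like in the FortiOS CLI, the single setting that switches inspection off on that one policy for the test, and the diagnose commands to watch RDP sessions while users try to reproduce the dropout. The policy ID, interface names, address objects, profile names and port are assumptions.

```fortios
# Constructed example: inbound SSL VPN policy with UTM profiles attached.
# Policy ID 10, interface and object names, and profile names are assumed.
config firewall policy
    edit 10
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "lan-subnet"
        set action accept
        set schedule "always"
        set service "RDP"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set application-list "default"
        set ips-sensor "default"
        set logtraffic all
    next
end

# Test step: turn inspection off on this policy only. Other policies keep
# their profiles, so the change is limited to the SSL VPN inbound path.
config firewall policy
    edit 10
        set utm-status disable
    next
end

# While users reproduce the dropout, watch RDP sessions coming from the tunnel.
diagnose sys session filter clear
diagnose sys session filter dport 3389
diagnose sys session list

# When the test is over, re-enable inspection and confirm the profiles are
# still attached to the policy.
config firewall policy
    edit 10
        set utm-status enable
    next
end
show firewall policy 10
```

Keeping the change to `utm-status` on the one policy means the comparison is between the same policy with and without inspection, which is exactly the difference the reply above says you need to establish before deciding whether to keep AV/AppCtrl/IPS on RDP.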
Did you ever figure out what was causing the disconnects? I have a client on a new 60F going through the same things. I had UTM enabled on the incoming and outgoing. I just disabled it to see if it makes any difference.
I don’t think it was UTM related. At the time, I believe it was related to SD-WAN/load balancing mode between multiple ISPs. I set the failover mode to manual (only switch ISP if an SLA fails) and the issues went away but I’m on 7.2.8 now so YMMV.
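As an added example of the SD-WAN setup the reply above describes (a constructed approximation, not the poster’s configuration), the block below defines two ISP members, a health check with SLA thresholds, and an SD-WAN rule in manual mode that prefers the first member. Interface names, gateways, the health-check target and the thresholds are all assumptions.

```fortios
# Constructed example: two ISP links, one health check, one manual-mode rule.
# Interface names, gateways, probe target and thresholds are assumed values.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
    end
    config health-check
        edit "isp-check"
            set server "198.51.100.53"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "prefer-wan1"
            set mode manual
            set src "all"
            set dst "all"
            set priority-members 1 2
        next
    end
end

# Check which member the rule is currently steering traffic to, and the
# health-check/SLA state of each link, before and after changing the mode.
diagnose sys sdwan service
diagnose sys sdwan health-check
```

Whether a member is skipped as soon as it breaches an SLA target or only once the health check marks it down depends on the rule mode, so after changing the mode compare the output of `diagnose sys sdwan service` across a few minutes; if the selected member flips between links without the health check reporting a failure, that rule is a candidate for the kind of intermittent disconnect described in this thread.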