
Basic Guide for VPN Load Balancing with

FortiGSLB and GoDaddy Registrar/DNS


TABLE OF CONTENTS

1.1 VERSION HISTORY ............................ 3
1.2 TERMS AND ABBREVIATIONS .................... 3
INTRODUCTION ................................... 4
SOFTWARE VERSIONS AND VENDORS USED ............. 5
TOPOLOGY ....................................... 5
GENERAL CONFIGURATIONS ......................... 6
REFERENCES ..................................... 24

www.fortinet.com
1.1 Version History

Version | Date       | Description   | Author
1.0     | 2020-06-29 | Initial Draft | Rudiger Fogelbach

1.2 Terms and Abbreviations

Term/Abbreviation | Description
GSLB              | Global Server Load Balancing
FQDN              | Fully Qualified Domain Name
DNS               | Domain Name Server

Introduction
Global Server Load Balancing (GSLB) is a DNS-based solution that allows you to deploy
redundant resources around the globe, which can be leveraged to keep your business online
when a local deployment experiences unexpected spikes or downtime. This solution is a
good fit for customers looking to add redundancy to the VPN gateways of their teleworker
solution.

For remote clients who want to connect to the company HQ via VPN, FortiGSLB allows the
client to automatically connect to the FortiGate VPN server that is geographically closest to
its current location. The choice can also be driven by FortiGate VPN server availability: when
a VPN server is down, FortiGSLB redirects users to the next available FortiGate VPN server,
either in another location or in the same location behind a different telco provider.

Software versions and vendors used

Solution      | Vendor/Solution    | Version
DNS Registrar | GoDaddy            | N/A
GSLB          | FortiGSLB          | 20.2.0
VPN Gateway   | FortiGate/FortiOS  | v6.2.3 (GA)
VPN Client    | FortiClient        | V6.0.6.0242

Topology
We use a regular, highly redundant multi-datacenter topology with two FortiGates (one
in each site), FortiGSLB as the VPN gateway server load balancer, and GoDaddy as DNS
Registrar and basic DNS server.

To showcase the infrastructure, the two FortiGate VPN gateways are deployed in the public
cloud: one in AWS and the other in Azure. Depending on the customer topology these can
equally be on-prem devices; the VPN configuration should be similar to the one depicted
here.

Figure 1 – Topology general overview

General configurations
1. General overview of FortiGate configuration

Perform the following step-by-step guide to establish the service.


1. Create a new VPN in FortiGate (VPN).
1.1. From the FortiGate console, configure the SSL VPN settings:
VPN > SSL-VPN Settings
Set Listen on Interface(s) to the WAN links to be used.
Set Listen on Port to the TCP port to be used.
**For testing purposes the rest can be left as default.**
**Note that other settings can be hardened based on the internal company
security policies.**

Figure 2 – SSL VPN Settings

1.2. From the FortiGate console, validate that the SSL VPN Portals provide the desired access.
For the purpose of this guide we will use Full Access.

Figure 3 – SSL VPN Portals

1.3. Open the Full Access portal and validate its settings.
** Note that split tunnel is used only for the purpose of this test; you should give
proper consideration to whether split or full tunnel is appropriate for your users' connectivity. **

Figure 4 – SSL VPN Portal Full Access

1.4. Next, define the users and groups allowed to use this SSL VPN. Regular enterprise
practice involves external authentication services, but for the purpose of this test LOCAL
users will be used.
Go to User & Device > User Groups > Create New

Figure 5 – SSL VPN User Group

Go to User & Device > User Definition > Create New


Fill in the Username and Password, enable User Group, and add the group created in the
previous step.

Figure 6 – SSL VPN Users

Create as many users/groups as required.

1.5. Finally, create the appropriate IPv4 Policy rule to allow access to the required resources.

Figure 7 – IPv4 Policy Creation

The policies created should go from the SSL-VPN tunnel interface toward the LAN/DMZ
where the accessed resources reside, plus, if required, an additional rule to allow users
coming from the SSL-VPN tunnel to have Internet access. Basic rules should look as
follows:

Figure 8 – IPv4 Policy Creation

Figure 9 – IPv4 Policy Creation details


**Note that the Security Profiles configuration has been omitted for the purpose of this guide,
but it must be reviewed against the security requirements of the organization for the
users connecting through this service.**

2. General overview of FortiGSLB configuration

2. Configure the FortiGSLB service


2.1. Create an organization to associate the FQDN and other services.
Hover over the FortiGSLB Cloud Organization menu > +Create Organization

Figure 10 – FortiGSLB Organization Creation

Add the Organization Name* and Region*, selecting a country. Then click Save.

Figure 11 – FortiGSLB Organization Creation Details

Once created, the organization will have a public IPv4 address for its DNS Server. Take
note of it, as it will be used later:

Figure 11 – FortiGSLB Organization DNS Server

2.2. Create an FQDN in FQDN Services. Click on the recently created organization.
Then go to FQDN Services > +Create New.

Figure 11 – FortiGSLB FQDN Service

Figure 12 – FortiGSLB FQDN Service Creation

In the sliding menu, complete the required fields: Name*, Host Name*,
Domain Name*, and choose DNS-Query-Origin. Finally click Save.

Figure 13 – FortiGSLB FQDN Service Creation Details

2.3. Create an FQDN member and a new Virtual Server Pool.
Once the previous configuration is saved, the +Create Member option will be available.

Figure 14 – FQDN Member Pool Creation

2.4. Assign a Name* for the member pool and click +Create Virtual Server Pool.

Figure 15 – FQDN Member Pool Creation

In the new screen, add a pool Name* and click Save.

Figure 16.1 – Server Pool Creation

After saving, the +Create Member option is displayed to add the Virtual Server.

Figure 16.2 – Create Member Virtual Server

2.5. In the Add Member Virtual Server screen, click +Create Virtual Server.

Figure 17 – Create Virtual Server

Then click +Create Server.

Figure 18 – Create Server

In the next menu, complete Name*, Type* and Data Center*. The Data Center
field can be left as the default data center, or a new Data Center can be created
based on the physical and logical network infrastructure (for this guide it has been left
as default).

Figure 19 – Create Server

2.6. Once created, assign a Name* and an IP address* (the public IPv4 address where the
FortiGate will be listening for SSL VPN traffic). In addition, a health check can be
selected or created to validate the availability of the virtual server.

Figure 20 – Create Virtual Server

2.7. Finally, review the newly added Virtual Server, click Save, and click Save again in
the following screen.

Figure 20.1 – Create Virtual Server

Figure 20.1 – Final FQDN Service Config Save

2.8. Repeat steps 2.3 to 2.7 to add another Virtual Server as a pool member for the second
VPN Gateway.

After completion, the overview Dashboard should look similar to this:

Figure 21 – Dashboard for FQDN Service

TIPS: It is preferable to create a specific health check per host (IPv4) using a non-best-effort
protocol. Avoid ICMP or custom UDP health checks: monitoring works much better with a
reliable TCP/HTTP protocol. In this case the health checks were later changed to point to
the specific IP over HTTPS, since the FortiGate answers HTTPS on the SSL VPN interface.

Sample health check:

Figure 22 – Health Check configuration

Go to Health Check > +Create New. Then complete the fields Name*, Type*, Method Type
and IPv4 with the corresponding information.

Figure 22.1 – Custom health check.

Figure 22.2 – Custom health check (IPv4 Address)

This health check can then be assigned to the virtual server whose IP address is the
corresponding public IPv4 of the selected host (the server configured above).

Figure 23 – Server health check assignment.

3. General overview of GoDaddy DNS Services configuration


3. Go to the GoDaddy Account under Product and Services:

Figure 24 – GoDaddy DNS Configuration

3.1 Here two records need to be created:


3.1.1 An A record pointing to the name server IPv4 address assigned by FortiGSLB in step
2.1 (in this case 44.225.63.28).

Figure 25 – A Record Type – FortiGSLB DNS

3.1.2 An NS record for the FQDN created in step 2.2 (in this case vpnservice.fogel-labs.info),
pointing to the name server host from the A record above.

Figure 26 – NS Record Type for FQDN created

With this configuration, and after waiting several minutes, Internet DNS will start to reflect the
corresponding changes, resolving the FQDN to the proper gateway IP (based on location
and availability).

4. Verification

The nslookup command is the easiest way to validate the configuration in a Windows
environment, in addition to checking the FortiClient VPN configuration.

C:\Users\Rudiger Fogelbach>nslookup vpnservice.fogel-labs.info


Server: UnKnown
Address: 44.225.63.28

Name: vpnservice.fogel-labs.info
Addresses: 3.137.191.253
18.218.80.223
Figure 27 – DNS resolution for the two IPv4 Public IPs defined
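As an added verification example (not part of the Fortinet guide), the following Python script sends a raw A query directly to the FortiGSLB name server from step 2.1 and parses the answers for the FQDN from step 2.2, so you can confirm the delegation works without a caching resolver in between and see the TTL each gateway IP is served with (the short TTL is what lets clients move to the surviving gateway after a failure). GSLB_DNS and FQDN are the values shown on this page; the code uses only the standard library and assumes the UDP response fits in 512 bytes.

```python
import socket
import struct

GSLB_DNS = "44.225.63.28"            # FortiGSLB DNS server from step 2.1
FQDN = "vpnservice.fogel-labs.info"  # FQDN service created in step 2.2

def build_query(name, txid=0x1234):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; 1 question
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def _read_name(msg, off):
    # Decode a label sequence, following RFC 1035 compression pointers.
    labels = []
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln

def parse_a_records(msg):
    # Return [(name, ipv4, ttl)] for each A record in the answer section.
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE (NXDOMAIN, SERVFAIL, REFUSED, ...)
        raise RuntimeError(f"DNS error, rcode={flags & 0x000F}")
    off = 12
    for _ in range(qd):  # skip the echoed question: name + QTYPE + QCLASS
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(msg[off:off + 4]), ttl))
        off += rdlen
    return answers

def query_a(server, name, timeout=3.0):
    # Ask one chosen server directly, e.g. query_a(GSLB_DNS, FQDN), bypassing caches.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recvfrom(512)[0])
```

Running query_a against the GSLB server and then against your normal resolver lets you compare the two answer sets; a difference usually means the delegation has not propagated yet or a resolver is still serving a cached answer.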

The VPN client configuration should be validated as well:

Figure 28 – SSL VPN client configuration

Figure 28.1 – SSL VPN connected.

Note that in the case of a link failure the session will be disconnected; the end user will then be
able to reconnect to the SSL VPN service through the remaining available link.

References
https://docs.fortinet.com/document/fortiadc-cloud/20.3.0/handbook/395635/overview

https://www.godaddy.com/garage/configuring-and-working-with-domains-dns/
