FortiClient
Jonathan_Body_FTNT
Article Id 191613

Description
Once a virtual IP address (VIP) has been set manually on the FortiClient, the dialer can use an IP address belonging to the protected subnet it is connecting to. This only works when that subnet is directly connected to the FortiGate, so that the FortiGate can proxy ARP on behalf of the dialer. It is therefore possible to configure the FortiClient this way; however, this article highlights the potential dangers of doing so and why the best practice is to configure it differently.

Scope
All FortiClient users

Solution
Best practice is to give the dialer a statically assigned IP address that is unique to it, i.e. an address that is not part of the protected subnet. If a user configures their own FortiClient VIP, it can lead to an IP address conflict with an address already assigned on the protected subnet. If that conflict is with an internal server, the server becomes unavailable as a network resource.

Therefore, even though it is possible to configure a FortiClient VIP on the same subnet as the protected subnet, the best option is to choose an address from a different subnet for the FortiClient VIP. A further advantage is that it becomes easier to trace the client when collecting logs and user information: if the client is on a different subnet, the internal syslog server logs make it clear whether a user is a local user or a dial-up user.
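As an added check (not part of the original article), the following Python script validates a proposed FortiClient VIP or dialer address pool against the protected subnet: it flags an outright conflict with an address already in use, the risky case of a VIP inside the protected subnet (reachable only via proxy ARP), and the best-practice case of an address outside it. The subnet and the assigned-address table are constructed sample data.

```python
import ipaddress

# Constructed sample data: the LAN protected behind the FortiGate and the
# addresses already in use on it (e.g. from the DHCP server or an IPAM export).
PROTECTED_SUBNETS = [ipaddress.ip_network("10.10.10.0/24")]
ASSIGNED_ADDRESSES = {
    "10.10.10.1": "fortigate-lan-interface",
    "10.10.10.20": "internal-file-server",
}


def check_dialer_vip(vip, protected_subnets=PROTECTED_SUBNETS,
                     assigned=ASSIGNED_ADDRESSES):
    """Classify a proposed FortiClient VIP.

    Returns (verdict, reason) where verdict is one of:
      'conflict' - VIP duplicates an address already assigned on the LAN
      'inside'   - VIP lies inside a protected subnet (works via proxy ARP,
                   but can collide with future assignments and blurs logs)
      'ok'       - VIP is outside every protected subnet (best practice)
    """
    addr = ipaddress.ip_address(vip)
    owner = assigned.get(str(addr))
    if owner is not None:
        return "conflict", f"{addr} is already assigned to {owner}"
    for net in protected_subnets:
        if addr in net:
            return "inside", f"{addr} is inside protected subnet {net}"
    return "ok", f"{addr} is outside every protected subnet"


def dialer_pool_is_safe(pool, protected_subnets=PROTECTED_SUBNETS):
    """True if a dial-up address pool does not overlap any protected subnet."""
    net = ipaddress.ip_network(pool, strict=False)
    return not any(net.overlaps(p) for p in protected_subnets)


def audit(vips):
    """Map each proposed VIP to its verdict, for a quick configuration review."""
    return {vip: check_dialer_vip(vip)[0] for vip in vips}


if __name__ == "__main__":
    for vip, verdict in audit(["10.10.10.20", "10.10.10.200", "10.20.0.5"]).items():
        print(f"{vip:>14}  {verdict}")
```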
