Resilient VPN Connection using Fortigate
Introduction
As a technology-driven company, Halodoc relies on multiple web-based applications for its operations, including Control Center, Metabase, Looker, and the HRIS system. These applications are accessed not only from the office but also remotely, as Halodoc implements a Work From Home (WFH) policy. To enable access from anywhere, the applications must be hosted publicly, which inevitably introduces potential security risks.
Hosting applications publicly exposes internal systems to the open internet where malicious actors can attempt to exploit vulnerabilities. For example, attackers could try brute-force login attempts, perform SQL injection or cross-site scripting (XSS) on poorly secured web applications, or launch Distributed Denial of Service (DDoS) attacks to disrupt access. Beyond external threats, there is also the risk of unauthorized internal access, such as ex-employees or contractors still possessing valid credentials. Without proper safeguards such as VPN, SSO, and strict IAM policies, these risks could compromise sensitive operational data and disrupt critical business processes.
To address these challenges, Halodoc balances security, availability, and scalability with FortiGate SSL VPN and its FortiVPN client, using the following measures:
- Split Tunneling and NAT Policies: Configuring FortiGate VPN to safeguard internal traffic while optimizing bandwidth usage.
- High Availability via DNS Failover: Deploying redundant FortiGate servers in Jakarta and Bangalore, with an AWS-based fallback for business continuity.
- Single Sign-On (SSO) Integration: Enhancing security and simplifying identity management through centralized authentication.
- Addressing Scalability Challenges: Managing differences in server capacity and bandwidth to prioritize critical operations.
The following sections detail how these implementations strengthen Halodoc’s VPN architecture and overall security posture, reducing exposure to both external and internal threats while ensuring continuous, secure, and efficient access to critical operational systems.
Restricting Operational Website Access via VPN
Access to internal operational websites is only possible when the user is directly connected to the office network or connected through the FortiGate VPN. This prevents unauthorized public access and protects confidentiality and data integrity; it is implemented with split tunneling and NAT (Network Address Translation).
- Split tunneling based on policy destination derives the client’s routes from the firewall policies in place: only destinations named in those policies are routed through the SSL VPN, and everything else leaves the client directly over its local connection. This keeps internal traffic protected while using the VPN server’s bandwidth more efficiently.
config global
config vpn ssl web portal
edit "split-tunnel-portal"
set tunnel-mode enable
set split-tunneling enable
set split-tunneling-routing-address "policy"
next
end
Split tunneling based on destination policy
- NAT is enabled on the firewall policy so that the source address of every VPN user’s request to an internal website is translated to the office’s public IP. Backend systems can then accept access only from registered (whitelisted) IPs. The snippet below shows only the NAT line; the full policy also names the SSL VPN tunnel interface as source, the internal web servers as destination, and the permitted user group. Because all VPN users share the same translated address, the IP whitelist is a coarse network control: per-user authorization still has to happen at the application, through the SSO-backed login described later.
config firewall policy
edit 10
set nat enable
next
end
NAT is enabled on the firewall policy
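A check a practitioner will want after configuring split tunneling is to confirm, from the client side, that only the policy destinations are actually routed through the tunnel. The script below is an added example, not code from the original post or from Fortinet: it parses `ip route` output on a Linux client and reports a full tunnel, a public prefix pulled into the tunnel, or a missing internal prefix. The tunnel interface name, the internal prefixes, and the gateway addresses are assumptions, and the three route tables are constructed samples.

```python
"""Client-side check that SSL VPN split tunneling is in effect.

Added example (not code from the original post or from Fortinet): parses the
output of `ip route` on a Linux client and verifies that only the expected
internal prefixes are routed through the tunnel interface, that the default
route still leaves via the physical NIC, and that no public prefix has been
pulled into the tunnel. Interface name, prefixes and gateways are assumptions;
the sample route tables are constructed.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess
from dataclasses import dataclass

TUNNEL_IF = "ppp0"  # assumed name of the SSL VPN tunnel interface on the client

# Destinations the FortiGate firewall policy allows (assumed). With split tunneling
# based on policy destination, these and nothing else should be routed via the tunnel.
EXPECTED_INTERNAL = [ipaddress.ip_network(p) for p in ("10.10.0.0/16", "172.16.20.0/24")]

# Constructed `ip route` output: split tunneling working as intended.
SAMPLE_SPLIT = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.0.0/16 dev ppp0 proto static scope link
172.16.20.0/24 dev ppp0 proto static scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed failure modes: the default route pulled into the tunnel (full tunnel),
# and a clearly public prefix (a public resolver's range) leaking into the tunnel.
SAMPLE_FULL_TUNNEL = """\
default dev ppp0 proto static scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
SAMPLE_PUBLIC_LEAK = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.0.0/16 dev ppp0 proto static scope link
172.16.20.0/24 dev ppp0 proto static scope link
8.8.8.0/24 dev ppp0 proto static scope link
"""

ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)")


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network  # "default" becomes 0.0.0.0/0
    dev: str


def parse_routes(text: str) -> list[Route]:
    """Parse `ip route` lines into Route objects; lines without a `dev` field are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        routes.append(Route(ipaddress.ip_network(dst, strict=False), m["dev"]))
    return routes


def check_split_tunnel(routes, tunnel_if=TUNNEL_IF, expected=EXPECTED_INTERNAL) -> list[str]:
    """Return findings; an empty list means the tunnel routes match the policy destinations."""
    findings = []
    tunnel = [r for r in routes if r.dev == tunnel_if]
    if not tunnel:
        return [f"no routes via {tunnel_if}: is the VPN connected?"]
    for r in tunnel:
        if r.dst.prefixlen == 0:
            findings.append("default route via tunnel: this is a full tunnel, not split")
        elif not r.dst.is_private:
            findings.append(f"public prefix {r.dst} routed via tunnel")
        elif not any(r.dst.version == e.version and r.dst.subnet_of(e) for e in expected):
            findings.append(f"prefix {r.dst} via tunnel is not in the policy destinations")
    for e in expected:
        if not any(r.dst.version == e.version and e.subnet_of(r.dst) for r in tunnel):
            findings.append(f"expected internal prefix {e} is not routed via tunnel")
    return findings


def live_routes() -> list[Route]:
    """Read the real routing table (Linux only) for use outside the constructed samples."""
    out = subprocess.run(["ip", "route"], capture_output=True, text=True, check=True).stdout
    return parse_routes(out)


if __name__ == "__main__":
    for name, sample in (("split", SAMPLE_SPLIT), ("full", SAMPLE_FULL_TUNNEL), ("leak", SAMPLE_PUBLIC_LEAK)):
        print(name, check_split_tunnel(parse_routes(sample)) or "OK")
```

Run it with the constructed samples as shown, or replace `parse_routes(sample)` with `live_routes()` on a connected client; a non-empty finding list means the routes the client received do not match the policy-destination split tunnel the FortiGate is supposed to push.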
High Availability Architecture via DNS Failover
To maintain service availability, we run two active-active redundant VPN servers, each reachable under its own DNS name, with DNS failover across the public IPs of each server.
- The redundant VPN setup consists of two FortiGate devices acting as VPN servers, each with a different domain:
- jkt.domain.com (Location: Jakarta)
- blr.domain.com (Location: Bangalore)
- Each domain resolves to several public IPs of that site’s FortiGate, ordered by priority in the DNS manager. Health checks periodically ping each IP; when the primary stops responding, the DNS manager answers with the secondary. Two caveats apply to this mechanism: clients keep a cached answer until the record’s TTL expires, so the TTL bounds how quickly a failover takes effect, and an ICMP check only proves the device is reachable, not that the SSL VPN listener is accepting connections.
- In an emergency situation that causes jkt.domain.com to fail completely, employees can use blr.domain.com to continue accessing the internal system for operational purposes.
- As an additional emergency scenario, an AWS-based VPN connection is available, activated only if both main servers (Jakarta and Bangalore) fail simultaneously. Given their geographically distant locations, this occurrence is highly unlikely, but it is prepared for business continuity purposes.
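The selection logic of the failover described above, as an added example that is not code from the original post, from Fortinet, or from any DNS provider: each site’s hostname maps to several public IPs with a priority, the answer is the highest-priority IP whose health check passes, and the continuity order Jakarta, then Bangalore, then AWS decides which hostname employees should use when a whole site is down. The probe checks the SSL VPN listener over TCP instead of ICMP. Hostnames, IPs, the probe port and the AWS address are assumptions, and the outage scenarios in the demonstration are constructed rather than measured.

```python
"""Health-checked gateway selection modelling the DNS failover described above.

Added example; not code from the original post, from Fortinet, or from any DNS
provider. A site's hostname maps to several public IPs with a priority; the DNS
manager answers with the highest-priority IP whose health check passes. The
cross-site order (jkt -> blr -> aws) follows the post. IPs, port and the AWS
address are assumptions; the probe results used below are constructed.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    site: str      # "jkt", "blr" or "aws"
    ip: str
    priority: int  # lower value wins, mirroring the DNS manager's priority


# Assumed topology: two public IPs per FortiGate site plus one AWS fallback.
GATEWAYS = [
    Gateway("jkt", "203.0.113.10", 1),
    Gateway("jkt", "203.0.113.11", 2),
    Gateway("blr", "198.51.100.10", 1),
    Gateway("blr", "198.51.100.11", 2),
    Gateway("aws", "192.0.2.10", 1),
]
SITE_ORDER = ("jkt", "blr", "aws")  # business-continuity order from the post


def tcp_probe(ip: str, port: int = 443, timeout: float = 2.0) -> bool:
    """Probe the SSL VPN listener itself; ICMP can answer while the VPN service is down."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def dns_answer(site, gateways, probe):
    """IP the DNS manager should answer for <site>.domain.com, or None if every IP fails."""
    for gw in sorted((g for g in gateways if g.site == site), key=lambda g: g.priority):
        if probe(gw.ip):
            return gw.ip
    return None


def continuity_site(gateways, probe, order=SITE_ORDER):
    """Hostname employees should use: the first site in <order> with a healthy gateway."""
    for site in order:
        if dns_answer(site, gateways, probe) is not None:
            return site
    return None


def make_probe(down):
    """Constructed probe for offline demonstration: every IP not in `down` is healthy."""
    return lambda ip: ip not in down


if __name__ == "__main__":
    scenarios = (set(), {"203.0.113.10"}, {"203.0.113.10", "203.0.113.11"})
    for outage in scenarios:
        probe = make_probe(outage)
        print(sorted(outage), dns_answer("jkt", GATEWAYS, probe), continuity_site(GATEWAYS, probe))
    # For a live check replace make_probe(...) with tcp_probe.
```

Swap `make_probe(...)` for `tcp_probe` to run against real gateways. Note that even a correct answer here only takes effect for a client after its cached DNS record expires, so keep the record TTL short when relying on this kind of failover.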
Strengthening FortiVPN Security with Single Sign-On (SSO)
Single Sign-On (SSO) in FortiVPN adds an extra layer of security while simplifying user identity management. By integrating authentication with an Identity Provider (IdP), companies are no longer dependent on local credentials that are difficult to manage. Administrators can centrally manage access through IAM systems, ensuring every VPN login is monitored, protected with Multi-Factor Authentication (MFA), and aligned with the organization’s security policies.
The greatest advantage of SSO is the efficiency it brings to employee identity lifecycle management. When a new employee joins, adding their account in the IdP grants VPN access based on their role, provided the IdP group-to-role mapping is configured. Likewise, when an employee resigns, disabling their account in the IdP blocks any new VPN login without manual changes across multiple systems; sessions that are already established should still be terminated on the FortiGate, since disabling the account does not by itself tear them down. With this integration, FortiVPN is not only a secure connectivity solution but also a vital part of an IAM-driven security strategy that safeguards confidentiality, integrity, and business continuity.
Scalability Challenges: Differences in VPN Server Specifications
Implementing two FortiGate servers comes with technical challenges, notably:
- Different maximum active VPN connection capacities: the Bangalore FortiGate (blr.domain.com) supports fewer concurrent clients than the Jakarta one (jkt.domain.com).
- Limited bandwidth at the Bangalore site, requiring connections to be prioritized for divisions handling 24/7 production operations.
In a failover scenario to Bangalore, access redirection is done selectively based on division priorities to ensure production processes continue without disruption.
Conclusion
By combining FortiGate VPN, split tunneling, NAT policies, and DNS-based failover, we are able to establish a secure and resilient access layer for internal operational systems that reduces exposure to both external and internal threats. These measures ensure that only authorized users can connect, internal traffic remains protected, and service availability is maintained even in failure scenarios. The addition of Single Sign-On (SSO) further strengthens this architecture by centralizing identity management, simplifying user lifecycle operations, and integrating security with IAM best practices.
Although scalability challenges remain—such as differences in VPN server specifications and bandwidth constraints between sites—careful prioritization of critical divisions ensures business continuity is preserved. Overall, this layered approach not only enhances the confidentiality, integrity, and availability of internal systems but also supports a scalable and future-ready security framework for operational excellence.
About Halodoc
Halodoc is the number one all-around healthcare application in Indonesia. Our mission is to simplify and deliver quality healthcare across Indonesia, from Sabang to Merauke. Since 2016, Halodoc has been improving health literacy in Indonesia by providing user-friendly healthcare communication, education, and information (KIE). In parallel, our ecosystem has expanded to offer a range of services that facilitate convenient access to healthcare, starting with Homecare by Halodoc as a preventive care feature that allows users to conduct health tests privately and securely from the comfort of their homes; My Insurance, which allows users to access the benefits of cashless outpatient services in a more seamless way; Chat with Doctor, which allows users to consult with over 20,000 licensed physicians via chat, video or voice call; and Health Store features that allow users to purchase medicines, supplements and various health products from our network of over 4,900 trusted partner pharmacies. To deliver holistic health solutions in a fully digital way, Halodoc offers Digital Clinic services including Haloskin, a trusted dermatology care platform guided by experienced dermatologists. We are proud to be trusted by global and regional investors, including the Bill & Melinda Gates Foundation, Singtel, UOB Ventures, Allianz, GoJek, Astra, Temasek, and many more. With over USD 100 million raised to date, including our recent Series D, our team is committed to building the best personalized healthcare solutions — and we remain steadfast in our journey to simplify healthcare for all Indonesians.