FortiOS v3.0 MR7 SSL VPN User Guide
01-30007-0348-20080718

Summary of Contents for FORTIOS V3.0 MR7

Page 1: ...www.fortinet.com FortiOS v3.0 MR7 SSL VPN User Guide USER GUIDE...

Page 2: ...hout prior written permission of Fortinet Inc. Trademarks: ABACAS, APSecure, FortiASIC, FortiAnalyzer, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGuard, FortiGuard Antispam, FortiGuard Antivirus, FortiGu...

Page 3: ...support 12 Configuring a FortiGate SSL VPN 13 Comparison of SSL and IPSec VPN technology 13 Legacy versus web enabled applications 14 Authentication differences 14 Connectivity considerations 14 Rela...

Page 4: ...iguring Web only firewall policies 46 Configuring pass through for port forwarding mode 48 Configuring tunnel mode firewall policies 48 Configuring SSL VPN event logging 50 Monitoring active SSL VPN s...

Page 5: ...Tunnel mode features 80 Working with the ActiveX/Java Platform plug-in 81 Uninstalling the ActiveX/Java Platform plug-in 83 Logging out 83...

Page 7: ...variety of client and server applications. When the FortiGate unit provides services in web-only mode, a secure web connection between the remote client and the FortiGate unit is established using the S...

Page 8: ...level steps for configuring each mode of operation are also included with cross references to underlying procedures This chapter also details the basic administrative tasks needed to support the two...

Page 9: ...or your product model number FortiGate Administration Guide Provides basic information about how to configure a FortiGate unit including how to define FortiGate protection profiles and firewall polici...

Page 10: ...onfigure web only mode and tunnel mode SSL VPN access for remote users through the web based manager FortiGate PPTP VPN User Guide Explains how to configure a PPTP VPN using the web based manager Fort...

Page 11: ...e FortiMail web based email client including how to send and receive email how to add import and export addresses and how to configure message display preferences FortiAnalyzer documentation FortiAnal...

Page 12: ...ument or any Fortinet technical documentation to techdoc@fortinet.com. Customer service and technical support: Fortinet Technical Support provides services designed to make sure that your Fortinet syste...

Page 13: ...erface ssl.root; SSL VPN dropping connections. Comparison of SSL and IPSec VPN technology: The FortiGate unit supports both SSL and IPSec VPN technologies. Each combines encryption and VPN gateway functio...

Page 14: ...tivity considerations: IPSec supports multiple connections to the same VPN tunnel; a number of remote VPN devices effectively become part of the same network. SSL forms a connection between two end point...

Page 15: ...remote users according to user group The user group settings specify whether the connection will operate in web only mode see Web only mode on page 15 or tunnel mode see Tunnel mode on page 17 You can...

Page 16: ...ers and Internet cafés. If the applications on the client computers used by your user community vary greatly, you can deploy a dedicated SSL VPN client to any remote client through its web browser. The S...

Page 17: ...Windows 2000, XP, 2003 or Vista (32- or 64-bit); MacOS X v10.3.9, v10.4 (Tiger) or v10.5 (Leopard); or Linux distributions RedHat, Fedora, Ubuntu, Debian or Suse. Microsoft Internet Explorer 6.0 or later with ActiveX en...

Page 18: ...to Subnet_1 through the VPN For more information see Configuring firewall policies on page 45 If your user community needs access to Subnet_2 you would create a second firewall destination IP address...

Page 19: ...uring user accounts and SSL VPN user groups on page 42 4 Configure the firewall policy and the remaining parameters needed to support the required mode of operation For web only mode operation see Con...

Page 20: ...user. The next time you start the virtual desktop, the encrypted data is removed. Using the SSL VPN Virtual Desktop: On the FortiGate unit GUI, under SSL VPN User Group Options, the Require Virtual Desktop...

Page 21: ...Configuring the SSL VPN client. The FortiGate index page opens. 4 Select v3.0 and then MR7. This takes you to the page with firmware images f...

Page 22: ...s. Figure 2: FortiClient SSL VPN InstallShield Wizard welcome screen. 7 To run the SSL VPN Virtual Desktop application, select Start > All Programs > FortiNet SSL VPN Virtual Desktop > SSL VPN Virtual Desktop. T...

Page 23: ...FortiGate unit replaces the URL with https://FG_IP_address:port_no/proxy/http/specified_URL and the requested page is displayed. 3 To end the session, close the browser window. To ping a host or server beh...
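The page above describes the web-only proxy: the portal rewrites a user-supplied URL into https://FG_IP_address:port_no/proxy/http/specified_URL and fetches the origin on the client's behalf. The following is an added example, not Fortinet code, that models that rewrite in both directions and adds the check a practitioner wants on a proxy of this kind: the origin host must be one the administrator actually published. Only the URL shape comes from the guide; the exact encoding of the target, the FortiGate address and port, the allow-list and the helper names are assumptions for illustration.

```python
"""Rewrite a URL into the web-only proxy form and parse it back with an allow-list.

Added example (not Fortinet code). Only the shape
https://FG_IP_address:port_no/proxy/http/specified_URL comes from the guide;
the target encoding, addresses, allow-list and helper names are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit

FG_ADDRESS = "172.20.120.122"   # assumed public address of the FortiGate unit
FG_PORT = 10443                 # assumed SSL VPN login-page port

# Constructed allow-list: the bookmark hosts the administrator has published.
ALLOWED_HOSTS = {"intranet.example.com", "10.10.10.10"}


def to_portal_url(target: str, fg_addr: str = FG_ADDRESS, port: int = FG_PORT) -> str:
    """Return the proxied form of `target` as the web portal would request it."""
    parts = urlsplit(target if "://" in target else "http://" + target)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https can be proxied")
    if not parts.hostname:
        raise ValueError("target URL has no host")
    # Assumed encoding: the scheme becomes a path segment, host and path follow.
    rest = urlunsplit(("", "", parts.path or "/", parts.query, ""))
    return f"https://{fg_addr}:{port}/proxy/{parts.scheme}/{parts.netloc}{rest}"


def from_portal_url(portal_url: str, fg_addr: str = FG_ADDRESS, port: int = FG_PORT) -> str:
    """Recover the origin URL from a proxied one, refusing hosts not on the allow-list."""
    parts = urlsplit(portal_url)
    if parts.scheme != "https" or parts.hostname != fg_addr or parts.port != port:
        raise ValueError("not a URL for this portal")
    pieces = parts.path.split("/", 4)   # ['', 'proxy', scheme, netloc, rest-of-path]
    if len(pieces) < 4 or pieces[1] != "proxy" or pieces[2] not in ("http", "https"):
        raise ValueError("malformed proxy path")
    scheme, netloc = pieces[2], pieces[3]
    origin_path = "/" + pieces[4] if len(pieces) == 5 else "/"
    host = urlsplit(f"//{netloc}").hostname
    if host not in ALLOWED_HOSTS:
        # Without this check the portal is an open proxy into the protected network.
        raise PermissionError(f"{host} is not a published bookmark")
    return urlunsplit((scheme, netloc, origin_path, parts.query, ""))


def is_permitted(portal_url: str) -> bool:
    """True if the proxied URL is well formed and its origin host is published."""
    try:
        from_portal_url(portal_url)
        return True
    except (ValueError, PermissionError):
        return False


if __name__ == "__main__":
    u = to_portal_url("http://intranet.example.com/wiki/page?x=1")
    print(u, "->", from_portal_url(u))
    print(is_permitted("https://172.20.120.122:10443/proxy/http/evil.example.net/"))
```

The allow-list is the point: the guide's bookmark list tells users where to go, but a proxy that honours any host typed into the portal also lets an authenticated user (or anyone holding that user's session) reach hosts the bookmarks never mentioned.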

Page 24: ...the Fortinet Technologies home page at http://support.fortinet.com and select Support. 2 Under Support, enter your user name and password. This takes you to the Fortinet customer support site. 3 Select Fir...

Page 25: ...This takes you to the page with firmware images for MR7. 5 Select SSL VPN Clients. 6 To download the SSL VPN Windows client application, select FortiClientSSLVPNSetup_3...

Page 26: ...ect FortiClient SSL VPN and then Remove. Server Address: Enter the IP address of the server you need to access. Username: Enter your user name. Password: Enter the password associated with your user account...

Page 27: ...he SSL VPN standalone tunnel client (Linux). 1 Go to the Fortinet Technologies home page at http://support.fortinet.com and select Support. 2 Under Support, enter your user name and password. This takes you t...

Page 28: ...package file to a folder and run the client program forticlientsslvpn. When you run the install program for the first time, you will have to set up system parameters (root privileges) before you run the...

Page 29: ...SL VPN client. The FortiClient SSL VPN tunnel client (Linux) opens. After this initial setup is complete, a user with a normal (non-administrator)...

Page 30: ...nto and double-click on forticlientsslvpn. The FortiClient SSL VPN tunnel client (Linux) opens. Server: Enter the IP address of the server you need to access. User: Enter your user name. Password: Enter the pa...

Page 31: ...This takes you to the Fortinet customer support site. 3 Select Firmware Images and then FortiGate. The FortiGate index page opens. Use Client Certificate (A PKCS#12 File). File Path: Enter the path to the ce...

Page 32: ...nt application, double-click on the client file forticlientsslvpn_macosx_3.0.384.dmg. The Mac mounts the disk image as forticlientsslvpn. 7 Double-click the forticlientsslvpn.pkg file inside the disk ima...

Page 33: ...l client (MacOS). 1 Go to the Applications folder and double-click on forticlientsslvpn. The FortiClient SSL VPN tunnel client (MacOS) opens. To uninstall the SSL VPN standalone tunnel client (MacOS): 2 In the...

Page 34: ...te Management User Guide. In addition to setting these preferences on the VPN > SSL > Config page, you may choose to modify the following system settings. The FortiGate unit redirects web browsers to the web...

Page 35: ...ant to enable the use of group certificates for authenticating remote clients, select the option. Afterward, when the remote client initiates a connection, the FortiGate unit prompts the client for its cl...

Page 36: ...rom 10 to 28800 seconds. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up. See Setting the idle timeout setting. Portal Message...

Page 37: ...rtiGate unit supports a range of cryptographic cipher suites to match the capabilities of various web browsers. The web browser and the FortiGate unit negotiate a cipher suite before any information fo...

Page 38: ...fig. 2 Select the blue triangle to open the Advanced section. 3 Enter the IP addresses of one or two DNS Servers to be provided for the use of clients. 4 Enter the IP addresses of one or two WINS Servers...

Page 39: ...produces unexpected results, you can restore the text to the original version. To edit the HTML code: 1 Go to System > Config > Replacement Messages. 2 Expand the SSL VPN row and select the Edit icon that cor...

Page 40: ...RADIUS, LDAP or PKI user accounts, refer to the User chapter of the FortiGate Administration Guide. For information about certificate authentication, see the FortiGate Certificate Management User Guide. To...

Page 41: ...a time, select user names from the Available Users/Groups list and select the right-pointing arrow to move them to the Members list. 5 Select the blue triangle to expand the SSL VPN User Group Options. 6...

Page 42: ...ns determine whether the FortiClient Host Security application or other antivirus/firewall applications are running on the client computer before a tunnel is established. The host checking function is...

Page 43: ...web page into the Redirect URL field. 14 To display a custom web portal home page caption for this group, enter the message in the Customize portal message for this group field. Note: This custom message...

Page 44: ...ses or the private IP address of a server or host. Tunnel mode: The source address corresponds to the public IP address that can be connected to the FortiGate unit. This address is used to restrict who c...

Page 45: ...SL VPN SSL Client Certificate Restrictive: Select to allow traffic generated by holders of a shared group certificate, for example a user group containing PKI peers/users. The holders of the group certif...

Page 46: ...unit. Define a firewall policy to support tunnel mode operations. A firewall policy specifies the originating (source) IP address of a packet, and the destination address defines the IP address of the int...

Page 47: ...twork. 5 Select OK. To define the firewall policy for tunnel mode operations: 1 Go to Firewall > Policy and select Create New. 2 Enter these settings. Note: To provide access to a single host or server, you wo...

Page 48: ...use any cipher suite, select Any. To use a 164-bit or greater cipher suite, select High (>= 164). To use a 128-bit or greater cipher suite, select Medium (>= 128). User Authentication Method: Select one of the follow...
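Pages 37 and 48 describe the cipher-suite negotiation and the three strength settings the portal offers (Any, High >= 164, Medium >= 128). The following is an added example, not Fortinet code, showing how to map those settings onto the suites a local OpenSSL build actually offers and to build a client context that refuses anything below the chosen threshold, so a client-side check can be lined up with the portal's policy. Only the three setting names and their bit thresholds come from the guide; the policy table, the helper names and the use of Python's ssl module are assumptions.

```python
"""Apply the portal's Any / Medium (>=128) / High (>=164) cipher policy to the
suites the local OpenSSL build offers.

Added example (not Fortinet code). The three setting names and thresholds come
from the guide; the helper names and the use of Python's ssl module are
assumptions.
"""
import ssl
from typing import List, Tuple

# Minimum symmetric key strength for each portal setting (from the guide).
POLICY_MIN_BITS = {"any": 0, "medium": 128, "high": 164}


def select_cipher_suites(policy: str) -> List[Tuple[str, int]]:
    """Return (name, strength_bits) for every suite the local OpenSSL build offers
    that meets the policy threshold, strongest first.

    strength_bits is OpenSSL's effective strength, so 3DES (168-bit key) is
    reported as 112 and therefore fails even the Medium policy here.
    """
    min_bits = POLICY_MIN_BITS[policy.lower()]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Start from every suite that still authenticates and encrypts; the policy
    # threshold below is what narrows the list.
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    suites = [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()
              if c["strength_bits"] >= min_bits]
    return sorted(suites, key=lambda s: (-s[1], s[0]))


def client_context(policy: str) -> ssl.SSLContext:
    """Build a client context whose TLS 1.2 suites are limited to the policy.

    TLS 1.3 suite names (TLS_*) are not accepted by set_ciphers() and cannot be
    filtered this way; all of them are at least 128-bit, so only the High
    policy is affected, and that caveat is left visible rather than hidden.
    """
    allowed = [name for name, _bits in select_cipher_suites(policy)
               if not name.startswith("TLS_")]
    if not allowed:
        raise ValueError(f"no TLS 1.2 suite satisfies policy {policy!r}")
    ctx = ssl.create_default_context()
    ctx.set_ciphers(":".join(allowed))
    return ctx


if __name__ == "__main__":
    for policy in ("any", "medium", "high"):
        names = select_cipher_suites(policy)
        print(f"{policy:>6}: {len(names)} suites, weakest {min(b for _, b in names)} bits")
    client_context("high")
```

The useful comparison is between the Medium and High lists: whatever the portal setting, the browser still chooses only from what it supports, so a client pinned to the High list is the only way to be sure a session is not negotiated down to a 128-bit suite the administrator never intended.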

Page 49: ...ttings in the top row to meet your requirements. Log messages are displayed beneath the top row. Monitoring active SSL VPN sessions: You can display a list of all active SSL VPN sessions. The list display...

Page 50: ...work. To use the web portal applications, you add the URL, IP address or name of the server application to the Bookmarks list. The bookmarks are available when the user starts an active SSL VPN session. Vi...

Page 51: ...om the drop-down list: Web, Telnet, FTP, SMB/CIFS, VNC, RDP, SSH. URL/Host/Folder: Type the information that the FortiGate unit needs to forward client requests to the correct server application or network ser...

Page 52: ...VPN > SSL > Bookmark Group. Figure 10: Bookmark Group list. See also: Configuring SSL VPN settings; Monitoring active SSL VPN sessions; Configuring SSL VPN bookmarks and bookmark groups; Viewing the SSL VPN book...

Page 53: ...available to the SSL VPN users in the selected SSL VPN user group. Figure 12: Assigning a bookmark group to a user. Name: Type the name of the bookmark group. The name is displayed in the Bookmark Group li...

Page 54: ...1.1.1 set sslvpn-tunnel-endip 10.1.1.10 set sslvpn-webapp enable set sslvpn-os-check enable config sslvpn-os-check-list windows-2000 set action check-up-to-date set latest-patch-level 3 Variable Desc...
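Page 42 describes the host check (is FortiClient Host Security or another antivirus/firewall application running before a tunnel is established) and page 54 shows the OS check configured per operating system (for windows-2000, action check-up-to-date with latest-patch-level 3). The following is an added example, not Fortinet code, that evaluates both checks against a client report the way the gateway must before admitting a tunnel-mode client. The keywords sslvpn-os-check-list, check-up-to-date and latest-patch-level mirror the guide's CLI excerpt; the allow/deny action names, the fail-closed handling of an operating system with no rule, the report format and the helper names are assumptions.

```python
"""Evaluate the pre-tunnel host check and OS patch-level check.

Added example (not Fortinet code). The keywords sslvpn-os-check-list,
check-up-to-date and latest-patch-level mirror the guide's CLI excerpt; the
allow/deny action names, fail-closed handling, report format and helper
names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class OsCheckRule:
    action: str                  # "allow", "deny" or "check-up-to-date" (assumed names)
    latest_patch_level: int = 0  # service pack required by check-up-to-date


@dataclass
class HostCheckPolicy:
    require_av: bool = False
    require_firewall: bool = False
    os_check: Dict[str, OsCheckRule] = field(default_factory=dict)


@dataclass
class ClientReport:
    """Constructed sample of what the host-check plug-in reports about the client."""
    os_name: str
    service_pack: int
    av_running: bool
    firewall_running: bool


def evaluate(policy: HostCheckPolicy, report: ClientReport) -> List[str]:
    """Return the reasons to refuse the tunnel; an empty list means admit."""
    reasons = []
    if policy.require_av and not report.av_running:
        reasons.append("antivirus not running")
    if policy.require_firewall and not report.firewall_running:
        reasons.append("personal firewall not running")
    rule = policy.os_check.get(report.os_name)
    if rule is None:
        # Assumed behaviour: an operating system with no rule gets no tunnel.
        reasons.append(f"no os-check rule for {report.os_name}")
    elif rule.action == "deny":
        reasons.append(f"{report.os_name} is denied by policy")
    elif rule.action == "check-up-to-date":
        if report.service_pack < rule.latest_patch_level:
            reasons.append(f"{report.os_name} SP{report.service_pack} is below "
                           f"required SP{rule.latest_patch_level}")
    elif rule.action != "allow":
        reasons.append(f"unknown action {rule.action!r}")
    return reasons


# Policy following the guide's CLI excerpt, plus an AV/firewall requirement.
POLICY = HostCheckPolicy(
    require_av=True,
    require_firewall=True,
    os_check={
        "windows-2000": OsCheckRule("check-up-to-date", latest_patch_level=3),
        "windows-xp": OsCheckRule("check-up-to-date", latest_patch_level=2),
        "windows-vista": OsCheckRule("allow"),
    },
)

if __name__ == "__main__":
    for r in (ClientReport("windows-2000", 4, True, True),
              ClientReport("windows-2000", 2, True, True),
              ClientReport("windows-xp", 3, False, True),
              ClientReport("linux", 0, True, True)):
        print(r.os_name, "SP", r.service_pack, "->", evaluate(POLICY, r) or ["admit"])
```

Every input to this decision is asserted by the client's own plug-in, so the host and OS checks are a hygiene control that keeps well-meaning but unpatched machines off the network; they are not a boundary against a client that lies about its patch level, and the firewall policies on the pages that follow are what actually limit the damage such a client can do.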

Page 55: ...dstintf external set srcaddr all set dstaddr 172.18.8.0/24 set action ssl-vpn set schedule always set service ANY set groups g1 next end. Granting unique access permissions for SSL VPN tunnel user grou...

Page 56: ...ps, in this case 10.1.1.1-10.1.1.100. Figure 14: Enable SSL VPN Settings. After enabling SSL VPN, you must create the users and then the user groups that require SSL VPN tunnel mode access. Go to User > Local...

Page 57: ...ttributes. After you create the user groups, you need to define the firewall policies to support tunnel mode operations. The firewall policy specifies the originating (source) IP address of a packet and th...

Page 58: ...stination firewall addresses: Public IP. Figure 18: Source/destination firewall addresses: Linux/Windows PC. After creating the source and destination addresses, go to Firewall > Policy to create the firewall...

Page 59: ...Figure 19: user1 firewall policy. The user2 policy is also an SSL VPN firewall policy that includes the applicable source and destination addresses and has group2 a...

Page 60: ...rs in the firewall policy interface lists and static route interface lists. The ssl.root interface allows remote user access to additional networks. For example, the interface facilitates the remote user...

Page 61: ...vpn; Authentication: ssl user group(s). Inbound access policy: Source: ssl.root; Source address: ip address of remote client; Destination: internal; Destination address: internal subnet; Action: accept; Authenticati...
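Pages 55 to 61 build the two kinds of policy that tunnel mode needs: an ssl-vpn policy per user group whose destination address limits what that group may reach (user1/group1 to the Linux PC, user2/group2 to the Windows PC), and an inbound policy from ssl.root to internal that lets the tunnelled packets through. The following is an added example, not Fortinet code, that evaluates a flow against such a table top-down, first match wins, so the effect of the per-group destination addresses and of the ssl.root policy's scope can be checked before the configuration is committed. Interface and group names and the 172.18.8.0/24 address come from the guide's own examples; the host addresses, the tunnel IP range and the evaluation helper are assumptions.

```python
"""First-match evaluation of per-group SSL VPN policies and the ssl.root policy.

Added example (not Fortinet code). ssl.root, internal, external, g1,
group1/group2 and 172.18.8.0/24 come from the guide; the host addresses,
tunnel range and helper names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, FrozenSet


@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    srcaddr: str                      # "all" or a CIDR (assumed address-object convention)
    dstaddr: str
    action: str                       # "ssl-vpn" or "accept"
    groups: FrozenSet[str] = frozenset()   # user groups an ssl-vpn policy applies to


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    groups: FrozenSet[str] = frozenset()   # groups of the authenticated SSL VPN user


def _addr_match(obj: str, ip: str) -> bool:
    return obj == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(obj, strict=False)


def first_match(policies: Iterable[Policy], flow: Flow) -> Optional[Policy]:
    """Return the first policy whose interfaces, addresses and, for an ssl-vpn
    policy, user group all match; None means the flow is dropped."""
    for p in policies:
        if p.srcintf != flow.srcintf or p.dstintf != flow.dstintf:
            continue
        if not (_addr_match(p.srcaddr, flow.src) and _addr_match(p.dstaddr, flow.dst)):
            continue
        if p.action == "ssl-vpn" and not (p.groups & flow.groups):
            continue
        return p
    return None


def is_permitted(flow: Flow, policies: Iterable[Policy] = None) -> bool:
    return first_match(POLICIES if policies is None else policies, flow) is not None


# Constructed policy table following the guide's pattern: one ssl-vpn policy per
# group with its own destination, then the inbound policy from ssl.root.
POLICIES = [
    Policy("external", "internal", "all", "10.0.0.10/32", "ssl-vpn", frozenset({"group1"})),  # user1 -> Linux PC
    Policy("external", "internal", "all", "10.0.0.20/32", "ssl-vpn", frozenset({"group2"})),  # user2 -> Windows PC
    Policy("external", "internal", "all", "172.18.8.0/24", "ssl-vpn", frozenset({"g1"})),
    # Tunnel traffic: source limited to the tunnel IP range, not "all".
    Policy("ssl.root", "internal", "10.1.1.0/24", "10.0.0.0/8", "accept"),
]

if __name__ == "__main__":
    user1 = Flow("external", "internal", "203.0.113.5", "10.0.0.10", frozenset({"group1"}))
    user2 = Flow("external", "internal", "203.0.113.6", "10.0.0.10", frozenset({"group2"}))
    tunnel = Flow("ssl.root", "internal", "10.1.1.7", "10.0.0.10")
    for f in (user1, user2, tunnel):
        print(f.groups or f.srcintf, "->", f.dst, ":", first_match(POLICIES, f))
```

The group restriction lives only in the ssl-vpn policies; the ssl.root policy sees no user identity at all, which is why its source address should be the tunnel IP range the guide configures (10.1.1.1 to 10.1.1.100 in its example) and its destination the smallest subnet that will do, rather than the "all" that is tempting when the tunnel first refuses to pass traffic.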

Page 62: ...e tunnel will start up for a few seconds, then shut down. This issue occurs when there are multiple interfaces connected to the Internet, for example a dual-WAN configuration. To resolve this issue, upgrad...

Page 65: ...installation to the next. If required, ask your FortiGate administrator for the URL of the FortiGate unit and obtain a user name and password. In addition, if you will be using a personal or group securi...

Page 66: ...er name and password. In the Name field, type your user name. In the Password field, type your password. 5 Select Login. The FortiGate unit will redirect your web browser to the FortiGate SSL VPN Remote Acc...

Page 67: ...ut you cannot change them. Also, you can create your own hyperlinks to frequently accessed server applications and start any session from the home page through these hyperlinks. See Launching web portal...

Page 68: ...omputing servers enable you to remotely control another computer, for example accessing work from your home computer. RDP (Remote Desktop Protocol) servers have a multi-channel protocol that allows users...

Page 69: ...bscuration in config vpn ssl settings. Adding a bookmark to the My Bookmarks list: You can add a list of frequently used connections to the web portal home page. Afterward, select any hyperlink from the M...

Page 70: ...NC, RDP, SSH. URL, Host Name/IP or Shared File Folder: Type the information that the FortiGate unit needs to forward client requests to the correct server application or network service. If the application...

Page 71: ...In the Host Name/IP field, type the IP address of the telnet host, for example 10.10.10.10. 5 Select OK. 6 To start a telnet session, select the hyperlink that you created. 7 Select Connect. 8 A telnet sess...

Page 72: ...elect Add Bookmark. 2 In the Title field, type a name to represent the connection. 3 From the Application Type list, select FTP. 4 In the Shared File Folder field, type the IP address of the FTP host as a r...

Page 73: ...or subdirectory from the current directory, select Delete. To rename a file in the current directory, select Rename. To upload a file from the remote directory to the current directory on your client comp...

Page 74: ...he view enables you to navigate through the file system and manipulate files in the following ways. To download a file from the current directory, select the file link in the Name column. To create a sub...

Page 75: ...represent the connection. 3 From the Application Type list, select VNC. 4 In the Host Name/IP field, type the IP address of the VNC host, for example 10.10.10.10. 5 Select OK. 6 To start a VNC session, select...

Page 76: ...n. The format to enter the setting in RDP to Host is yourserver.com m fr, where fr selects French as the Windows environment. Select the code that matches your local installation of Windows, for example i...

Page 77: ...og in to the remote host, type your user name and password. You must have a user account on the remote host to log in. 9 Select Login. 10 To end the RDP session, select Logout. Note: The FortiGate unit may o...

Page 78: ...select SSH. 4 In the Host Name/IP field, type the IP address of the SSH host, for example 192.168.1.3. 5 Select OK. 6 To start an SSH session, select the hyperlink that you created. 7 Select Connect. Note: The...

Page 79: ...y series of valid commands at the system prompt. 9 To end the session, select Disconnect or type exit, and then close the SSH connection window. See also: Connecting to the FortiGate unit; Web portal home p...

Page 80: ...can be reached or not is displayed. To start a telnet session from the Tools area: 1 In the Telnet to Host field, type the IP address of the telnet host, for example 192.168.5.238. 2 Select Go. 3 Select Con...

Page 81: ...l Link Status: The state of the SSL VPN tunnel. Up is displayed when an SSL VPN tunnel with the FortiGate unit has been established; Down is displayed when a tunnel connection has not been initiated. Byte...

Page 82: ...initiate a VPN tunnel with the FortiGate unit. The IP address of the public FortiGate interface and the TCP port number through which SSL VPN connections are made are displayed in the Server IP field...

Page 83: ...p the SSL VPN session and disconnect from the FortiGate unit, select Disconnect. You must log out from the web portal to disconnect from the FortiGate unit; see Logging out. You can use the Connect button...

Page 85: ...abling SSL VPN 36 connectivity testing for 24 80 customer service 12 D deployment topology 19 documentation commenting on 12 Fortinet 9 downloading Linux client 28 MacOS client 32 Windows client 25 E...

Page 86: ...lient 32 downloading Windows client 25 enabling connections 36 event logging 50 host OS patch check 56 introduction to FortiGate 7 modes of operation 7 monitoring sessions 51 setting the cipher suite...

Page 87: ...tion to home page 40 applications 68 customizing login page 41 Fortinet SSL VPN Client area 80 82 home page features 66 redirecting to popup window 40 setting login page port number 38 Tools area 68 t...
