Configuring a FortiGate SSL VPN: SSL VPN modes of operation
FortiOS v3.0 MR7 SSL VPN User Guide (01-30007-0348-20080718), page 15
SSL VPNs provide secure access to certain applications. Web-only mode
provides remote users with access to server applications from any thin client
computer equipped with a web browser. Tunnel-mode provides remote users with
the ability to connect to the internal network from laptop computers as well as
airport kiosks, Internet cafes, and hotels. Access to SSL VPN applications is
controlled through user groups.
Session failover support
In a FortiGate high availability (HA) cluster with session pickup enabled, session
failover is supported for IPSec VPN tunnels. After an HA failover, IPSec VPN
tunnel sessions will continue with no loss of data.
Session failover is not supported for SSL VPN tunnels; however, cookie failover is
supported for communication between the SSL VPN client and the FortiGate unit.
This means that after a failover, the SSL VPN client can re-establish the SSL VPN
session without having to authenticate again. However, all sessions inside the
SSL VPN tunnel with resources behind the FortiGate unit will stop, and will
therefore have to be restarted.
SSL VPN modes of operation
When a remote client connects to the FortiGate unit, the FortiGate unit
authenticates the user based on user name, password, and authentication
domain. A successful login determines the access rights of remote users
according to user group. The user group settings specify whether the connection
will operate in web-only mode (see “Web-only mode” on page 15) or tunnel mode
(see “Tunnel mode” on page 17).
You can enable a client integrity checker to scan the remote client. The integrity
checker probes the remote client computer to verify that it is “safe” before access
is granted. Security attributes recorded on the client computer (for example, in the
Windows registry, in specific files, or held in memory due to running processes)
are examined and uploaded to the FortiGate unit.
You can enable a cache cleaner to remove any sensitive data that would
otherwise remain on the remote computer after the session ends. For example, all
cache entries, browser history, cookies, encrypted information related to user
authentication, and any temporary data generated during the session are
removed from the remote computer. If the client’s browser cannot install and run
the cache cleaner, the user is not allowed to access the SSL VPN portal.
Web-only mode
Web-only mode provides remote users with a fast and efficient way to access
server applications from any thin client computer equipped with a web browser.
Web-only mode offers true clientless network access using any web browser that
has built-in SSL encryption and the Sun Java runtime environment.
Support for SSL VPN web-only mode is built into the FortiOS operating system.
The feature comprises an SSL daemon running on the FortiGate unit, and a web
portal, which provides users with access to network services and resources
including HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP and SSH.