FortiOS v3.0 MR7 SSL VPN User Guide

4

01-30007-0348-20080718

Contents

Configuring SSL VPN settings .......................................................................  36

Enabling SSL VPN connections and editing SSL VPN settings  ................  36

Specifying a port number for web portal connections  ................................  38

Specifying an IP address range for tunnel-mode clients ............................  38

Enabling strong authentication through security certificates  ......................  39

Specifying the cipher suite for SSL negotiations ........................................  39

Setting the idle timeout setting  ...................................................................  40

Setting the client authentication timeout setting .........................................  40

Adding a custom caption to the web portal home page  .............................  40

Adding WINS and DNS services for clients ................................................  40

Redirecting a user group to a popup window .............................................  40

Customizing the web portal login page  ......................................................  41

Configuring user accounts and SSL VPN user groups ...............................  42

Configuring firewall policies ..........................................................................  45

Configuring firewall addresses  ............................................................  46

Configuring Web-only firewall policies..................................................  46

Configuring pass through for port-forwarding mode .............................  48

Configuring tunnel-mode firewall policies ............................................  48

Configuring SSL VPN event-logging  ............................................................  50

Monitoring active SSL VPN sessions  ...........................................................  51

Configuring SSL VPN bookmarks and bookmark groups...........................  52

Viewing the SSL VPN bookmark list ...........................................................  52

Configuring SSL VPN bookmarks ...............................................................  53

Viewing the SSL VPN Bookmark Groups list ..............................................  54

Configuring SSL VPN bookmark groups.....................................................  54

Assigning SSL VPN bookmark groups to SSL VPN users .........................  55

SSL VPN host OS patch check.......................................................................  56

Configuration Example .........................................................................  56

Granting unique access permissions for SSL VPN tunnel user groups....  57

Sample configuration for unique access permissions with tunnel mode user groups ..........  58

SSL VPN virtual interface (ssl.root) ...............................................................  62

SSL VPN dropping connections ....................................................................  64

Working with the web portal ...........................................................  65

Connecting to the FortiGate unit  ..................................................................  65

Web portal home page features  ....................................................................  66

Launching web portal applications  ..............................................................  68

URL re-writing.......................................................................................  68

Adding a bookmark to the My Bookmarks list  ............................................  69

Starting a session from the Tools area  ........................................................  80
