SSL VPN
SSL is an easy-to-use, application-level, network-independent method of ensuring private communication over the Internet. Commonly used to protect the privacy of online shopping payments, customers' web browsers can almost transparently switch to using SSL for secure communication without customers being required to do any SSL-related configuration or to have any extra SSL-related software. SSL protection can also be applied to secure communication over the Internet between client PCs and a remote network using SSL VPN.

For basic SSL VPN functionality, all a user needs to do to access an SSL VPN is to browse to the IP address of a FortiGate unit configured for SSL VPN. The users do not require any special SSL VPN software or configuration since SSL in the form of HTTPS is automatically enabled by most web browsers. The FortiGate SSL VPN configuration requires an SSL VPN web portal for SSL VPN users to log into, the addition of a user authentication configuration to allow SSL VPN users to log in, and then the creation of SSL VPN security policies that control the source and destination access of SSL VPN users. SSL VPN security policies can also apply UTM and other security features to all SSL VPN traffic. FortiASIC processors can accelerate SSL VPN encryption, optimizing SSL VPN performance for a large user base.

Additional SSL VPN features are available, including tunnel mode, virtual desktop for enhanced endpoint protection, and endpoint security checks. These features are supported for SSL VPN clients that can be downloaded automatically by SSL VPN users after logging into the SSL VPN portal. Users can also download Fortinet SSL VPN clients to access these additional SSL VPN features without logging into an SSL VPN portal. Fortinet supports SSL VPN clients for many PC and mobile platforms.
This chapter includes the following SSL VPN examples:
- Setting up remote web browsing for internal sites through SSL VPN
- Using SSL VPN to provide protected Internet access for remote users
- SSL VPN split tunneling: Using SSL VPN to provide protected Internet access and access to head office servers for remote users
- Verifying that SSL VPN users have the most recent AV software before they can log into the SSL VPN
Setting up remote web browsing for internal sites through SSL VPN
Problem
You want to provide remote users the ability to access corporate internal sites and specific company-related external sites.
Solution
Using SSL VPN you can create a web portal that, when the remote user connects, shows a list of links to internal servers and web sites.

Creating a firewall address for the email server

Create a firewall address for the email server.
1. To add the email server address, go to Firewall Objects > Address > Address, select Create New and enter the email server address:
   Address Name: Email Server
   Type: Subnet / IP Range
   Subnet / IP Range: 192.168.1.12
   Interface: Internal
2. Select OK.
Creating the web portal

Create the SSL VPN portal and a bookmark for the email server that the user connects to after logging in.
1. Go to VPN > SSL > Config and for IP Pools select Edit and add twhite to the Selected table.
2. Go to VPN > SSL > Portal and select Create New to create the portal:
   Name: Internal_company_sites_portal
   Applications: HTTP/HTTPS
   Portal Message: Internal Company sites
3. Select OK to close the Edit Settings window.
4. On the default web portal delete the Bookmarks widget by selecting its Remove icon (looks like an X).
5. On the Add Widget on the right of the default portal select Bookmarks.
6. In the new Bookmarks widget select the Edit icon (looks like a pencil).
7. Optionally edit the Name and make sure Applications is set to HTTP/HTTPS.
8. Select OK in the Bookmarks widget.
9. In the Bookmarks widget select Add and create a bookmark to link the email server web page:
   Name: Email
   Type: HTTP/HTTPS
   Location: https://mail.company.com
   Description: Corporate email system
10. Select OK at the bottom of the Bookmarks widget.
11. Select Apply at the top of the web portal page to save the web portal configuration.
Adding and working with web portal widgets can be confusing and produce unexpected results. Always select Apply at the top of the web portal page after making a change. When you have completed making changes, navigate to another web-based manager page and then navigate back to the web portal to make sure your changes were saved.
Creating an SSL VPN user and user group

Create the SSL VPN user and add the user to a user group configured for SSL VPN use.
1. Go to User > User > User and select Create New to add the user:
   User Name: twhite
   Password: password
2. Select OK.
3. Go to User > User Group > User Group and select Create New to add twhite to the SSL VPN user group:
   Name: Sales
   Type: Firewall
   Allow SSL-VPN Access: Internal_company_sites_portal
Make sure you select the Allow SSL-VPN Access option and that you also select the SSL VPN web portal that the members of this user group connect to. If not selected, the Sales user group will not appear in the group list when configuring the SSL VPN authentication security policy.
Creating an SSL VPN security policy

Create an SSL VPN security policy with SSL VPN user authentication.
1. Go to Policy > Policy > Policy and select Create New to add the SSL VPN security policy:
   Source Interface/Zone: wan1
   Source Address: all
   Destination Interface/Zone: internal
   Destination Address: Email
   Action: SSL-VPN
2. Select Configure SSL-VPN Users and select Add to add an authentication rule for remote SSL VPN users:
   Selected User Groups: Sales
   Selected Services: HTTP, HTTPS
   Schedule: always
If the Sales user group does not appear in the User Group list, ensure you selected the Allow SSL-VPN Access option when creating the user group. If that option is not selected, the Sales user group will not appear in the group list when configuring the authentication security policy.
3. Select OK.
Results
To verify the setup works:
1. From the Internet, browse to https://172.20.120.136:10443/remote/login.
2. Log in to the web portal:
   Name: twhite
   Password: password
3. The portal launches a new window that displays the email server website.
4. From the FortiGate web-based manager go to VPN > Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN.
5. From the FortiGate web-based manager, go to Policy > Monitor > Session Monitor to view the session information for the SSL connection. Because of the internal nature of the SSL connection, the source address appears as 0.0.0.0 and the destination is the internal home address of 224.0.0.1.
You can also use the diagnose debug application sslvpn -1 command to debug this configuration as described in Debugging FortiGate configurations on page 139.
Using SSL VPN to provide protected Internet access for remote users
Problem
You want to provide remote users the ability to access the Internet while travelling, and ensure that they are not subjected to malware and other dangers by using the corporate firewall to filter all of their Internet traffic.
Solution
Watch the video: http://docs.fortinet.com/cb/ssl1.html

Using SSL VPN and FortiClient SSL VPN software, you create a means to use the corporate FortiGate to browse the web safely.

Creating an SSL VPN IP pool and SSL VPN web portal
1. Go to VPN > SSL > Config and for IP Pools select Edit and add SSLVPN_TUNNEL_ADDR1 to the Selected table.
2. Create the SSL VPN portal by going to VPN > SSL > Portal and selecting tunnel-access.
3. Select the Edit pencil icon for the Tunnel Mode widget and enter the following:
   Name: Browsing
   IP Mode: User Group
   IP Pools: SSLVPN_TUNNEL_ADDR1
4. Select OK.
Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group configured for SSL VPN use.
1. Go to User > User > User and select Create New to add the user:
   User Name: twhite
   Password: password
2. Select OK.
3. Go to User > User Group > User Group and select Create New to add twhite to the SSL VPN user group:
   Name: Tunnel
   Type: Firewall
   Allow SSL-VPN Access: tunnel-access
Make sure you select the Allow SSL-VPN Access option. If not selected, the Tunnel user group will not appear in the group list when configuring the authentication security policy.
Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.
1. Go to Router > Static > Static and select Create New to add the static route:
   Destination IP/Mask: 10.212.134.0/255.255.255.0
   Device: ssl.root
The Destination IP/Mask matches the network address of the remote SSL VPN user.
2. Select OK.
Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from SSLVPN Tunnel Interface to wan1 to allow SSL VPN traffic to connect to the Internet.
1. Go to Policy > Policy > Policy and select Create New to add the SSL VPN security policy:
   Source Interface/Zone: wan1
   Source Address: all
   Destination Interface/Zone: SSLVPN Tunnel Interface
   Destination Address: SSLVPN_TUNNEL_ADDR1
   Action: SSL-VPN
2. Under Configure SSL-VPN Users, select Add to add an authentication rule for the remote user:
   Selected User Groups: Tunnel
   Selected Services: ANY
   Schedule: always
If the Tunnel user group does not appear in the User Group list, ensure you selected the Allow SSL-VPN Access option when creating the user group. If that option is not selected, the Tunnel user group will not appear in the user group list when configuring the authentication security policy.
3. Select OK.
4. Select Create New to add a security policy that allows remote SSL VPN users to connect to the Internet:
   Source Interface/Zone: SSLVPN Tunnel Interface
   Source Address: all
   Destination Interface/Zone: wan1
   Destination Address: all
   Schedule: always
   Service: ANY
   Action: ACCEPT
Results
Using the FortiClient SSL VPN application, connect to the VPN using the address https://172.20.120.136:10443/ and log in as twhite. Once connected, you can browse the Internet. From the FortiGate web-based manager go to VPN > Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects to the Internet.
From the FortiGate web-based manager, go to Policy > Monitor > Policy Monitor to view the policy information for the SSL connection. For any web traffic, the source interface becomes ssl.root.
Go to Log&Report > Log & Archive Access > Traffic Log to view the log information, and the logs will also show the source interface for outbound traffic from the SSL connection through the ssl.root interface.
SSL VPN split tunneling: Using SSL VPN to provide protected Internet access and access to head office servers for remote users
Problem
You want remote users to be able to securely access head office internal network servers and browse the Internet through the head office firewall.
Solution
This solution describes how to configure FortiGate SSL VPN split tunnelling using the FortiClient SSL VPN software, available from the Fortinet Support site. Using split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user's PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.

Creating a firewall address for the head office server
1. Go to Firewall Objects > Address > Address, select Create New and add the head office server address:
   Address Name: Head office server
   Type: Subnet / IP Range
   Subnet / IP Range: 192.168.1.12
   Interface: Internal
2. Select OK.
FortiGate Cookbook http://docs.fortinet.com/
Creating an SSL VPN IP pool and SSL VPN web portal

1. Go to VPN > SSL > Config and for IP Pools select Edit and add SSLVPN_TUNNEL_ADDR1 to the Selected table.
2. Create the SSL VPN portal by going to VPN > SSL > Portal and selecting tunnel-access.
3. Select the Edit pencil icon for the Tunnel Mode widget and enter the following:
   Name: Connect to head office server
   IP Mode: User Group
   IP Pools: SSLVPN_TUNNEL_ADDR1
   Split Tunneling: Enable
4. Select OK.
Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group configured for SSL VPN use.
1. Go to User > User > User, select Create New and add the user:
   User Name: twhite
   Password: password
2. Select OK.
3. Go to User > User Group > User Group and select Create New to add twhite to the SSL VPN user group:
   Name: Tunnel
   Type: Firewall
   Allow SSL-VPN Access: tunnel-access
Make sure you select the Allow SSL-VPN Access option. If not selected, the Tunnel user group will not appear in the group list when configuring the authentication security policy.
Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.
1. Go to Router > Static > Static and select Create New to add the static route:
   Destination IP/Mask: 10.212.134.0/255.255.255.0
   Device: ssl.root
The Destination IP/Mask matches the network address of the remote SSL VPN user.
2. Select OK.
Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.
1. Go to Policy > Policy > Policy and select Create New to add the SSL VPN security policy:
   Source Interface/Zone: wan1
   Source Address: all
   Destination Interface/Zone: internal
   Destination Address: Head office server
   Action: SSL-VPN
2. Select Configure SSL-VPN Users and select Add to add an authentication rule for the remote user:
   Selected User Groups: Tunnel
   Selected Services: ANY
   Schedule: always
If the Tunnel user group does not appear in the User Group list, ensure you selected the Allow SSL-VPN Access option when creating the user group. If that option is not selected, the Tunnel user group will not appear in the user group list when configuring the authentication security policy.
3. Select OK.
4. Select Create New to add a security policy that allows remote SSL VPN users to connect to the Internet:
   Source Interface/Zone: ssl.root
   Source Address: all
   Destination Interface/Zone: wan1
   Destination Address: all
   Schedule: always
   Service: ANY
   Action: ACCEPT
5. Select OK.
Results
Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address https://172.20.120.136:10443/ and log in with the twhite user account. Once connected, you can connect to the head office server or browse to web sites on the Internet. From the web-based manager go to VPN > Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects SSL VPN sessions to the Internet.
From the web-based manager, go to Policy > Monitor > Session Monitor to view the session information for the SSL connection. For any web traffic, the source interface becomes ssl.root.
Go to Log&Report > Log & Archive Access > Traffic Log to view the log information, and the logs will also show the source interface for outbound traffic from the SSL connection through the ssl.root interface.
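The traffic-log check described here, and the same check in the earlier tunnel-mode example, can be scripted. The following is an added example, not code from the FortiGate Cookbook or from Fortinet: it parses FortiGate key=value traffic log lines, counts traffic per user that entered through ssl.root, and flags tunnel sources outside the SSLVPN_TUNNEL_ADDR1 pool (assumed to be 10.212.134.0/24, matching the static route above). The log lines are constructed for this example, not captured from a device.

```python
"""Added example (not from the FortiGate Cookbook): check FortiGate traffic
log lines for SSL VPN tunnel traffic that entered through ssl.root.

Assumptions: traffic logs are key=value lines using the standard field
names (srcip, srcintf, dstintf, user, ...); the sample lines below are
constructed for this example; the tunnel pool is 10.212.134.0/24."""
import ipaddress
import re
from collections import Counter

TUNNEL_POOL = ipaddress.ip_network("10.212.134.0/24")  # SSLVPN_TUNNEL_ADDR1
TUNNEL_INTF = "ssl.root"

# Constructed sample log lines (not real device output): two Internet
# sessions via wan1, one to the head office server, one from a source
# outside the tunnel pool, and one unrelated internal session.
SAMPLE_LOGS = """\
date=2013-01-10 time=10:01:02 type=traffic subtype=forward srcip=10.212.134.200 srcintf="ssl.root" dstip=203.0.113.10 dstintf="wan1" user="twhite" policyid=2 action=accept service=HTTP
date=2013-01-10 time=10:01:05 type=traffic subtype=forward srcip=10.212.134.200 srcintf="ssl.root" dstip=192.168.1.12 dstintf="internal" user="twhite" policyid=1 action=accept service=HTTPS
date=2013-01-10 time=10:02:11 type=traffic subtype=forward srcip=10.99.0.7 srcintf="ssl.root" dstip=203.0.113.10 dstintf="wan1" user="twhite" policyid=2 action=accept service=HTTP
date=2013-01-10 time=10:02:30 type=traffic subtype=forward srcip=172.16.0.5 srcintf="internal" dstip=203.0.113.10 dstintf="wan1" policyid=5 action=accept service=HTTP
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def tunnel_records(text):
    """Yield parsed records whose source interface is the SSL VPN tunnel."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("srcintf") == TUNNEL_INTF:
            yield rec

def summarize(text):
    """Count tunnel traffic per (user, dstintf) and list tunnel sources
    outside the configured IP pool, which point at a pool or policy
    misconfiguration worth checking in the SSL-VPN Monitor."""
    counts = Counter()
    anomalies = []
    for rec in tunnel_records(text):
        counts[(rec.get("user", "?"), rec.get("dstintf", "?"))] += 1
        if ipaddress.ip_address(rec["srcip"]) not in TUNNEL_POOL:
            anomalies.append(rec["srcip"])
    return counts, anomalies

if __name__ == "__main__":
    counts, anomalies = summarize(SAMPLE_LOGS)
    for (user, dstintf), n in sorted(counts.items()):
        print(f"{user:8} -> {dstintf:8} {n} session(s)")
    print("tunnel sources outside the pool:", anomalies)
```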
Verifying that SSL VPN users have the most recent AV software before they can log into the SSL VPN
Problem
Before a remote SSL VPN user logs into the network, you want to be sure that they have approved antivirus software installed on their computers. Only clients that meet the requirements are permitted to log on.
Solution
Use SSL VPN host checking. When the remote client attempts to log in to the VPN network, the FortiGate unit uses the host check information to verify that the approved antivirus software is installed on the client computer.
1. Go to VPN > SSL > Portal, Edit a portal and select Settings.
2. Select Security Control and select the following:
   Host Check: Custom
   Policy: Select the names of one or more antivirus software packages from the FortiGate AV software database. You can select multiple options.
If your company does not require a standard AV software on remote computers, you can select the AV option instead of Custom, in which case the FortiGate unit checks for any AV software from its SSL VPN antivirus software database.
Results
When a remote user connects to the SSL VPN tunnel, the FortiGate unit verifies that the approved antivirus software is installed on the remote user's device. If it is, the user can log in. If the approved antivirus software is not installed, the remote user sees the following error message:
From the FortiGate web-based manager go to Log&Report > Event Log to see the tunnel message in the Action column.
Select the log entry to view the detailed information, which indicates the user attempting to connect. The Reason row indicates that the host check failed.
To make sure that SSL logs appear in the event log, go to Log&Report > Log Config > Log Setting. Enable Event Logging and select SSL VPN user authentication event and SSL VPN session event.