
EMEA

Fortinet Technical Note

Fortinet SSL VPN Quickstart Guide


July 2008

Object: Fortinet SSL VPN Quickstart Guide

Technical Contact : Fortinet Customer Support

Date : July, 3rd 2008

Reference : Fortinet Technical Note – 030708 – v1.0

Version : 1.0

Fortinet SSL VPN Quickstart Guide Page 1/13



Table of Contents
Introduction (page 3)
  Purpose of this document (page 3)
  Pre-requisites (page 3)
  Example network (page 3)
Configuring the SSL Web Portal (page 4)
  Enable the SSL VPN (page 4)
  Create a user (page 4)
  Create an SSL VPN group (page 5)
  Create an SSL firewall policy (page 6)
  Test the web portal (page 7)
Configuring the SSL Tunnel Mode VPN (page 9)
  Add tunnel mode VPN firewall policies (page 9)
  Add additional route to the SSL VPN IP addresses (page 11)
  Test the SSL tunnel mode client (page 11)
Appendix A – Debugging SSL VPN issues (page 13)


1. Introduction
1.1. Purpose of this document

This document describes the minimum steps needed to configure the FortiGate SSL VPN. It is meant to
complement the more extensive SSL VPN Guide and therefore does not cover aspects of the SSL VPN such
as AD/LDAP authentication integration, creation of bookmarks, etc. For these more advanced topics,
please refer to the SSL VPN Guide available at http://docs.forticare.com/fgt.html.

1.2.Pre-requisites

It is assumed that the FortiGate on which the SSL VPN is being configured has been correctly
configured with the relevant network addresses, default route and DNS settings. If this has not been
done, please consult the FortiGate Administration Guide http://docs.forticare.com/fgt.html.

1.3. Example Network

The following simple test network has been used throughout the document: the FortiGate's Internal
interface on 192.168.1.0/24, WAN1 facing the internet, and 192.168.99.0/24 reserved for SSL VPN
tunnel mode clients.


Configuring the SSL Web Portal

There are several steps involved in creating an SSL VPN connection, and if any one is missed the VPN
will not function correctly. The steps are as follows and are expanded on in the sections below:

• Enable the SSL VPN
• Create a user
• Create an SSL VPN group
• Create an SSL firewall policy

1.4. Enable the SSL VPN

Go to VPN > SSL > Config and select Enable SSL-VPN. There is no need to enter a tunnel IP range if you
only want to use the web portal and not tunnel mode, but to save time later, enter a range now.

The Tunnel IP Range does not need to be taken from a network already configured on the FortiGate, but
it must not overlap one: replies to tunnel clients are routed through the SSL virtual interface, and an
overlapping range would make those addresses ambiguous. In the example shown, the internal network is
192.168.1.0/24 and the tunnel IP range is 192.168.99.0/24. The tunnel mode configuration section
returns to this range.

1.5. Create a user

Go to User > Local, select Create New and enter the username and password. Alternatively, the
username and password can be validated against one of the supported directory services (LDAP, Active
Directory, RADIUS, TACACS+, etc.); for details of configuring these authentication mechanisms, see the
SSL VPN Administration Guide. Take care not to select Disable, otherwise the user will not be able to
log in.


The configured users can be viewed by going to User > Local.

1.6. Create an SSL VPN group

Go to User > User Group and enter a suitable name for the group, for example SSL_VPN_Group. Note the
use of underscores, as spaces are not allowed.

Change the group Type to SSL, which changes the options at the bottom of the page. Click to highlight
the users you want to be members of the group and click the right arrow to move them to the Members
box.

Select Enable SSL-VPN Tunnel Service.

Select Enable Web Applications and then select the applications you wish to enable. The remaining
options can be left disabled until the SSL VPN has been tested; each option enabled here widens what
an authenticated portal user can reach, so enable them one at a time as they are needed.


1.7. Create an SSL firewall policy

Once all of the other configuration has been made, the final change is to create a firewall policy that
will trigger the SSL VPN.

Select the source to be the interface the users will be accessing the SSL VPN from, for example the
internet connection; in this case it is WAN1. The example above does not restrict the IP range the
users can connect from, allowing them to connect from anywhere on the internet.

The destination address can be limited to allow users to access only selected systems on the internal
network. For the purposes of this example, the IP range that can be accessed has not been limited (it
has been set to Any). In production, restrict the destination to the hosts and services remote users
actually need: everything matched by this policy becomes reachable by any user who can authenticate
to the portal.


For a web portal based SSL VPN only, a single inbound policy is required, as shown above.

1.8. Test the Web Portal

Because the FortiGate unit is managed via HTTPS on port 443, by default the SSL VPN is configured to be
accessed on port 10443. See the SSL VPN Guide for the options for changing this port to a more user
friendly setting.

Browse to the IP address of the FortiGate unit, specifying port 10443, e.g. https://82.xxx.xxx.146:10443

Enter the user name and password previously configured. Administrator accounts are separate from local
users, so the administrator password will not work here.


Test that you can access resources on the private network by entering the IP of a system on the
internal network in the Test for Reachability (Ping) section and click Go. A successful response is
shown below.


2. Configuring the SSL Tunnel Mode VPN

Once the web portal is working, a few extra changes are needed to get the Tunnel Mode VPN working
correctly. The changes are:

• Add tunnel mode VPN firewall policies
• Add an additional route to the SSL VPN IP addresses

2.1. Add Tunnel Mode VPN firewall policies

MR6 introduced a virtual interface for SSL VPN traffic. This gives additional flexibility, including
allowing SSL VPN traffic to be routed back out through other VPNs or to the internet.

To enable tunnel mode, firewall policies must be created between the SSL virtual interface and the
internal network. In the root VDOM the virtual interface is called ssl.root; in any other VDOM it is
ssl.<vdom-name>.

Create a firewall policy from the ssl.root interface to the Internal interface. This is the policy that
carries the tunnel clients' traffic into the network, so tie it down by restricting the destination to
the specific IP addresses on the internal network that remote users need.

Create a firewall policy from the Internal interface to the ssl.root interface. The FortiGate is
stateful, so this policy is only exercised when internal systems initiate connections to tunnel
clients; it can likewise be restricted to specific source addresses on the internal network.


The complete set of firewall policies for a portal and tunnel mode VPN is therefore: the WAN1 to Internal policy with action SSL-VPN, the ssl.root to Internal policy, and the Internal to ssl.root policy.


2.2. Add additional route to the SSL VPN IP addresses

In section 1.4, the tunnel IP range was set to a range not configured on any directly connected
interface. To tell the FortiGate unit where this IP range is located, a static route must be created;
without it, replies to tunnel clients follow the default route out of WAN1 and the tunnel carries no
traffic.

Go to Router > Static and create a new route for the configured tunnel IP range (192.168.99.0/24 in
the example), setting the Device to the ssl.root interface. The Distance can be set to 2, which is
higher than a directly connected network and lower than the default route.
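The checks in sections 1.4, 1.7, 2.1 and 2.2 can be run against a configuration backup instead of being re-clicked through the GUI. The following script is an added example written for this note, not Fortinet code: it parses the config/edit/set/next/end structure of a FortiOS configuration dump and reports anything the guide requires that is missing, plus the two places where the guide's example is deliberately wider than a production deployment should be. The sample configuration is constructed; the interface and object names (wan1, internal, ssl.root), the policy IDs and the "set action ssl-vpn" form of the portal policy are assumptions about how the GUI steps above appear in the CLI.

```python
import ipaddress
import shlex

# Constructed sample mirroring the guide: the WAN1 -> Internal portal policy,
# the two tunnel-mode policies across ssl.root and the tunnel-range route.
# Names and the 'set action ssl-vpn' form are assumptions, not a real dump.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
    next
    edit 2
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
    edit 3
        set srcintf "internal"
        set dstintf "ssl.root"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
config router static
    edit 1
        set dst 192.168.99.0 255.255.255.0
        set device "ssl.root"
        set distance 2
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end into {table: {entry_id: {key: [values]}}}.
    Sub-tables nested inside an entry are skipped; this audit does not need them."""
    tables, depth, table, entry = {}, 0, None, None
    for raw in text.splitlines():
        words = shlex.split(raw)          # honours the "quoted" object names
        if not words:
            continue
        kw = words[0]
        if kw == "config":
            depth += 1
            if depth == 1:
                table = tables.setdefault(" ".join(words[1:]), {})
        elif kw == "end":
            depth -= 1
        elif depth == 1 and kw == "edit":
            entry = table.setdefault(words[1], {})
        elif depth == 1 and kw == "next":
            entry = None
        elif depth == 1 and kw == "set" and entry is not None:
            entry[words[1]] = words[2:]
    return tables


def audit_sslvpn(config_text, wan_if, lan_if, lan_net, tunnel_net, vdom="root"):
    """Return findings: 'ERROR ...' means the VPN will not work as the guide
    describes, 'WARN ...' means it works but is broader than it needs to be."""
    cfg = parse_fortios(config_text)
    policies, routes = cfg.get("firewall policy", {}), cfg.get("router static", {})
    ssl_if = "ssl." + vdom
    lan, tun = ipaddress.ip_network(lan_net), ipaddress.ip_network(tunnel_net)
    findings = []

    def between(src, dst, action):
        return [p for p in policies.values() if p.get("srcintf") == [src]
                and p.get("dstintf") == [dst] and p.get("action") == [action]]

    # Section 1.4: the tunnel range must not collide with the LAN clients reach.
    if lan.overlaps(tun):
        findings.append(f"ERROR tunnel range {tun} overlaps internal network {lan}")
    # Section 1.7: one inbound ssl-vpn policy triggers the portal.
    portal = between(wan_if, lan_if, "ssl-vpn")
    if not portal:
        findings.append(f"ERROR no ssl-vpn policy {wan_if} -> {lan_if}; portal will not trigger")
    for p in portal:
        if p.get("srcaddr") == ["all"]:
            findings.append("WARN portal policy accepts logins from any source address")
        if p.get("dstaddr") == ["all"]:
            findings.append("WARN portal policy exposes every internal host; restrict dstaddr")
    # Section 2.1: tunnel traffic needs accept policies both ways across ssl.<vdom>.
    for src, dst in ((ssl_if, lan_if), (lan_if, ssl_if)):
        if not between(src, dst, "accept"):
            findings.append(f"ERROR no accept policy {src} -> {dst}; tunnel traffic dropped")
    # Section 2.2: replies to tunnel clients must be routed out of ssl.<vdom>.
    routed = any(len(r.get("dst", [])) == 2 and r.get("device") == [ssl_if]
                 and ipaddress.ip_network("/".join(r["dst"])) == tun
                 for r in routes.values())
    if not routed:
        findings.append(f"ERROR no static route for {tun} via {ssl_if}; replies take the default route")
    return findings


if __name__ == "__main__":
    for line in audit_sslvpn(SAMPLE_CONFIG, "wan1", "internal", "192.168.1.0/24", "192.168.99.0/24"):
        print(line)
```

Run against the sample it reports no errors and two warnings (the unrestricted source and destination of the portal policy, exactly as the guide's example leaves them). Point it at a real backup with the interface names and ranges of the unit being audited; the parser only reads top-level tables, so nested identity-based sub-policies are ignored.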

2.3. Test the SSL Tunnel Mode Client

Once successfully authenticated to the SSL portal, select Activate SSL-VPN Tunnel Mode. On the first
connection a browser plugin is installed (ActiveX in Internet Explorer; Firefox and Internet Explorer
are supported in MR6, Linux and Mac OS X as of MR7), and it sets up the SSL tunnel to the remote
network.


On Windows, administrator rights are required to install or update the plugin; once installed, it runs
under normal user privileges.

Once the SSL VPN Link Status changes to Up, an IP address from the tunnel address range is assigned to
the connecting system and the internal systems should be accessible (subject to the firewall
policies).


Appendix A – Debugging SSL VPN Issues

To enable debugging of the SSL VPN, use the following commands on the CLI:

diag debug application sslvpn 255
diag debug enable

The output is verbose and includes the usernames being authenticated; turn it off again with diag debug
disable once the problem has been found.
