Content summary for page no. 1
USER GUIDE
FortiOS v3.0 MR7
SSL VPN User Guide
www.fortinet.com
Content summary for page no. 2
FortiGate v3.0 MR7 SSL VPN User Guide 18 July 2008 01-30007-0348-20080718 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc. Trademarks ABACAS, APSecure, FortiASIC, FortiAnalyzer, FortiBIOS, FortiBridge, FortiClient, F
Content summary for page no. 3
Contents
Introduction 7
About FortiGate SSL VPN 7
About this document 8
Document conventions 8
Typographic conventions
Content summary for page no. 4
Configuring SSL VPN settings 36
Enabling SSL VPN connections and editing SSL VPN settings 36
Specifying a port number for web portal connections 38
Specifying an IP address range for tunnel-mode clients 38
Enabling strong authentication through security certificates 39
Specifying the cipher suite for SSL negotiations
Content summary for page no. 5
Tunnel-mode features 80
Working with the ActiveX/Java Platform plug-in 81
Uninstalling the ActiveX/Java Platform plugin 83
Logging out 83
Index
Content summary for page no. 6
Contents FortiOS v3.0 MR7 SSL VPN User Guide 6 01-30007-0348-20080718
Content summary for page no. 7
Introduction This section introduces you to FortiGate™ Secure Sockets Layer (SSL) VPN technology and provides supplementary information about Fortinet™ publications. The following topics are included in this section: • About FortiGate SSL VPN • About this document • FortiGate documentation • Related documentation • Customer service and technical support About FortiGate SSL VPN FortiGate SSL VPN technology makes it safe to do business over the Internet. In
Content summary for page no. 8
Whether to use web-only or tunnel mode depends on the number and type of applications installed on the remote computer. Access to any application not supported through web-only mode can be supported through tunnel mode. For more information about these modes of operation, see “Configuring a FortiGate SSL VPN” on page 13. About this document This document explains how to configure SSL VPN operation using the web-based manager and contains the following chapte
Content summary for page no. 9
Typographic conventions
FortiGate documentation uses the following typographical conventions:
Convention: Keyboard input. Example: In the Name field, type admin.
Convention: Code examples. Example: config sys global / set ips-open enable / end
Convention: CLI command syntax. Example: config firewall policy / edit id_integer / set http_retry_count / set natip / end
Convention: Document names. Example: FortiGate SSL VPN User Guide
Convention: File content. Example: Firewall Authentication
Content summary for page no. 10
• FortiGate CLI Reference Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands. • FortiGate Log Message Reference Available exclusively from the Fortinet Knowledge Center, the FortiGate Log Message Reference describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units. • FortiGate High Availability User Guide Contains in-depth information abou
Content summary for page no. 11
FortiClient documentation • FortiClient Host Security User Guide Describes how to use FortiClient Host Security software to set up a VPN connection from your computer to remote networks, scan your computer for viruses, and restrict access to your computer and applications by setting up firewall policies. • FortiClient Host Security online help Provides information and procedures for using and configuring the FortiClient software. FortiMail documentation • F
Content summary for page no. 12
Comments on Fortinet technical documentation Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com. Customer service and technical support Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site a
Content summary for page no. 13
Configuring a FortiGate SSL VPN This section provides a comparison of SSL and IPSec VPN technology, in addition to an overview of the two modes of SSL VPN operation. The high-level steps for configuring each mode are also included with cross-references to underlying procedures. The following topics are included in this section: • Comparison of SSL and IPSec VPN technology • SSL VPN modes of operation • Topology • Confi
Content summary for page no. 14
Legacy versus web-enabled applications IPSec is well suited to network-based legacy applications that are not web-based. As a layer 3 technology, IPSec creates a secure tunnel between two host devices. IP packets are encapsulated by the VPN client and server software running on the hosts. SSL is typically used for secure web transactions in order to take advantage of web-enabled IP applications. After a secure HTTP li
Content summary for page no. 15
SSL VPN modes of operation SSL VPNs provide secure access to certain applications. Web-only mode provides remote users with access to server applications from any thin client computer equipped with a web browser. Tunnel mode provides remote users with the ability to connect to the internal network from laptop computers as well as airport kiosks, Internet cafes, and hotels. Access to SSL VPN applications is controlled through user groups. Session failover supp
Content summary for page no. 16
In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page and the user can access the server applications behind the FortiGate unit. Configuring the FortiGate unit involves selecting web-only-mode access in the user group settings and enabling the feature
Content summary for page no. 17
When the user initiates a VPN connection with the FortiGate unit through the SSL VPN client, the FortiGate unit establishes a tunnel with the client and assigns the client a virtual IP address from a range of reserved addresses. The client uses the assigned IP address as its source address for the duration of the connection. After the tunnel has been established, the user can access the network behind the FortiGate unit. Configuring the FortiGate uni
Content summary for page no. 18
Figure 1: Example SSL VPN configuration (figure labels: Remote client on the Internet; FortiGate_1 with interfaces wan1, dmz 172.16.10.1 and internal 192.168.22.1; Subnet_1 172.16.10.0/24 with servers HTTP/HTTPS 172.16.10.2, Telnet 172.16.10.3, FTP 172.16.10.4 and SMB/CIFS 172.16.10.5; Subnet_2 192.168.22.0/24). To provide remote clients with access to all of the servers on Subnet_1 from the Internet, you would configure FortiGate_1 as follows: • Create an SSL VPN user group and include the remote users in the user grou
Content summary for page no. 19
Configuration overview Before you begin, install your choice of HTTP/HTTPS, telnet, SSH, FTP, SMB/CIFS, VNC, and/or RDP server applications on the internal network. As an alternative, these services may be accessed remotely through the Internet. All services must be running. Users must have individual user accounts to access the servers (these user accounts are not related to FortiGate user accounts or FortiGate user groups). To configu
Content summary for page no. 20
SSL VPN Virtual Desktop application. The virtual desktop application creates a virtual desktop on a user's PC and monitors the data read/write activity of the web browser running inside the virtual desktop. When the application starts, it presents a ‘virtual desktop’ to the user. The user starts the web browser from within the virtual desktop and connects to the SSL VPN web portal. The browser file/directory operation is redirect