Summary of the content included on page 1
USER GUIDE
FortiOS v3.0 MR7
SSL VPN User Guide
www.fortinet.com
Summary of the content included on page 2
FortiGate v3.0 MR7 SSL VPN User Guide 18 July 2008 01-30007-0348-20080718 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc. Trademarks ABACAS, APSecure, FortiASIC, FortiAnalyzer, FortiBIOS, FortiBridge, FortiClient, F
Summary of the content included on page 3
Contents
Introduction 7
About FortiGate SSL VPN 7
About this document 8
Document conventions 8
Typographic conventions ...
Summary of the content included on page 4
Contents
Configuring SSL VPN settings 36
Enabling SSL VPN connections and editing SSL VPN settings 36
Specifying a port number for web portal connections 38
Specifying an IP address range for tunnel-mode clients 38
Enabling strong authentication through security certificates 39
Specifying the cipher suite for SSL negotiations ...
Summary of the content included on page 5
Contents
Tunnel-mode features 80
Working with the ActiveX/Java Platform plug-in 81
Uninstalling the ActiveX/Java Platform plugin 83
Logging out 83
Index ...
Summary of the content included on page 7
Introduction
This section introduces you to FortiGate™ Secure Sockets Layer (SSL) VPN technology and provides supplementary information about Fortinet™ publications. The following topics are included in this section:
• About FortiGate SSL VPN
• About this document
• FortiGate documentation
• Related documentation
• Customer service and technical support
About FortiGate SSL VPN
FortiGate SSL VPN technology makes it safe to do business over the Internet. In
Summary of the content included on page 8
Whether to use web-only or tunnel mode depends on the number and type of applications installed on the remote computer. Access to any application not supported through web-only mode can be supported through tunnel mode. For more information about these modes of operation, see “Configuring a FortiGate SSL VPN” on page 13.
About this document
This document explains how to configure SSL VPN operation using the web-based manager and contains the following chapte
Summary of the content included on page 9
Typographic conventions
FortiGate documentation uses the following typographical conventions:
Convention: Example
Keyboard input: In the Name field, type admin.
Code examples:
  config sys global
    set ips-open enable
  end
CLI command syntax:
  config firewall policy
    edit id_integer
      set http_retry_count
      set natip
  end
Document names: FortiGate SSL VPN User Guide
File content: Firewall Authentication
Summary of the content included on page 10
Related documentation
• FortiGate CLI Reference: Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
• FortiGate Log Message Reference: Available exclusively from the Fortinet Knowledge Center, the FortiGate Log Message Reference describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
• FortiGate High Availability User Guide: Contains in-depth information abou
Summary of the content included on page 11
FortiClient documentation
• FortiClient Host Security User Guide: Describes how to use FortiClient Host Security software to set up a VPN connection from your computer to remote networks, scan your computer for viruses, and restrict access to your computer and applications by setting up firewall policies.
• FortiClient Host Security online help: Provides information and procedures for using and configuring the FortiClient software.
FortiMail documentation
• F
Summary of the content included on page 12
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site a
Summary of the content included on page 13
Configuring a FortiGate SSL VPN
This section provides a comparison of SSL and IPSec VPN technology, in addition to an overview of the two modes of SSL VPN operation. The high-level steps for configuring each mode are also included with cross-references to underlying procedures. The following topics are included in this section:
• Comparison of SSL and IPSec VPN technology
• SSL VPN modes of operation
• Topology
• Confi
Summary of the content included on page 14
Legacy versus web-enabled applications
IPSec is well suited to network-based legacy applications that are not web-based. As a layer 3 technology, IPSec creates a secure tunnel between two host devices. IP packets are encapsulated by the VPN client and server software running on the hosts. SSL is typically used for secure web transactions in order to take advantage of web-enabled IP applications. After a secure HTTP li
Summary of the content included on page 15
SSL VPN modes of operation
SSL VPNs provide secure access to certain applications. Web-only mode provides remote users with access to server applications from any thin client computer equipped with a web browser. Tunnel mode provides remote users with the ability to connect to the internal network from laptop computers as well as airport kiosks, Internet cafes, and hotels. Access to SSL VPN applications is controlled through user groups. Session failover supp
Summary of the content included on page 16
In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page and the user can access the server applications behind the FortiGate unit. Configuring the FortiGate unit involves selecting web-only-mode access in the user group settings and enabling the feature
Summary of the content included on page 17
When the user initiates a VPN connection with the FortiGate unit through the SSL VPN client, the FortiGate unit establishes a tunnel with the client and assigns the client a virtual IP address from a range of reserved addresses. The client uses the assigned IP address as its source address for the duration of the connection. After the tunnel has been established, the user can access the network behind the FortiGate unit. Configuring the FortiGate uni
Summary of the content included on page 18
Topology
[Figure 1: Example SSL VPN configuration. A remote client on the Internet reaches FortiGate_1 on its wan1 interface; the dmz interface (172.16.10.1) fronts Subnet_1 (172.16.10.0/24) with HTTP/HTTPS at 172.16.10.2, Telnet at 172.16.10.3, FTP at 172.16.10.4 and SMB/CIFS at 172.16.10.5; the internal interface (192.168.22.1) fronts Subnet_2 (192.168.22.0/24).]
To provide remote clients with access to all of the servers on Subnet_1 from the Internet, you would configure FortiGate_1 as follows:
• Create an SSL VPN user group and include the remote users in the user grou
Summary of the content included on page 19
Configuration overview
Before you begin, install your choice of HTTP/HTTPS, telnet, SSH, FTP, SMB/CIFS, VNC, and/or RDP server applications on the internal network. As an alternative, these services may be accessed remotely through the Internet. All services must be running. Users must have individual user accounts to access the servers (these user accounts are not related to FortiGate user accounts or FortiGate user groups). To configu
Summary of the content included on page 20
SSL VPN Virtual Desktop application
The virtual desktop application creates a virtual desktop on a user's PC and monitors the data read/write activity of the web browser running inside the virtual desktop. When the application starts, it presents a ‘virtual desktop’ to the user. The user starts the web browser from within the virtual desktop and connects to the SSL VPN web portal. The browser file/directory operation is redirect