Fortinet FORTIOS V3.0 MR7 manual Web-only mode client requirements, Tunnel mode

Page 16

SSL VPN modes of operation

Configuring a FortiGate SSL VPN

In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page and the user can access the server applications behind the FortiGate unit.

Configuring the FortiGate unit involves selecting web-only-mode access in the user group settings and enabling the feature through SSL VPN configuration settings. The user group settings determine which server applications can be accessed. SSL encryption is used to ensure traffic confidentiality.

Web-only mode client requirements

The remote client computer must be equipped with the following software:

Microsoft Windows 2000/XP/2003/Vista, Linux, MacOS X, or UNIX operating system

Microsoft Internet Explorer 6.0 (or later), Netscape Navigator 7.0 (or later), Mozilla Foundation/Firefox 1.5 (or later), or Apple Safari 1.3 (or later)

If Telnet/ or RDP are used, Sun Java runtime environment 1.4 (or later), with Java applet access, JavaScript access, and enabled cookie acceptance

Note: Web browsers offer different SSL security capabilities. The FortiGate unit offers an SSL version 2 option through the CLI if required to support older browsers. In addition, the FortiGate unit supports a range of cipher suites for negotiating SSL communications with a variety of web browsers. The web browser must at least support a 64-bit cipher length.

Tunnel mode

Tunnel mode offers remote users the freedom to connect to the internal network using the traditional means of web-based access from laptop computers, as well as from airport kiosks, hotel business centers, and Internet cafés. If the applications on the client computers used by your user community vary greatly, you can deploy a dedicated SSL VPN client to any remote client through its web browser. The SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate unit through an SSL VPN tunnel over the HTTPS link between the web browser and the FortiGate unit. Also available is split tunneling, which ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route. This conserves bandwith and alleviates bottlenecks.

In tunnel mode, remote clients connect to FortiGate unit and the web portal login page using Microsoft Internet Explorer, Mozilla Foundation/Firefox, MacOS, or Linux. The FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page. The user can then download the SSL VPN client (an ActiveX or Java plugin) and install it using controls provided through the web portal. SSL VPN tunnel mode can also be initiated from a standalone application on Windows/MacOS, and Unix.

 

FortiOS v3.0 MR7 SSL VPN User Guide

16

01-30007-0348-20080718

Page 15 Page 17
Image 16
Page 15 Page 17
Contents E R G U I D E FortiGate v3.0 MR7 SSL VPN User Guide TrademarksContents Configuring SSL VPN settings Working with the web portalSSL VPN host OS patch check Starting a session from the Tools areaIndex Tunnel-mode featuresLogging out Page Introduction About FortiGate SSL VPNAbout this document Document conventionsFortiGate documentation Typographic conventionsRelated documentation FortiManager documentationFortiClient documentation FortiMail documentationFortiAnalyzer documentation Fortinet Tools and Documentation CDCustomer service and technical support Comments on Fortinet technical documentationConfiguring a FortiGate SSL VPN Comparison of SSL and IPSec VPN technologyLegacy versus web-enabled applications Authentication differencesAccess control Connectivity considerationsSSL VPN modes of operation Web-only modeSession failover support Web-only mode client requirements Tunnel modeTopology Tunnel-mode client requirementsExample SSL VPN configuration Infrastructure requirementsConfiguration overview Configuring the SSL VPN clientSSL VPN Virtual Desktop application Using the SSL VPN Virtual DesktopTo download and run the SSL VPN Virtual Desktop application Configuring the SSL VPN client To download the SSL VPN Virtual Desktop, select To connect to a web server from the Tools area Using the SSL VPN standalone tunnel clientsTo ping a host or server behind the FortiGate unit To download the SSL VPN standalone tunnel client Windows Firmware Images selection on Fortinet customer support siteFortiClientSSLVPNSetup3.0.384.exe or Password Save user name and password , and Keep connection aliveServer Address UsernameTo download the SSL VPN standalone tunnel client Linux Configuring the SSL VPN client Configuring a FortiGate SSL VPN User Enter your user name Password Advanced settingsTo use the SSL VPN standalone tunnel client Linux ServerTo download the SSL VPN standalone tunnel client MacOS To uninstall the SSL VPN standalone tunnel client LinuxUse Client File Path Configuring the SSL VPN client To uninstall the SSL VPN standalone tunnel client MacOS To use the SSL VPN standalone tunnel client MacOSConfiguring SSL VPN settings Enabling SSL VPN connections and editing SSL VPN settingsSee Specifying the cipher suite for SSL negotiations Specifying a port number for web portal connections Go to System Admin SettingsSpecifying an IP address range for tunnel-mode clients Setting the idle timeout setting Specifying the cipher suite for SSL negotiationsSetting the client authentication timeout setting Adding Wins and DNS services for clientsTo add a custom caption Go to VPN SSL Config Adding a custom caption to the web portal homeConfiguring user accounts and SSL VPN user groups Customizing the web portal loginTo create a user account in the Local domain DisableUser Name To create a user group Configuring user accounts and SSL VPN user groups Configuring firewall policies Configuring Web-only firewall policies Configuring firewall addressesTo specify the destination IP address To define the firewall policy for web-only mode connections Configuring tunnel-mode firewall policies To specify the source IP addressSubnet2 To define the firewall policy for tunnel-mode operationsUser Authentication Configuring SSL VPN event-loggingAvailable Groups To view SSL VPN event logs Go to Log&Report Log Access Monitoring active SSL VPN sessionsConfiguring SSL VPN bookmarks and bookmark groups Viewing the SSL VPN bookmark listDelete See alsoConfiguring SSL VPN bookmarks Create New BookmarkConfiguring SSL VPN bookmark groups Viewing the SSL VPN Bookmark Groups listAssigning SSL VPN bookmark groups to SSL VPN users Configuration Example SSL VPN host OS patch checkVariable DescriptionSSL VPN configuration for unique access permissions Enable SSL-VPN Settings Group1 user group attributes Source/destination firewall addresses Public IP To view the SSL VPN policies, go to Firewall Policy SSL VPN virtual interface ssl.root Firewall policy listInternet browsing policy Source Ssl.root Source address Peer network policy Source Ssl.root Source addressSSL VPN dropping connections SSL VPN dropping connections SSL VPN dropping connections Connecting to the FortiGate unit To log in to the FortiGate secure Http gatewayWeb portal home page features FortiGate SSL VPN Remote Access Web Portal Launching web portal applications URL re-writingAdding a bookmark to the My Bookmarks list Add BookmarkBookmark DetailsTitle Host Name/IP, or Shared File FolderTo add a telnet connection and start a telnet session 10.10.10.10To add an FTP connection and start an FTP session To add a SMB/CIFS connection and start a SMB session Launching web portal applications To add a VNC connection and start a VNC session To add a RDP connection and start a RDP session Working with the web portal To add a SSH connection and start a SSH session 192.168.1.3See also Starting a session from the Tools area Tunnel-mode featuresTo start a telnet session from the Tools area Working with the ActiveX/Java Platform plug-in To download and install the ActiveX/Java Platform plugin To initiate a VPN tunnel with the FortiGate unitTo uninstall the ActiveX/Java Platform plugin Uninstalling the ActiveX/Java Platform pluginLogging out Logging out Index URL Index Page

FORTIOS V3.0 MR7 specifications

Fortinet's FortiOS v3.0 MR7 marks a significant advancement in network security and management, providing organizations with enhanced features, technologies, and characteristics to better protect their IT environments. This version of FortiOS is designed to facilitate comprehensive security and optimized performance, ensuring that organizations can safeguard their networks against evolving threats.

One of the main features in FortiOS v3.0 MR7 is its robust firewall capabilities. The stateful firewall technology enables dynamic packet filtering based on predefined security policies. This strengthens the organization's perimeter defense by allowing or denying traffic based on user-defined rules. Additionally, the integrated Application Control feature extends the firewall's capabilities by identifying and controlling applications regardless of port usage, enabling organizations to enforce security policies on a finer-grained level.

FortiOS v3.0 MR7 also introduces advanced intrusion prevention system (IPS) functionalities. The next-generation IPS utilizes deep packet inspection and real-time threat intelligence to detect and block attacks before they can compromise the network. Coupled with Fortinet’s threat research team, which ensures timely updates of security signatures, this system helps organizations mitigate risks posed by sophisticated cyber threats.

Another key characteristic of FortiOS v3.0 MR7 is its enhanced VPN capabilities. The support for both SSL and IPsec VPN allows secure remote access for employees and offers flexible options for secure communication over the internet. This feature is essential for organizations that embrace remote work, ensuring that sensitive data remains protected regardless of the user's location.

In addition to its powerful security features, FortiOS v3.0 MR7 includes advanced reporting and logging capabilities. Users can generate detailed reports that highlight security events, traffic patterns, and performance metrics. This data not only improves visibility into network security but also assists in compliance with regulatory requirements.

Moreover, the platform's user-friendly interface enhances the overall management experience. Administrators can quickly configure settings, monitor activity, and respond to incidents effectively. With centralized management capabilities, FortiOS v3.0 MR7 allows organizations to manage multiple devices from a single console, simplifying operations and reducing administrative overhead.

In summary, Fortinet's FortiOS v3.0 MR7 integrates a wealth of security features, including a stateful firewall, advanced IPS, VPN support, and comprehensive reporting functions. Together, these technologies ensure that organizations can maintain a strong security posture in an increasingly complex threat landscape.
Top Page Image Contents