Fortinet FORTIOS V3.0 MR7 manual Configuring tunnel-mode firewall policies

Page 46

Configuring firewall policies

Configuring a FortiGate SSL VPN

Configuring tunnel-mode firewall policies

Follow the procedures in this section to complete a tunnel-mode configuration. These procedures assume that you have already completed the procedures found in “Configuring user accounts and SSL VPN user groups” on page 42.

When a remote client initiates a connection to the FortiGate unit, the FortiGate unit authenticates the client and determines which mode of operation is in effect for the user. When tunnel mode is enabled, the user can access the server applications and network services on the internal network if required and/or download and install an ActiveX plugin from the web portal. The ActiveX control provides SSL VPN client software.

Note: On the web browser, ensure that the security settings associated with the Internet zone permit ActiveX controls to be downloaded and run.

After the user adds the ActiveX plugin to the web browser on the remote client, the user can start the SSL VPN client software to initiate an SSL VPN tunnel with the FortiGate unit. The FortiGate unit establishes the tunnel with the SSL client and assigns the client a virtual IP address. Afterward, the SSL client uses the assigned virtual IP address as its source address for the duration of the session.

To configure the FortiGate unit to support tunnel-mode access, you perform the following configuration tasks on the FortiGate unit:

Specify the IP address(es) that can be assigned to the SSL VPN client when they establish tunnels with the FortiGate unit.

Define a firewall policy to support tunnel-mode operations.

A firewall policy specifies the originating (source) IP address of a packet and the destination address defines the IP address of the intended recipient or network. In this case, the source address corresponds to the IP address of the remote user that will connect to the FortiGate unit, and the destination address corresponds to the IP address(es) of the host(s), server(s), or network behind the FortiGate unit.

Configuring the firewall policy involves:

specifying the source and destination IP addresses:

The source address corresponds to the IP address of the remote user.

The destination address corresponds to the IP address or addresses that remote clients need to access. The destination address may correspond to an entire private network, a range of private IP addresses, or the private IP address of a server or host.

specifying the level of SSL encryption to use and the authentication method

binding the user group to the firewall policy

Note: If your destination address, SSL encryption, and user group are the same as for your web-only mode connection, you do not need to create a firewall policy for tunnel mode. The FortiGate unit uses the web-only mode policy settings except for the source address range, which it obtains from the tunnel IP range settings.

To specify the source IP address

1Go to Firewall > Address and select Create New.

2In the Address Name field, type a name that represents the IP address that is permitted to set up SSL VPN connection.

 

FortiOS v3.0 MR7 SSL VPN User Guide

46

01-30007-0348-20080718

Page 45 Page 47
Image 46
Page 45 Page 47
Contents E R G U I D E FortiGate v3.0 MR7 SSL VPN User Guide TrademarksContents SSL VPN host OS patch check Configuring SSL VPN settingsWorking with the web portal Starting a session from the Tools areaIndex Tunnel-mode featuresLogging out Page Introduction About FortiGate SSL VPNAbout this document Document conventionsFortiGate documentation Typographic conventionsRelated documentation FortiManager documentationFortiAnalyzer documentation FortiClient documentationFortiMail documentation Fortinet Tools and Documentation CDCustomer service and technical support Comments on Fortinet technical documentationConfiguring a FortiGate SSL VPN Comparison of SSL and IPSec VPN technologyAccess control Legacy versus web-enabled applicationsAuthentication differences Connectivity considerationsSSL VPN modes of operation Web-only modeSession failover support Web-only mode client requirements Tunnel modeTopology Tunnel-mode client requirementsExample SSL VPN configuration Infrastructure requirementsConfiguration overview Configuring the SSL VPN clientSSL VPN Virtual Desktop application Using the SSL VPN Virtual DesktopTo download and run the SSL VPN Virtual Desktop application Configuring the SSL VPN client To download the SSL VPN Virtual Desktop, select To connect to a web server from the Tools area Using the SSL VPN standalone tunnel clientsTo ping a host or server behind the FortiGate unit To download the SSL VPN standalone tunnel client Windows Firmware Images selection on Fortinet customer support siteFortiClientSSLVPNSetup3.0.384.exe or Server Address PasswordSave user name and password , and Keep connection alive UsernameTo download the SSL VPN standalone tunnel client Linux Configuring the SSL VPN client Configuring a FortiGate SSL VPN To use the SSL VPN standalone tunnel client Linux User Enter your user name PasswordAdvanced settings ServerTo download the SSL VPN standalone tunnel client MacOS To uninstall the SSL VPN standalone tunnel client LinuxUse Client File Path Configuring the SSL VPN client To uninstall the SSL VPN standalone tunnel client MacOS To use the SSL VPN standalone tunnel client MacOSConfiguring SSL VPN settings Enabling SSL VPN connections and editing SSL VPN settingsSee Specifying the cipher suite for SSL negotiations Specifying a port number for web portal connections Go to System Admin SettingsSpecifying an IP address range for tunnel-mode clients Setting the idle timeout setting Specifying the cipher suite for SSL negotiationsTo add a custom caption Go to VPN SSL Config Setting the client authentication timeout settingAdding Wins and DNS services for clients Adding a custom caption to the web portal homeConfiguring user accounts and SSL VPN user groups Customizing the web portal loginTo create a user account in the Local domain DisableUser Name To create a user group Configuring user accounts and SSL VPN user groups Configuring firewall policies Configuring Web-only firewall policies Configuring firewall addressesTo specify the destination IP address To define the firewall policy for web-only mode connections Configuring tunnel-mode firewall policies To specify the source IP addressSubnet2 To define the firewall policy for tunnel-mode operationsUser Authentication Configuring SSL VPN event-loggingAvailable Groups To view SSL VPN event logs Go to Log&Report Log Access Monitoring active SSL VPN sessionsDelete Configuring SSL VPN bookmarks and bookmark groupsViewing the SSL VPN bookmark list See alsoConfiguring SSL VPN bookmarks Create New BookmarkConfiguring SSL VPN bookmark groups Viewing the SSL VPN Bookmark Groups listAssigning SSL VPN bookmark groups to SSL VPN users Variable Configuration ExampleSSL VPN host OS patch check DescriptionSSL VPN configuration for unique access permissions Enable SSL-VPN Settings Group1 user group attributes Source/destination firewall addresses Public IP To view the SSL VPN policies, go to Firewall Policy SSL VPN virtual interface ssl.root Firewall policy listInternet browsing policy Source Ssl.root Source address Peer network policy Source Ssl.root Source addressSSL VPN dropping connections SSL VPN dropping connections SSL VPN dropping connections Connecting to the FortiGate unit To log in to the FortiGate secure Http gatewayWeb portal home page features FortiGate SSL VPN Remote Access Web Portal Launching web portal applications URL re-writingBookmark Adding a bookmark to the My Bookmarks listAdd Bookmark DetailsTitle Host Name/IP, or Shared File FolderTo add a telnet connection and start a telnet session 10.10.10.10To add an FTP connection and start an FTP session To add a SMB/CIFS connection and start a SMB session Launching web portal applications To add a VNC connection and start a VNC session To add a RDP connection and start a RDP session Working with the web portal To add a SSH connection and start a SSH session 192.168.1.3See also Starting a session from the Tools area Tunnel-mode featuresTo start a telnet session from the Tools area Working with the ActiveX/Java Platform plug-in To download and install the ActiveX/Java Platform plugin To initiate a VPN tunnel with the FortiGate unitTo uninstall the ActiveX/Java Platform plugin Uninstalling the ActiveX/Java Platform pluginLogging out Logging out Index URL Index Page
Top Page Image Contents