Configuring firewall policies | Configuring a FortiGate SSL VPN
Configuring tunnel-mode firewall policies
Follow the procedures in this section to complete a
When a remote client initiates a connection to the FortiGate unit, the FortiGate unit authenticates the client and determines which mode of operation is in effect for the user. When tunnel mode is enabled, the user can access the server applications and network services on the internal network as required, and can download and install an ActiveX plugin from the web portal. The ActiveX control provides the SSL VPN client software.
Note: On the web browser, ensure that the security settings associated with the Internet zone permit ActiveX controls to be downloaded and run. Permitting ActiveX for the whole Internet zone applies to every site the user visits; a tighter alternative is to add the FortiGate web portal's URL to the browser's Trusted sites zone and permit ActiveX controls in that zone only.
After the user adds the ActiveX plugin to the web browser on the remote client, the user can start the SSL VPN client software to initiate an SSL VPN tunnel with the FortiGate unit. The FortiGate unit establishes the tunnel with the SSL client and assigns the client a virtual IP address. Afterward, the SSL client uses the assigned virtual IP address as its source address for the duration of the session.
To configure the FortiGate unit to support
•Specify the IP address(es) that can be assigned to the SSL VPN client when they establish tunnels with the FortiGate unit.
•Define a firewall policy to support
A firewall policy specifies the originating (source) IP address of a packet and the destination IP address of the intended recipient or network. In this case, the source address corresponds to the IP address of the remote user that connects to the FortiGate unit, and the destination address corresponds to the IP address(es) of the host(s), server(s), or network behind the FortiGate unit.
Configuring the firewall policy involves:
•specifying the source and destination IP addresses:
  •The source address corresponds to the IP address of the remote user. Because the SSL client uses the virtual IP address assigned by the FortiGate unit as its source address for the duration of the session, the address object you define must cover the addresses that the FortiGate unit can assign to SSL VPN clients.
  •The destination address corresponds to the IP address or addresses that remote clients need to access. The destination address may correspond to an entire private network, a range of private IP addresses, or the private IP address of a server or host. Keep it as narrow as the remote users' needs allow: a destination of an entire network gives every authenticated tunnel user reachability to every host on it.
•specifying the level of SSL encryption to use and the authentication method
•binding the user group to the firewall policy
Note: If your destination address, SSL encryption, and user group are the same as for your
To specify the source IP address
1 Go to Firewall > Address and select Create New.
2 In the Address Name field, type a name that represents the IP address that is permitted to set up an SSL VPN connection.
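The following FortiOS CLI configuration is an added example and is not taken from this guide. It shows, end to end, the pieces the preceding list describes: the address object for the tunnel IP range, the address object for the internal hosts, the SSL VPN policy with cipher strength and user group bound to it, and the tunnel-mode policy that constrains what traffic arriving from the tunnel may reach. The interface names (external, internal, ssl.root), the address object names, the IP ranges and the user group SSLVPN_users are assumptions chosen for illustration. The attribute names sslvpn-auth, sslvpn-cipher, groups and tunnel-ip-pools are reproduced from the FortiOS 3.0 CLI as the author of this example recalls them; confirm them against the CLI reference for your firmware build before applying. Lines beginning with # are explanatory comments.

```text
# Added example (not from the FortiOS guide). Interface names, address
# names, IP ranges and the user group are assumptions; adjust to your site.

# 1. Address objects: the virtual IP range handed out to SSL VPN clients,
#    and the internal hosts those clients are allowed to reach. Choose a
#    tunnel range that does not overlap any internal subnet.
config firewall address
    edit "SSLVPN_tunnel_range"
        set type iprange
        set start-ip 10.254.254.80
        set end-ip 10.254.254.90
    next
    edit "Internal_app_servers"
        set type ipmask
        set subnet 192.168.10.0 255.255.255.0
    next
end

# 2. Assign client virtual IP addresses from that range
#    (keyword name assumed for this firmware build).
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_tunnel_range"
end

config firewall policy
    # 3. SSL VPN policy: remote users arriving on the external interface,
    #    authenticated against the bound user group, high-strength ciphers only.
    edit 10
        set srcintf "external"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal_app_servers"
        set action ssl-vpn
        set schedule "always"
        set service "ANY"
        set sslvpn-auth any
        set sslvpn-cipher high
        set groups "SSLVPN_users"
    next
    # 4. Tunnel-mode policy: packets leave the tunnel with the assigned
    #    virtual IP as source, so the source address is the tunnel range,
    #    and the destination is limited to the servers defined above.
    edit 11
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_tunnel_range"
        set dstaddr "Internal_app_servers"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

Two points to check after applying a configuration like this: the destination address and service on policy 11 are what actually bound a tunnel user's reach into the internal network, so replace "ANY" with the specific services the remote users need; and the source range on policy 11 must match the range configured as the tunnel IP pool, otherwise traffic from connected clients matches no policy and is dropped.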
FortiOS v3.0 MR7 SSL VPN User Guide