Fortinet FORTIOS V3.0 MR7 manual SSL VPN host OS patch check, Configuration Example, Variable

Page 54

SSL VPN host OS patch check

Configuring a FortiGate SSL VPN

SSL VPN host OS patch check

SSLVPN Client OS Patch Check feature allows a client with a specific OS patch to access SSL VPN services. The host check only works on Windows platforms. This means that MacOS/Linux users can always logon (assuming they have the correct user name and password) as the patch check is not applied to them. Options defined in the SSL VPN user group settings support this function (CLI only):

Variable

set sslvpn-os-check {disable enable}

config sslvpn-os-check- list {windows-2000 windows-xp}

set action {allow check-up-to-date deny}

set latest-patch-level {disable 0 - 255}

set tolerance {tolerance_num}

Description

Enable or disable SSL VPN OS patch level check. Default disable.

Configure the OS of the patch level check. Available when set sslvpn-os-checkis set to enable.

Specify how to perform the patch level check.

•allow - any level is permitted

•check-up-to-date - some patch levels are permitted, make selections for latest-patch-leveland tolerance

•deny - OS version does not permit access Available when set sslvpn-os-checkis set to check-up-to-date.

Specify the latest allowed patch level. Default 4 for Windows 2000, 2 for Windows XP.

Available when action is set to enable.

Specify the lowest allowable patch level tolerance. Equals latest-patch-levelminus tolerance and above. Default for Windows 2000 and Windows XP is 0.

Available when action is set to check-up-to-date.

Configuration Example

The following configuration allows a Windows 2000 user with patch level 2

(latest-patch-levelminus tolerance) and above permission to access SSL VPN services, as well as any Windows XP users.

config vpn ssl settings set sslvpn-enable enable set tunnel-endip 10.1.1.10 set tunnel-startip 10.1.1.1

end

config user group edit "g1"

set group-type sslvpn

set sslvpn-tunnel enable

set sslvpn-tunnel-startip 10.1.1.1 set sslvpn-tunnel-endip 10.1.1.10 set sslvpn-webapp enable

set sslvpn-os-check enable

config sslvpn-os-check-list "windows-2000" set action check-up-to-date

set latest-patch-level 3

	FortiOS v3.0 MR7 SSL VPN User Guide
54	01-30007-0348-20080718

Image 54

Contents E R G U I D E FortiGate v3.0 MR7 SSL VPN User Guide TrademarksContents SSL VPN host OS patch check Configuring SSL VPN settingsWorking with the web portal Starting a session from the Tools areaTunnel-mode features IndexLogging out Page Introduction About FortiGate SSL VPNAbout this document Document conventionsFortiGate documentation Typographic conventionsRelated documentation FortiManager documentationFortiAnalyzer documentation FortiClient documentationFortiMail documentation Fortinet Tools and Documentation CDCustomer service and technical support Comments on Fortinet technical documentationConfiguring a FortiGate SSL VPN Comparison of SSL and IPSec VPN technologyAccess control Legacy versus web-enabled applicationsAuthentication differences Connectivity considerationsWeb-only mode SSL VPN modes of operationSession failover support Web-only mode client requirements Tunnel modeTopology Tunnel-mode client requirementsExample SSL VPN configuration Infrastructure requirementsConfiguration overview Configuring the SSL VPN clientUsing the SSL VPN Virtual Desktop SSL VPN Virtual Desktop applicationTo download and run the SSL VPN Virtual Desktop application Configuring the SSL VPN client To download the SSL VPN Virtual Desktop, select Using the SSL VPN standalone tunnel clients To connect to a web server from the Tools areaTo ping a host or server behind the FortiGate unit To download the SSL VPN standalone tunnel client Windows Firmware Images selection on Fortinet customer support siteFortiClientSSLVPNSetup3.0.384.exe or Server Address PasswordSave user name and password , and Keep connection alive UsernameTo download the SSL VPN standalone tunnel client Linux Configuring the SSL VPN client Configuring a FortiGate SSL VPN To use the SSL VPN standalone tunnel client Linux User Enter your user name PasswordAdvanced settings ServerTo uninstall the SSL VPN standalone tunnel client Linux To download the SSL VPN standalone tunnel client MacOSUse Client File Path Configuring the SSL VPN client To uninstall the SSL VPN standalone tunnel client MacOS To use the SSL VPN standalone tunnel client MacOSConfiguring SSL VPN settings Enabling SSL VPN connections and editing SSL VPN settingsSee Specifying the cipher suite for SSL negotiations Go to System Admin Settings Specifying a port number for web portal connectionsSpecifying an IP address range for tunnel-mode clients Setting the idle timeout setting Specifying the cipher suite for SSL negotiationsTo add a custom caption Go to VPN SSL Config Setting the client authentication timeout settingAdding Wins and DNS services for clients Adding a custom caption to the web portal homeConfiguring user accounts and SSL VPN user groups Customizing the web portal loginDisable To create a user account in the Local domainUser Name To create a user group Configuring user accounts and SSL VPN user groups Configuring firewall policies Configuring firewall addresses Configuring Web-only firewall policiesTo specify the destination IP address To define the firewall policy for web-only mode connections Configuring tunnel-mode firewall policies To specify the source IP addressSubnet2 To define the firewall policy for tunnel-mode operationsConfiguring SSL VPN event-logging User AuthenticationAvailable Groups To view SSL VPN event logs Go to Log&Report Log Access Monitoring active SSL VPN sessionsDelete Configuring SSL VPN bookmarks and bookmark groupsViewing the SSL VPN bookmark list See also Configuring SSL VPN bookmarks Create New BookmarkConfiguring SSL VPN bookmark groups Viewing the SSL VPN Bookmark Groups listAssigning SSL VPN bookmark groups to SSL VPN users Variable Configuration ExampleSSL VPN host OS patch check DescriptionSSL VPN configuration for unique access permissions Enable SSL-VPN Settings Group1 user group attributes Source/destination firewall addresses Public IP To view the SSL VPN policies, go to Firewall Policy SSL VPN virtual interface ssl.root Firewall policy listInternet browsing policy Source Ssl.root Source address Peer network policy Source Ssl.root Source addressSSL VPN dropping connections SSL VPN dropping connections SSL VPN dropping connections Connecting to the FortiGate unit To log in to the FortiGate secure Http gatewayWeb portal home page features FortiGate SSL VPN Remote Access Web Portal Launching web portal applications URL re-writingBookmark Adding a bookmark to the My Bookmarks listAdd Bookmark DetailsTitle Host Name/IP, or Shared File FolderTo add a telnet connection and start a telnet session 10.10.10.10To add an FTP connection and start an FTP session To add a SMB/CIFS connection and start a SMB session Launching web portal applications To add a VNC connection and start a VNC session To add a RDP connection and start a RDP session Working with the web portal To add a SSH connection and start a SSH session 192.168.1.3See also Tunnel-mode features Starting a session from the Tools areaTo start a telnet session from the Tools area Working with the ActiveX/Java Platform plug-in To download and install the ActiveX/Java Platform plugin To initiate a VPN tunnel with the FortiGate unitUninstalling the ActiveX/Java Platform plugin To uninstall the ActiveX/Java Platform pluginLogging out Logging out Index URL Index Page