Fortinet FORTIOS V3.0 MR7 - page 47

Configuring a FortiGate SSL VPN Configuring firewall policies

FortiOS v3.0 MR7 SSL VPN User Guide

01-30007-0348-20080718 47

3From the Type list, select Subnet/IP Range.

4In the Subnet/IP Range field, type the corresponding IP address and subnet mask

(for example, 172.16.10.0/24). If the remote client’s IP address is unknown,

the Subnet/IP Range should be “all”, with 0.0.0.0/0.0.0.0 as the address used.

5In the Interface field, select the interface to the internal (private) network.

6Select OK.

To specify the destination IP address

1Go to Firewall > Address and select Create New.

2In the Address Name field, type a name that represents the local network,

server(s), or host(s) to which IP packets may be delivered (for example,

Subnet_2).

3In the Subnet/IP Range field, type the corresponding IP address (for example,

192.168.22.0/24 for a subnet, or 192.168.22.2/32 for a server or host), or

IP address range (192.168.22.[10-25]).

4In the Interface field, select the interface to the external (public) network.

5Select OK.

To define the firewall policy for tunnel-mode operations

1Go to Firewall > Policy and select Create New.

2Enter these settings:

Note: To provide access to a single host or server, you would type an IP address like

172.16.10.2/32. To provide access to two servers having contiguous IP addresses, you

would type an IP address range like 172.16.10.[4-5].

Source Interface/Zone

Select the FortiGate interface that accepts connections from

remote users (for example, external).

Address Name

Select the name that corresponds to the IP address of the remote

user.

Destination Interface/Zone

Select the FortiGate interface to the local private network (for

example, internal).

Address Name

Select the IP destination address that you defined previously for

the host(s), server(s), or network behind the FortiGate unit (for

example, Subnet_2).

Service Select ANY.

Action Select SSL-VPN.

SSL Client Certificate

Restrictive Select to allow traffic generated by holders of a (shared) group

certificate, for example, a user group containing PKI peers/users.

The holders of the group certificate must be members of an SSL

VPN user group, and the name of that user group must be present

in the Allowed field.

Contents

Main Page Contents Configuring a FortiGate SSL VPN .................................................. 13 Working with the web portal........................................................... 65 Page Page Introduction About FortiGate SSL VPN About this document Document conventions ! Typographic conventions FortiGate documentation Related documentation FortiManager documentation FortiClient documentation FortiMail documentation FortiAnalyzer documentation Fortinet Tools and Documentation CD Fortinet Knowledge Center Customer service and technical support Configuring a FortiGate SSL VPN Comparison of SSL and IPSec VPN technology Legacy versus web-enabled applications Authentication differences Connectivity considerations Relative ease of use Client software requirements SSL VPN modes of operation Web-only mode Web-only mode client requirements Tunnel mode Tunnel-mode client requirements Topology Infrastructure requirements Configuration overview Configuring the SSL VPN client SSL VPN Virtual Desktop application. Using the SSL VPN Virtual Desktop Page Page Using the SSL VPN standalone tunnel clients Page Page Page Page Page Page Page Page Page Page Configuring SSL VPN settings Enabling SSL VPN connections and editing SSL VPN settings Page Specifying a port number for web portal connections Specifying an IP address range for tunnel-mode clients ! Enabling strong authentication through security certificates Specifying the cipher suite for SSL negotiations Setting the idle timeout setting Setting the client authentication timeout setting Adding a custom caption to the web portal home page Adding WINS and DNS services for clients Redirecting a user group to a popup window Customizing the web portal login page Configuring user accounts and SSL VPN user groups Page Page Page Configuring firewall policies Configuring firewall addresses Configuring Web-only firewall policies Page Configuring tunnel-mode firewall policies Page Configuring SSL VPN event-logging Monitoring active SSL VPN sessions Configuring SSL VPN bookmarks and bookmark groups Viewing the SSL VPN bookmark list Configuring SSL VPN bookmarks Viewing the SSL VPN Bookmark Groups list Configuring SSL VPN bookmark groups Assigning SSL VPN bookmark groups to SSL VPN users SSL VPN host OS patch check Configuration Example Granting unique access permissions for SSL VPN tunnel user groups Sample configuration for unique access permissions with tunnel mode user groups Page Page Page SSL VPN virtual interface (ssl.root) To allow ssl users to browse the Internet through the FortiGate unit: To allow SSL-tunnel users to access a policy-based VPN peer network: SSL VPN dropping connections Page Page Working with the web portal Connecting to the FortiGate unit Web portal home page features Page Launching web portal applications URL re-writing Adding a bookmark to the My Bookmarks list Page Page Page Page Page Page To add a RDP connection and start a RDP session 5Select OK. Page Page Page Starting a session from the Tools area Tunnel-mode features Working with the ActiveX/Java Platform plug-in Page Uninstalling the ActiveX/Java Platform plugin Logging out Page Index A B C D K L M N O V W X