Contents
Introduction (p. 7)
About FortiGate SSL VPN (p. 7)
About this document (p. 8)
Document conventions (p. 8)
FortiGate documentation (p. 9)
Related documentation (p. 10)
FortiManager documentation (p. 10)
FortiClient documentation (p. 11)
FortiMail documentation (p. 11)
FortiAnalyzer documentation (p. 11)
Fortinet Knowledge Center (p. 11)
Relative ease of use (p. 14)
Access control (p. 14)
SSL VPN modes of operation (p. 15)
Port-forwarding mode (p. 16)
Client requirements (p. 17)
Tunnel mode (p. 17)
Configuration overview (p. 20)
Configuring the SSL VPN client (p. 20)
FortiOS v3.0 MR7 SSL VPN User Guide
01-30007-0348-20080718
3
Configuring SSL VPN settings (p. 36)
Setting the idle timeout setting (p. 40)
Configuring firewall policies (p. 45)
Configuring pass through for port-forwarding mode (p. 48)
SSL VPN host OS patch check (p. 56)
groups (p. 58)
SSL VPN virtual interface (ssl.root) (p. 62)
SSL VPN dropping connections (p. 64)
Connecting to the FortiGate unit (p. 65)
Web portal home page features (p. 66)
URL re-writing (p. 68)
Tunnel-mode features (p. 80)
Introduction
This section introduces you to FortiGate™ Secure Sockets Layer (SSL) VPN
technology and provides supplementary information about Fortinet™ publications.
The following topics are included in this section:
• About FortiGate SSL VPN
• About this document
• FortiGate documentation
• Related documentation
• Customer service and technical support
About FortiGate SSL VPN
FortiGate SSL VPN technology makes it safe to do business over the Internet. In
addition to encrypting and securing information sent from a web browser to a web
server, FortiGate SSL VPN can be used to encrypt most Internet-based traffic.
With the FortiGate unit’s built-in SSL VPN capabilities, small home offices,
medium-sized businesses, enterprises, and service providers can ensure the
confidentiality and integrity of data transmitted over the Internet. The FortiGate
unit provides enhanced authentication and restricted access to company network
resources and services.
The two modes of SSL VPN operation, supported in NAT/Route mode only, are:
• web-only mode, for thin remote clients equipped with a web browser only
• tunnel mode, for remote computers that run a variety of client and server
applications
When the FortiGate unit provides services in web-only mode, a secure web
connection between the remote client and the FortiGate unit is established using
the SSL VPN security in the FortiGate unit and the SSL security in the web
browser. After the connection has been established, the FortiGate unit provides
access to selected services and network resources through a web portal.
Where users have complete administrative rights over their computers and use a
variety of applications, tunnel mode allows remote clients to access the local
internal network as if they were connected to the network directly. In tunnel mode,
a secure SSL connection is established initially for the FortiGate unit to download
SSL VPN client software (an ActiveX plugin) to the web browser. After the user
installs the SSL VPN client software, they can initiate a VPN tunnel with the
FortiGate unit whenever the SSL connection is open.
When the SSL VPN feature is used, all client traffic is encrypted and sent to the
SSL VPN gateway. This includes both traffic intended for the private network and
Internet traffic that is normally sent unencrypted. Split tunneling ensures that only
the traffic for the private network is sent to the SSL VPN gateway, while Internet
traffic is sent through the usual unencrypted route. This conserves bandwidth and
alleviates bottlenecks. The split tunneling feature is not enabled by default.
Whether to use web-only or tunnel mode depends on the number and type of
applications installed on the remote computer. Access to any application not
supported through web-only mode can be supported through tunnel mode. For
more information about these modes of operation, see “Configuring a FortiGate
About this document
This document explains how to configure SSL VPN operation using the web-
based manager and contains the following chapters:
• Configuring a FortiGate SSL VPN describes the two modes of operation,
recommends a deployment topology, and provides an overview of the
associated infrastructure dependencies. The high-level steps for configuring
each mode of operation are also included with cross-references to underlying
procedures. This chapter also details the basic administrative tasks needed to
support the two modes of operation, and describes the additional step-by-step
procedures needed to configure each mode.
• Working with the web portal introduces the web portal applications and
explains how to work with them. The chapter also explains how to install the
ActiveX plugin and initiate a VPN tunnel when tunnel mode is enabled.
Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP
addresses.
• Notes and Cautions are used to provide important information:
Note: Highlights useful additional information.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographic conventions
FortiGate documentation uses the following typographical conventions:

Convention            Example
Keyboard input        In the Name field, type admin.
Code examples         config sys global
                      set ips-open enable
                      end
CLI command syntax    config firewall policy
                      edit id_integer
                      set http_retry_count <retry_integer>
                      set natip <address_ipv4mask>
                      end
Document names        FortiGate SSL VPN User Guide
File content          <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                      <BODY><H4>You must authenticate to use this service.</H4>
Menu commands         Go to VPN > SSL > Config.
Program output        Welcome!
Variables             <group_name>
FortiGate documentation
The most up-to-date publications and previous releases of Fortinet product
documentation are available from the Fortinet Technical Documentation web site
• FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference,
default configuration information, installation procedures, connection
procedures, and basic configuration procedures. Choose the guide for your
product model number.
• FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including
how to define FortiGate protection profiles and firewall policies; how to apply
intrusion prevention, antivirus protection, web content filtering, and spam
filtering; and how to configure a VPN.
• FortiGate online help
Provides a context-sensitive and searchable version of the Administration
Guide in HTML format. You can access online help from the web-based
manager as you work.
• FortiGate CLI Reference
Describes how to use the FortiGate CLI and contains a reference to all
FortiGate CLI commands.
• Message Reference
Describes the structure of FortiGate log messages and provides information
about the log messages that are generated by FortiGate units.
• FortiGate High Availability User Guide
Contains in-depth information about the FortiGate high availability feature and
the FortiGate clustering protocol.
• FortiGate IPS User Guide
Describes how to configure the FortiGate Intrusion Prevention System settings
and how the FortiGate IPS deals with some common attacks.
• FortiGate IPSec VPN User Guide
Provides step-by-step instructions for configuring IPSec VPNs using the web-
based manager.
• FortiGate SSL VPN User Guide
Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and
describes how to configure web-only mode and tunnel-mode SSL VPN access
for remote users through the web-based manager.
• FortiGate PPTP VPN User Guide
Explains how to configure a PPTP VPN using the web-based manager.
• FortiGate Certificate Management User Guide
Contains procedures for managing digital certificates including generating
certificate requests, installing signed certificates, importing CA root certificates
and certificate revocation lists, and backing up and restoring installed
certificates and private keys.
• FortiGate VLANs and VDOMs User Guide
Describes how to configure VLANs and VDOMs in both NAT/Route and
Transparent mode. Includes detailed examples.
Related documentation
Additional information about Fortinet products is available from the following
related documentation.
FortiManager documentation
• FortiManager QuickStart Guide
Explains how to install the FortiManager Console, set up the FortiManager
Server, and configure basic settings.
• FortiManager System Administration Guide
Describes how to use the FortiManager System to manage FortiGate devices.
• FortiManager System online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the FortiManager Console as you work.
FortiClient documentation
• FortiClient Host Security User Guide
Describes how to use FortiClient Host Security software to set up a VPN
connection from your computer to remote networks, scan your computer for
viruses, and restrict access to your computer and applications by setting up
firewall policies.
• FortiClient Host Security online help
Provides information and procedures for using and configuring the FortiClient
software.
FortiMail documentation
• FortiMail Administration Guide
Describes how to install, configure, and manage a FortiMail unit in gateway
mode and server mode, including how to configure the unit; create profiles and
policies; configure antispam and antivirus filters; create user accounts; and set
up logging and reporting.
• FortiMail online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
• FortiMail Web Mail Online Help
Describes how to use the FortiMail web-based email client, including how to
send and receive email; how to add, import, and export addresses; and how to
configure message display preferences.
FortiAnalyzer documentation
• FortiAnalyzer Administration Guide
Describes how to install and configure a FortiAnalyzer unit to collect FortiGate
and FortiMail log files. It also describes how to view FortiGate and FortiMail log
files, generate and view log reports, and use the FortiAnalyzer unit as a NAS
server.
• FortiAnalyzer online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
Fortinet Tools and Documentation CD
All Fortinet documentation is available from the Fortinet Tools and Documentation
CD shipped with your Fortinet product. The documents on this CD are current at
shipping time. For up-to-date versions of Fortinet documentation see the Fortinet
Fortinet Knowledge Center
Additional Fortinet technical documentation is available from the Fortinet
Knowledge Center. The knowledge center contains troubleshooting and how-to
articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to [email protected].
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your
network.
to learn about the technical support services that Fortinet provides.
Configuring a FortiGate SSL VPN
This section provides a comparison of SSL and IPSec VPN technology, in addition
to an overview of the two modes of SSL VPN operation. The high-level steps for
configuring each mode are also included with cross-references to underlying
procedures.
The following topics are included in this section:
Comparison of SSL and IPSec VPN technology
The FortiGate unit supports both SSL and IPSec VPN technologies. Each
combines encryption and VPN gateway functions to create private communication
channels over the Internet, which helps to defray physical network costs. Both
enable you to define and deploy network access and firewall policies using a
single management tool. In addition, both support a simple client/user
authentication process (including optional X.509 security certificates). You have
the freedom to use both technologies; however, one may be better suited to the
requirements of your situation.
In general, IPSec VPNs are a good choice for site-to-site connections where
appliance-based firewalls are used to provide network protection, and company
sanctioned client computers are issued to users. SSL VPNs are a good choice for
roaming users who depend on a wide variety of thin-client computers to access
enterprise applications and/or company resources from a remote location.
SSL and IPSec VPN tunnels may operate simultaneously on the same FortiGate
unit.
Legacy versus web-enabled applications
IPSec is well suited to network-based legacy applications that are not web-based.
As a layer 3 technology, IPSec creates a secure tunnel between two host devices.
IP packets are encapsulated by the VPN client and server software running on the
hosts.
SSL is typically used for secure web transactions in order to take advantage of
web-enabled IP applications. After a secure HTTP link has been established
between the web browser and web server, application data is transmitted directly
between selected client and server applications through the tunnel.
Authentication differences
IPSec is a well-established technology with robust features that support many
legacy products such as smart cards and biometrics.
SSL supports sign-on to a web portal front-end, from which a number of different
enterprise applications may be accessed. The Fortinet implementation enables
you to assign a specific port for the web portal and to customize the login page if
desired.
Connectivity considerations
IPSec supports multiple connections to the same VPN tunnel—a number of
remote VPN devices effectively become part of the same network.
SSL forms a connection between two end points such as a remote client and an
enterprise network. Transactions involving three (or more) parties are not
supported because traffic passes between client and server applications only.
Relative ease of use
Although managing IPSec VPNs has become easier, configuring SSL VPNs is
simple in comparison. IPSec protocols may be blocked or restricted by some
companies, hotels, and other public places, whereas the SSL protocol is usually
unrestricted.
Client software requirements
Dedicated IPSec VPN software must be installed on all IPSec VPN peers and
clients and the software has to be configured with compatible settings.
To access server-side applications with SSL VPN, the remote user must have a
web browser (Internet Explorer, Netscape, or Mozilla/Firefox), and, if Telnet or RDP
are used, the Sun Java runtime environment. Tunnel-mode client computers must
also have ActiveX (IE) or the Java Platform (Mozilla/Firefox) enabled.
Access control
IPSec VPNs provide secure network access only. Access to the network
resources on a corporate IPSec VPN can be enabled for specific IPSec peers
and/or clients. The amount of security that can be applied to users is limited.
SSL VPNs provide secure access to certain applications. Web-only mode
provides remote users with access to server applications from any thin client
computer equipped with a web browser. Tunnel-mode provides remote users with
the ability to connect to the internal network from laptop computers as well as
airport kiosks, Internet cafes, and hotels. Access to SSL VPN applications is
controlled through user groups.
Session failover support
In a FortiGate high availability (HA) cluster with session pickup enabled, session
failover is supported for IPSec VPN tunnels. After an HA failover, IPSec VPN
tunnel sessions will continue with no loss of data.
Session failover is not supported by SSL VPN tunnels; however, cookie failover is
supported for communication between the SSL VPN client and the FortiGate unit.
This means that after a failover, the SSL VPN client can re-establish the SSL VPN
session without having to authenticate again. However, all sessions inside the
SSL VPN tunnel with resources behind the FortiGate unit will stop, and will
therefore have to be restarted.
SSL VPN modes of operation
When a remote client connects to the FortiGate unit, the FortiGate unit
authenticates the user based on user name, password, and authentication
domain. A successful login determines the access rights of remote users
according to user group. The user group settings specify whether the connection
You can enable a client integrity checker to scan the remote client. The integrity
checker probes the remote client computer to verify that it is “safe” before access
is granted. Security attributes recorded on the client computer (for example, in the
Windows registry, in specific files, or held in memory due to running processes)
are examined and uploaded to the FortiGate unit.
You can enable a cache cleaner to remove any sensitive data that would
otherwise remain on the remote computer after the session ends. For example, all
cache entries, browser history, cookies, encrypted information related to user
authentication, and any temporary data generated during the session are
removed from the remote computer. If the client’s browser cannot install and run
the cache cleaner, the user is not allowed to access the SSL-VPN portal.
Web-only mode
Web-only mode provides remote users with a fast and efficient way to access
server applications from any thin client computer equipped with a web browser.
Web-only mode offers true clientless network access using any web browser that
has built-in SSL encryption and the Sun Java runtime environment.
Support for SSL VPN web-only mode is built into the FortiOS operating system.
The feature comprises an SSL daemon running on the FortiGate unit, and a web
portal, which provides users with access to network services and resources
including HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP and SSH.