Introduction
SSL VPN access is given to users who need temporary access to the MWS network, with finer-grained control over who has access to which resources. The downside of this set-up is a limited number of concurrent connections, determined by the licences available on the FortiGate.
High-level procedures:
Info taken from: http://whitehat.williamlee.org/2010/05/fortigate-ssl-vpn-how-to.html
1) Set up user group(s) that allow SSL VPN access and include the intended users
2) Set up user account(s)
3) Set up the tunnel mode IP address range
4) Add the tunnel mode IP address range to a static route
5) Load the private key and certificate onto the box
6) Enable SSL VPN and specify 8443 as the SSL VPN portal TCP port
7) Create a firewall policy to allow SSL VPN and/or tunnel mode access
8) Restart the firewall to allow login from the web site on port 8443
b. Set the IP pools to the SSL_VPN_tunnel_ip_range
c. I set the encryption key algorithm to high
d. Change the login port to 8443 from 10443
e. DNS server 1 to the DC in my LAN (even though it is on a different subnet): 192.168.0.1
f. DNS server 2 to my ISP: 165.21.83.88
g. WINS server 1 to my DC in my LAN: 192.168.0.1
h. Go to VPN > SSL > Portal; this is where the tunnel mode settings for connected users are enabled
i. There should be one policy there; you can click SSL VPN. Right-click and choose Edit
j. Click Settings
k. Enabled HTTP/HTTPS, RDP, PING, RDPnative, changed the theme to Gray, and set the portal message: Welcome to Our SSL VPN Service
l. At the tunnel mode, click on the pen to edit the settings:
   i. change IP mode to user group
   ii. set ip-pools to SSL_VPN_tunnel_IP_range
   iii. tick split-tunneling
m. Remember to SAVE the settings or they will not be saved; this is the APPLY button at the top of the page while in the portal screen.
7) For the firewall policy, see the Firewall Policy Configuration settings and screenshot below
8) Verify all admin settings and restart the firewall
a. Go to System > Admin > Settings
b. Check the HTTP and HTTPS ports. Ensure that all port configuration is okay.
c. Verify that the network interface for WAN1 or WAN2 is set correctly and that there is no NAT in between to block the SSL VPN connection
d. Enable PING access, HTTPS, HTTP and FMG-Access on the WAN connection that is used for the VPN
e. Restart the firewall: go to System > Dashboard > Dashboard and choose Restart
Firewall Policy Configuration
1) We need to specify the server addresses in the network address list. The first step in defining policies is to create the address entries:
   Name: Server-(something), e.g. Server-HR
   Address: 192.168.1.1/255.255.255.255
   Interface: Internal
   Type: Subnet
2) I am using WAN2 for my main internet connection.
3) The final rule needed to make the connection work is to allow this:
Note the 29.1, as it is a requirement to specify who (which user group) has access to the server.
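The port check in step 8b, the static route from step 4, the tunnel pool and the "which user group" requirement of the last firewall rule can all be verified offline before the restart. The script below is an added example, not code from the original how-to: the tunnel pool range, the LAN subnet masks, the policy IDs and the group name SSL_VPN_users are constructed sample values, and ssl.root is the FortiGate SSL VPN tunnel interface in the root VDOM.

```python
import ipaddress

def check_ports(sslvpn_port, admin_ports):
    """The SSL VPN portal port must not collide with admin HTTP/HTTPS (step 8b)."""
    return [f"SSL VPN port {sslvpn_port} collides with admin {name}"
            for name, port in admin_ports.items() if port == sslvpn_port]

def check_pool(pool, lan_subnets):
    """The tunnel IP pool must not overlap a LAN subnet, or replies are misrouted."""
    pool = ipaddress.ip_network(pool)
    return [f"tunnel pool {pool} overlaps LAN {s}"
            for s in map(ipaddress.ip_network, lan_subnets) if pool.overlaps(s)]

def check_route(pool, routes):
    """Step 4: a static route for the pool must point at the SSL VPN interface."""
    pool = ipaddress.ip_network(pool)
    if any(ipaddress.ip_network(r["dst"]) == pool and r["device"] == "ssl.root"
           for r in routes):
        return []
    return [f"no static route for {pool} via ssl.root"]

def check_policies(policies):
    """Every policy from the SSL VPN interface must name a user group."""
    return [f"policy {p['id']} has no user group"
            for p in policies if p["srcintf"] == "ssl.root" and not p.get("groups")]

def run_checks(cfg):
    """Return a list of findings; an empty list means the set-up is consistent."""
    return (check_ports(cfg["sslvpn_port"], cfg["admin_ports"])
            + check_pool(cfg["tunnel_pool"], cfg["lan_subnets"])
            + check_route(cfg["tunnel_pool"], cfg["static_routes"])
            + check_policies(cfg["policies"]))

# Constructed sample mirroring the how-to; the tunnel pool range and the
# LAN subnet masks are assumptions, the page only gives the host addresses.
SAMPLE_CFG = {
    "sslvpn_port": 8443,
    "admin_ports": {"HTTP": 80, "HTTPS": 443},
    "tunnel_pool": "10.212.134.0/24",
    "lan_subnets": ["192.168.0.0/24", "192.168.1.0/24"],
    "static_routes": [{"dst": "10.212.134.0/24", "device": "ssl.root"}],
    "policies": [{"id": 1, "srcintf": "ssl.root", "dstintf": "internal",
                  "dstaddr": "Server-HR", "groups": ["SSL_VPN_users"]}],
}

if __name__ == "__main__":
    for line in run_checks(SAMPLE_CFG) or ["all checks passed"]:
        print(line)
```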