Date post: | 15-Jan-2016 |
Category: |
Documents |
Upload: | benjamin-hart |
View: | 218 times |
Download: | 0 times |
SSL VPN
Module Objectives
• By the end of this module participants will be able to:• Identify the VPN technologies available on the
FortiGate device
• Identify and configure the SSL VPN operating modes
• Define an SSL VPN user group
• Configure SSL VPN portals
• Configure firewall policies and authentication rules for SSL VPNs
Virtual Private Networks (VPN)
CorporateOffice
BranchOffice
VPN
Virtual Private Networks (VPN)
CorporateOffice
BranchOffice
VPN
•Use public network to provide access to private network• Create secure tunnel to protect data transferred between offices, or allow users to access private data from remote locations
FortiGate VPN
•Typically used to secure web transactions•HTTPS link created to securely transmit application data between client and server•Client signs on through secure web page (SSL VPN portal) on the FortiGate device
VPN
SSL VPN
•Well suited for network-based legacy applications•Secure tunnel created between two host devices• IPSec VPN can be configured between FortiGate unit and most third-party IPSec VPN devices or clients
IPSec VPN
SSL VPN Web-Only Mode
Connection of remote user to SSL VPN Portal (HTTPS Web Site)Tunnel created
AuthenticatePortal web page presented
Click bookmark to access resource
Click here to read more about FortiGate SSL VPN operating modes
SSL VPN Tunnel Mode
Enter URL of SSL VPN Portal
Tunnel created
Authenticate
Portal web page presented
Fortinet SSL VPN Client downloaded
Click here to read more about FortiGate SSL VPN operating modes
Resources accessed
User Groups
Allow SSL-VPN Access
LondonChicagoParis
Firewall user group
Authentication
Username and Password (one factor)
FortiToken (two factor)+
Portals
LondonChicagoParis
Web access Tunnel access Full access
SSL VPN Server Certificate
• Certificate presented to client initiating SSL VPN session• FortiGate device uses a self-signed certificate by default
•Use certificates issued by trusted Certificate Authority to avoid web browser security warnings
Encryption Key Algorithm
• Level of encryption used for SSL VPN connections• High, Default, Low
• The default setting is RC4 (128 bits) and higher• If set to High, SSL VPN connections with clients that cannot meet this standard will fail
SSL VPN Web-only Mode Configuration
• Enable SSL VPN on the FortiGate unit• Create an SSL VPN user group and set SSL VPN portal type to web-access• Add users to SSL VPN user group• Create an SSL VPN firewall policy• Edit authentication rule in firewall policy to add SSL VPN user groups and required protocols
SSL VPN Tunnel Mode Configuration
• Enable SSL VPN and select IP Pool• Create an SSL VPN user group and set SSL VPN portal type:• tunnel-access or full-access
• Create a static route• Destination = the IP Pool
• Device = ssl.root
• Add users to SSL VPN user group• Create an SSL VPN firewall policy to authenticate the users• Add SSL VPN user groups and required protocols
• Create at least one additional firewall policy• Source = sslvpn tunnel interface
• Destination = the internal network
• Action is ACCEPT
Web Portal Interface
•Web page displayed when client logs into SSL VPN• Includes widgets to access functionality on the portal (such as bookmarks and connection tools)• Software download option for tunnel mode•Default SSL VPN web portal page is accessible at:https://<FortiGate IP address>:10443
(port 443 can be used in actual deployments as this port is typically open on firewalls)
Full-Access Web Portal Interface
Tunnel Mode Split-Tunneling
•Only traffic destined for the tunnel IP range network will be routed over the SSL VPN• If access to another inside network is desired, the client will need to create a static route pointing to their own SSL VPN interface• Associated firewall policies must exist
Client Integrity Checking
• SSL VPN gateway checks client system•Detects client protection applications (for example, antivirus and personal firewall)•Determines state of applications (active/inactive, current version number and signature updates)• Examples include Cisco Network Admission Control (NAC), MS Network Access Protection (NAP), Trusted Computing Group’s (TCG) Trusted Network Connect
Client Integrity Checking
Client Integrity Checking
• Relies on external vendors to ensure client integrity (not implemented by all SSL VPN vendors)• Requires administrators to determine
appropriate version/signature versions and policy• Easily outdated, limiting the
protection provided
SSL VPN Group
• The SSL VPN group will be created with full-access and appropriate users selected
• The SSL VPN Active X control only needs to be downloaded once
SSL VPN Tunnel Mode Connection
• A new network connection called fortissl is created• The connection obtains a virtual IP address• This virtual adapter becomes the preferred default
route if split tunneling is disabled
• The web portal page will display the status of the SSL VPN client ActiveX control• The portal web page must remain open for the tunnel to function
SSL VPN Client Port Forward
• Port Forward Mode extends applications supported by Web Application Mode• Application Types:• PortForward: for generic port forward application
• Citrix: for Citrix server web interface access
• RDPNative: for Microsoft Windows native RDP client over port forward
• Configured though the CLI using:config vpn ssl web portal
edit “SSL Access”
set allow-access citrix rdpnative portforward
end
SSL VPN Client Port Forward
SSL VPN IPv6 Support
SSL-VPN Policy De-Authentication
• Firewall policy authentication session is associated with SSL VPN tunnel session• Forces expiration of firewall policy authentication session when associated SSL VPN tunnel session is ended by user• Prevents reuse of authenticated SSL VPN firewall
policies (not yet expired) by a different user after the initial user terminates their SSL VPN tunnel session
SSL VPN Access Modes
Web Mode
• No client software required (web browser only)
• Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
• Java applets for RDP, VNC, TELNET, SSH
Web Mode
• No client software required (web browser only)
• Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
• Java applets for RDP, VNC, TELNET, SSH
Tunnel Mode
• Uses FortiGate-specific client downloaded to PC (ActiveX or Java applet)
• Requires admin/root privilege to install layer-3 tunnel adaptor
Tunnel Mode
• Uses FortiGate-specific client downloaded to PC (ActiveX or Java applet)
• Requires admin/root privilege to install layer-3 tunnel adaptor
Port Forward Mode
• Java applet works as a local proxy to intercept specific TCP port traffic then encrypt in SSL
• Downloaded to client PC and installed without admin/root privileges
• Client App must point to Java applet
Port Forward Mode
• Java applet works as a local proxy to intercept specific TCP port traffic then encrypt in SSL
• Downloaded to client PC and installed without admin/root privileges
• Client App must point to Java applet
Labs
• Lab - SSL VPN• Configuring SSL VPN for Web Access
• Using the SSL VPN for RDP Access
• Configuring the SSL VPN Tunnel Mode with Split Tunneling
Click here for step-by-step instructions on completing this lab
Student Resources
Click here to view the list of resources used in this module