SSL VPN
Date post: 15-Jan-2016
Upload: benjamin-hart
Page 1: SSL VPN. Module Objectives By the end of this module participants will be able to: Identify the VPN technologies available on the FortiGate device Identify.

SSL VPN

Page 2: Module Objectives

• By the end of this module participants will be able to:
  • Identify the VPN technologies available on the FortiGate device
  • Identify and configure the SSL VPN operating modes
  • Define an SSL VPN user group
  • Configure SSL VPN portals
  • Configure firewall policies and authentication rules for SSL VPNs

Page 3: Virtual Private Networks (VPN)

[Diagram: Corporate Office and Branch Office connected by a VPN]

Page 4: Virtual Private Networks (VPN)

[Diagram: Corporate Office and Branch Office connected by a VPN]

• Use a public network to provide access to a private network
• Create a secure tunnel to protect data transferred between offices, or to allow users to access private data from remote locations

Page 5: FortiGate VPN

VPN

SSL VPN
• Typically used to secure web transactions
• An HTTPS link is created to securely transmit application data between client and server
• The client signs on through a secure web page (the SSL VPN portal) on the FortiGate device

IPSec VPN
• Well suited for network-based legacy applications
• A secure tunnel is created between two host devices
• IPSec VPN can be configured between a FortiGate unit and most third-party IPSec VPN devices or clients

Page 6: SSL VPN Web-Only Mode

[Flow diagram]
• Remote user connects to the SSL VPN portal (HTTPS web site)
• Tunnel created
• Authenticate
• Portal web page presented
• Click bookmark to access resource

Page 7: SSL VPN Tunnel Mode

[Flow diagram]
• Enter URL of the SSL VPN portal
• Tunnel created
• Authenticate
• Portal web page presented
• Fortinet SSL VPN client downloaded
• Resources accessed

Page 8: User Groups

[Diagram: firewall user group (London, Chicago, Paris) with "Allow SSL-VPN Access" enabled]

Page 9: Authentication

• Username and password (one factor)
• Username and password + FortiToken (two factor)

Page 10: Portals

[Diagram: London, Chicago and Paris assigned to portals of type web access, tunnel access and full access]

Page 11: SSL VPN Server Certificate

• The certificate is presented to the client initiating the SSL VPN session
• The FortiGate device uses a self-signed certificate by default
• Use a certificate issued by a trusted Certificate Authority to avoid web browser security warnings
• Users who are trained to click through the warning for the self-signed certificate cannot tell the real portal from an interception of it; a CA-issued certificate whose subject matches the portal hostname removes the warning and restores that check

Page 12: Encryption Key Algorithm

• Level of encryption used for SSL VPN connections: High, Default or Low
• The default setting is RC4 (128 bits) and higher
• If set to High, SSL VPN connections from clients that cannot meet this standard will fail
• RC4 is no longer considered secure (RFC 7465 prohibits its use in TLS), so High is the appropriate setting; a client that cannot negotiate a stronger cipher should fail rather than silently fall back

Page 13: SSL VPN Web-only Mode Configuration

• Enable SSL VPN on the FortiGate unit
• Create an SSL VPN user group and set the SSL VPN portal type to web-access
• Add users to the SSL VPN user group
• Create an SSL VPN firewall policy
• Edit the authentication rule in the firewall policy to add the SSL VPN user groups and required protocols

Page 14: SSL VPN Tunnel Mode Configuration

• Enable SSL VPN and select an IP pool
• Create an SSL VPN user group and set the SSL VPN portal type: tunnel-access or full-access
• Create a static route
  • Destination = the IP pool
  • Device = ssl.root
• Add users to the SSL VPN user group
• Create an SSL VPN firewall policy to authenticate the users
  • Add SSL VPN user groups and required protocols
• Create at least one additional firewall policy
  • Source = sslvpn tunnel interface
  • Destination = the internal network
  • Action is ACCEPT

Page 15: Web Portal Interface

• Web page displayed when the client logs into the SSL VPN
• Includes widgets to access functionality on the portal (such as bookmarks and connection tools)
• Software download option for tunnel mode
• The default SSL VPN web portal page is accessible at https://<FortiGate IP address>:10443 (port 443 can be used in actual deployments, as this port is typically open on firewalls)
• If the portal is moved to 443, make sure the administrative HTTPS port (admin-sport) on that interface is not also 443, and keep administrative access off the external interface altogether

Page 16: Full-Access Web Portal Interface

Page 17: Tunnel Mode Split-Tunneling

• Only traffic destined for the tunnel IP range network is routed over the SSL VPN
• If access to another inside network is desired, the client needs to create a static route pointing to its own SSL VPN (fortissl) interface
• The associated firewall policies must exist
• With split tunneling the client is attached to its local network and the corporate network at the same time, so its own host protection matters more; disable split tunneling when all client traffic must pass through the FortiGate

Page 18: Client Integrity Checking

• The SSL VPN gateway checks the client system
• Detects client protection applications (for example, antivirus and personal firewall)
• Determines the state of those applications (active/inactive, current version number and signature updates)
• Examples include Cisco Network Admission Control (NAC), MS Network Access Protection (NAP), Trusted Computing Group's (TCG) Trusted Network Connect

Page 19: Client Integrity Checking

Page 20: Client Integrity Checking

• Relies on external vendors to ensure client integrity (not implemented by all SSL VPN vendors)
• Requires administrators to determine the appropriate version/signature versions and policy
• Easily outdated, limiting the protection provided
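Both portal-level controls discussed above, split tunneling (page 17) and client integrity checking (pages 18 to 20), live in the same portal object. The following is an added example in FortiOS 4.0 MR3-era syntax, not code from the original slides; the portal name split-access, the pool SSLVPN_POOL and the DNS server address are assumptions, and field names should be checked against your version's CLI reference. Lines starting with # are commentary; strip them before pasting.

```fortios
# Added example, not from the original slides. FortiOS 4.0 MR3-era syntax;
# the portal name, pool name and DNS address are assumptions.
config vpn ssl web portal
    edit "split-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-mode range
        set ip-pools "SSLVPN_POOL"
        # Split tunneling: only the routes the FortiGate pushes go through the
        # fortissl adapter; everything else keeps using the client's own
        # default route. Set to disable to force all client traffic through
        # the tunnel (fortissl then becomes the default route).
        set split-tunneling enable
        set dns-server1 192.168.1.10
        # Client integrity checking: refuse tunnel-mode logins from hosts
        # without a recognised antivirus and personal firewall. The built-in
        # av-fw list is the vendor-supplied check the critique above refers
        # to: its version and signature expectations age with the firmware.
        set host-check av-fw
        # Reject clients on platforms the host-check engine cannot inspect
        # rather than letting them through unchecked.
        set skip-check-for-unsupported-os disable
    next
end
```

Assign the portal to the group with set sslvpn-portal "split-access" under config user group; the firewall policies from the tunnel-mode configuration still decide which internal destinations the split-tunneled clients can reach.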

Page 21: SSL VPN Group

• The SSL VPN group is created with the full-access portal and the appropriate users selected
• The SSL VPN ActiveX control only needs to be downloaded once

Page 22: SSL VPN Tunnel Mode Connection

• A new network connection called fortissl is created
• The connection obtains a virtual IP address
• This virtual adapter becomes the preferred default route if split tunneling is disabled
• The web portal page displays the status of the SSL VPN client ActiveX control
• The portal web page must remain open for the tunnel to function

Page 23: SSL VPN Client Port Forward

• Port Forward Mode extends the applications supported by Web Application Mode
• Application types:
  • PortForward: for generic port forward applications
  • Citrix: for Citrix server web interface access
  • RDPNative: for the Microsoft Windows native RDP client over port forward
• Configured through the CLI using:

    config vpn ssl web portal
        edit "SSL Access"
            set allow-access citrix rdpnative portforward
        next
    end

• Note that set replaces the whole allow-access list, so repeat the services already enabled on the portal (or use append instead of set) to avoid silently removing them

Page 24: SSL VPN Client Port Forward

Page 25: SSL VPN IPv6 Support

Page 26: SSL-VPN Policy De-Authentication

• The firewall policy authentication session is associated with the SSL VPN tunnel session
• Forces expiration of the firewall policy authentication session when the associated SSL VPN tunnel session is ended by the user
• Prevents reuse of authenticated SSL VPN firewall policies (not yet expired) by a different user after the initial user terminates their SSL VPN tunnel session

Page 27: SSL VPN Access Modes

Web Mode
• No client software required (web browser only)
• Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
• Java applets for RDP, VNC, TELNET, SSH

Tunnel Mode
• Uses a FortiGate-specific client downloaded to the PC (ActiveX or Java applet)
• Requires admin/root privilege to install the layer-3 tunnel adaptor

Port Forward Mode
• A Java applet works as a local proxy to intercept specific TCP port traffic, then encrypts it in SSL
• Downloaded to the client PC and installed without admin/root privileges
• The client application must point to the Java applet

Page 28: Labs

• Lab - SSL VPN
  • Configuring SSL VPN for Web Access
  • Using the SSL VPN for RDP Access
  • Configuring the SSL VPN Tunnel Mode with Split Tunneling

Page 29: Student Resources