USER GUIDE FortiOS v3.0 MR7 SSL VPN User Guide www.fortinet.
FortiGate v3.0 MR7 SSL VPN User Guide 18 July 2008 01-30007-0348-20080718 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Introduction

This section introduces you to FortiGate™ Secure Sockets Layer (SSL) VPN technology and provides supplementary information about Fortinet™ publications. The following topics are included in this section:
• About FortiGate SSL VPN
• About this document
• FortiGate documentation
• Related documentation
• Customer service and technical support

About FortiGate SSL VPN

FortiGate SSL VPN technology makes it safe to do business over the Internet.

Whether to use web-only or tunnel mode depends on the number and type of applications installed on the remote computer. Access to any application not supported through web-only mode can be supported through tunnel mode. For more information about these modes of operation, see “Configuring a FortiGate SSL VPN” on page 13.

Typographic conventions

FortiGate documentation uses the following typographical conventions:

Convention        Example
Keyboard input    In the Name field, type admin.

• FortiGate CLI Reference
  Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
• FortiGate Log Message Reference
  Available exclusively from the Fortinet Knowledge Center, the FortiGate Log Message Reference describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.

FortiClient documentation

• FortiClient Host Security User Guide
  Describes how to use FortiClient Host Security software to set up a VPN connection from your computer to remote networks, scan your computer for viruses, and restrict access to your computer and applications by setting up firewall policies.
• FortiClient Host Security online help
  Provides information and procedures for using and configuring the FortiClient software.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.
Configuring a FortiGate SSL VPN

This section provides a comparison of SSL and IPSec VPN technology, in addition to an overview of the two modes of SSL VPN operation. The high-level steps for configuring each mode are also included with cross-references to underlying procedures.

Legacy versus web-enabled applications

IPSec is well suited to network-based legacy applications that are not web-based. As a layer 3 technology, IPSec creates a secure tunnel between two host devices. IP packets are encapsulated by the VPN client and server software running on the hosts. SSL is typically used for secure web transactions in order to take advantage of web-enabled IP applications.

SSL VPNs provide secure access to certain applications. Web-only mode provides remote users with access to server applications from any thin client computer equipped with a web browser. Tunnel-mode provides remote users with the ability to connect to the internal network from laptop computers as well as airport kiosks, Internet cafes, and hotels. Access to SSL VPN applications is controlled through user groups.

In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page and the user can access the server applications behind the FortiGate unit.

When the user initiates a VPN connection with the FortiGate unit through the SSL VPN client, the FortiGate unit establishes a tunnel with the client and assigns the client a virtual IP address from a range of reserved addresses. The client uses the assigned IP address as its source address for the duration of the connection. After the tunnel has been established, the user can access the network behind the FortiGate unit.

Figure 1: Example SSL VPN configuration (diagram labels: Remote client; Internet; FortiGate_1 with interfaces wan1, dmz 172.16.10.1 and internal 192.168.22.1; Subnet_1 172.16.10.0/24 with servers HTTP/HTTPS 172.16.10.2, Telnet 172.16.10.3, FTP 172.16.10.4 and SMB/CIFS 172.16.10.5; Subnet_2 192.168.22.0/24)

To provide remote clients with access to all of the servers on Subnet_1 from the Internet, you would configure FortiGate_1 as follows:
• Create an SSL VPN user group and include the remote users in the user group.

Configuration overview

Before you begin, install your choice of HTTP/HTTPS, telnet, SSH, FTP, SMB/CIFS, VNC, and/or RDP server applications on the internal network. As an alternative, these services may be accessed remotely through the Internet. All services must be running. Users must have individual user accounts to access the servers (these user accounts are not related to FortiGate user accounts or FortiGate user groups).
SSL VPN Virtual Desktop application. The virtual desktop application creates a virtual desktop on a user's PC and monitors the data read/write activity of the web browser running inside the virtual desktop. When the application starts, it presents a ‘virtual desktop’ to the user. The user starts the web browser from within the virtual desktop and connects to the SSL VPN web portal.

The FortiGate index page opens.
4 Select v3.0 and then MR7.
  This takes you to the page with firmware images for MR7.
5 Select SSL VPN Clients.
6 To download the SSL VPN Virtual Desktop, select SSLVPNVirtualDesktopSetup_3.0.384.exe and follow the InstallShield Wizard instructions.

Figure 2: FortiClient SSL VPN InstallShield Wizard welcome screen

7 To run the SSL VPN Virtual Desktop application, select Start > All Programs > FortiNet > SSL VPN Virtual Desktop > SSL VPN Virtual Desktop.
  The FortiGate unit may offer you a self-signed security certificate.

The FortiGate unit will redirect your web browser to the FortiGate SSL VPN Remote Access Web Portal home page automatically. The fields in the Tools area enable you to specify the URL or IP address of a host computer. If required, you can ping a host computer behind the FortiGate unit to verify connectivity to that host.
To download the SSL VPN standalone tunnel client (Windows)
1 Go to the Fortinet Technologies home page at http://support.fortinet.com/ and select Support.
2 Under Support, enter your user name and password.
  This takes you to the Fortinet customer support site.
3 Select Firmware Images and then FortiGate.

Figure 3: Firmware Images selection on Fortinet customer support site

  The FortiGate index page opens.
  This takes you to the page with firmware images for MR7.
5 Select SSL VPN Clients.
6 To download the SSL VPN Windows client application, select FortiClientSSLVPNSetup_3.0.384.exe or FortiClientSSLVPN_3.0_384.msi and follow the InstallShield Wizard instructions.

To use the SSL VPN standalone tunnel client (Windows)
1 Go to Start > All Programs > Fortinet > FortiClient SSL VPN > FortiClient SSL VPN.
  Server Address: Enter the IP address of the server you need to access.
  Username: Enter your user name.
  Password: Enter the password associated with your user account.
To download the SSL VPN standalone tunnel client (Linux)
1 Go to the Fortinet Technologies home page at http://support.fortinet.com/ and select Support.
2 Under Support, enter your user name and password.
  This takes you to the Fortinet customer support site.
3 Select Firmware Images and then FortiGate.
  The FortiGate index page opens.
4 Select v3.0 and then MR7.
  This takes you to the page with firmware images for MR7.
5 Select SSL VPN Clients.
6 To download the SSL VPN standalone tunnel client (Linux), select forticlientsslvpn_linux_3.0.384.tar.gz, extract the package file to a folder and run the client program ‘forticlientsslvpn’.

The FortiClient SSL VPN tunnel client (Linux) opens. After this initial setup is complete, a user with a normal (non-administrator) account can establish a SSL VPN tunnel session.

To use the SSL VPN standalone tunnel client (Linux)
1 Go to the folder that you downloaded the Linux tunnel client application into, and double-click on ‘forticlientsslvpn’.
  The FortiClient SSL VPN tunnel client (Linux) opens.
  Server: Enter the IP address of the server you need to access.
  User: Enter your user name.
  Password: Enter the password associated with your user account.
  Use Client Certificate (A PKCS #12 File)
    File Path: Enter the path to the certificate file, or browse to the location of the file.
    File Password: Enter the password associated with the certificate file.
  Use Proxy: Select to make it necessary for the user to utilize a proxy server.
    Proxy: Enter the IP address of the proxy server and the port identifier.
    User: Enter the user name of the client using the proxy server.
4 Select v3.0 and then MR7.
  This takes you to the page with firmware images for MR7.
5 Select SSL VPN Clients.
6 To download the SSL VPN MacOS client application, double-click on the client file forticlientsslvpn_macosx_3.0.384.dmg.
  The Mac mounts the disk image as ‘forticlientsslvpn’.
7 Double-click the forticlientsslvpn.pkg file inside the disk image and follow the instructions.

To use the SSL VPN standalone tunnel client (MacOS)
1 Go to the Applications folder and double-click on forticlientsslvpn.
  The FortiClient SSL VPN tunnel client (MacOS) opens.

To uninstall the SSL VPN standalone tunnel client (MacOS)
2 In the Applications folder, select ‘forticlientsslvpn’ and drag it into the Trash.
  After you empty the Trash folder, the installed program is removed from the user computer.
Configuring SSL VPN settings

You can configure and manage the FortiGate unit through a secure HTTP (HTTPS) connection from any computer running a web browser. For information about how to connect to the web-based manager, see “Connecting to the web-based manager” in the FortiGate Installation Guide.

Figure 5: Edit SSL VPN settings

Enable SSL VPN: Select to enable SSL VPN connections.
Tunnel IP Range: Specify the range of IP addresses reserved for tunnel-mode SSL VPN clients. Type the starting and ending address that defines the range of reserved IP addresses. See Specifying an IP address range for tunnel-mode clients.
Server Certificate: Select the signed server certificate to use for authentication purposes.
Idle Timeout: Type the period of time (in seconds) to control how long the connection can remain idle before the system forces the user to log in again. The range is from 10 to 28800 seconds. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up. See Setting the idle timeout setting.

To reserve a range of IP addresses for tunnel-mode clients
1 Go to VPN > SSL > Config.
2 In the Tunnel IP Range fields, type the starting and ending IP addresses (for example, 10.254.254.80 to 10.254.254.100).
3 Select Apply.

Enabling strong authentication through security certificates

The FortiGate unit supports strong (two-factor) authentication through X.509 security certificates (version 1 or 3).

Setting the client authentication timeout setting

The client authentication timeout setting controls how long an authenticated connection will remain connected. When this time expires, the system forces the remote client to authenticate again.

Note: The default value is 1500 seconds. You can only modify this timeout value in the CLI.

2 Select the Edit icon in the row that corresponds to the SSL VPN user group.
3 Expand SSL-VPN User Group Options.
4 In the Redirect URL field, type the URL of the web page that you want to display in the popup window.
5 Select OK.

Customizing the web portal login page

The HTML code making up the web portal login page can be edited. Before you begin, copy the default text to a separate text file for safe-keeping.
You can choose to use a plain text password for authentication through the FortiGate unit (Local domain), forward authentication requests to an external RADIUS or LDAP server, or utilize PKI certificate authentication. If password protection will be provided through a RADIUS or LDAP server, you must configure the FortiGate unit to forward authentication requests to the RADIUS or LDAP server.

To create a user group
1 Go to User > User Group and select Create New.
2 In the Name field, type a name for the group (for example, Web-only_group).
3 From the Type drop-down list, select SSL VPN.
4 One at a time, select user names from the Available Users/Groups list, and select the right-pointing arrow to move them to the Members list.
5 Select the blue triangle to expand the SSL-VPN User Group Options.
7 To activate the split tunnel feature, select Enable Split Tunneling. Split tunneling ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route.
8 To override the Tunnel IP range defined in VPN > SSL > Config, enter the starting and ending IP address range for this group in the Restrict tunnel IP range for this group fields.

Table 1: AV/Firewall supported product detection

Product                                  AV   Firewall
Norton Internet Security 2006            Y    Y
Trend Micro PC-cillin                    Y    Y
McAfee                                   Y    Y
Sophos Anti-Virus                        Y    N
Panda Platinum 2006 Internet Security    Y    Y
F-Secure                                 Y    Y
Secure Resolutions                       Y    Y
Cat Computer Services                    Y    Y
AhnLab                                   Y    Y
Kaspersky                                Y    Y
ZoneAlarm                                Y    Y

Require Virtual Desktop Connection prevents a user from establishing a SSL VPN session without using the SS
• specifying the level of SSL encryption to use and the authentication method
• binding the user group to the firewall policy

Note: In tunnel mode, it is necessary to create a DENY firewall policy that immediately follows the SSL VPN policy. If this policy is not created, SSL VPN tunnels will use other ACCEPT firewall policies.

Note: To provide access to a single host or server, you would type an IP address like 172.16.10.2/32. To provide access to two servers having contiguous IP addresses, you would type an IP address range like 172.16.10.[4-5].

5 Select OK.

To define the firewall policy for web-only mode connections
1 Go to Firewall > Policy and select Create New.

Configuring tunnel-mode firewall policies

Follow the procedures in this section to complete a tunnel-mode configuration. These procedures assume that you have already completed the procedures found in “Configuring user accounts and SSL VPN user groups” on page 42. When a remote client initiates a connection to the FortiGate unit, the FortiGate unit authenticates the client and determines which mode of operation is in effect for the user.

3 From the Type list, select Subnet/IP Range.
4 In the Subnet/IP Range field, type the corresponding IP address and subnet mask (for example, 172.16.10.0/24). If the remote client’s IP address is unknown, the Subnet/IP Range should be “all”, with 0.0.0.0/0.0.0.0 as the address used.

Note: To provide access to a single host or server, you would type an IP address like 172.16.10.2/32.

3 Cipher Strength: Select one of the following options to determine the level of SSL encryption to use. The web browser on the remote client must be capable of matching the level that you select:
  • To use any cipher suite, select Any.
  • To use a 164-bit or greater cipher suite, select High >= 164.
  • To use a 128-bit or greater cipher suite, select Medium >= 128.
4 If logs will be written to system memory, from the Log Level list, select Information. For more information, see the “Log & Report” chapter of the FortiGate Administration Guide.
5 Select Apply.

To filter SSL VPN events
1 Go to Log&Report > Log Config > Event Log.

Figure 7: Monitor list: Tunnel-mode connection

Delete: If required, you can end a session/connection by selecting the Delete button in the row that corresponds to the connection.

• Viewing the SSL VPN Bookmark Groups list
• Configuring SSL VPN bookmark groups

Configuring SSL VPN bookmarks

Go to VPN > SSL > Bookmark and select Create New to create hyperlinks to frequently accessed server applications.

Figure 9: Create New Bookmark

Bookmark Name: Type the text to display in the hyperlink. The name is displayed in the Bookmarks list.

• Viewing the SSL VPN Bookmark Groups list
• Configuring SSL VPN bookmark groups

Viewing the SSL VPN Bookmark Groups list

You can create a group of specific bookmarks that can be included in the configuration of an SSL VPN user group. To view a list of bookmark groups, go to VPN > SSL > Bookmark Group.

Name: Type the name of the bookmark group. The name is displayed in the Bookmark Group list, and is a selection in the Bookmarks list in an SSL VPN user group.
Available Bookmarks: The list of bookmarks available for inclusion in the bookmark group. Lists bookmarks under appropriate category (FTP, RDP, SMB, Telnet, VNC, Web, or SSH).
Used Bookmarks: The list of bookmarks that belong to the bookmark group.
SSL VPN host OS patch check

The SSL VPN Client OS Patch Check feature allows a client with a specific OS patch to access SSL VPN services. The host check only works on Windows platforms. This means that MacOS/Linux users can always log on (assuming they have the correct user name and password) because the patch check is not applied to them.
            set tolerance 1
        end
        config sslvpn-os-check-list "windows-xp"
            set action allow
        end
        set member "u1"
        set sslvpn-split-tunneling enable
        set sslvpn-http enable
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "172.18.8.
Sample configuration for unique access permissions with tunnel mode user groups

In this sample configuration, there are two user groups, each one with a dedicated IP address range.

Note: The source address for both SSL VPN firewall policies can be left as ‘all’ when the users do not have static public IPs.

First, you establish the tunnel IP range. Go to VPN > SSL, and enable SSL-VPN.

Go to User > User Group. Create group1 as an SSL VPN user group with user1 as the member and 10.1.1.1 - 10.1.1.50 as the values in ‘Restrict tunnel IP range for this group’.

Figure 15: group1 user group attributes

Create group2 as an SSL VPN user group with user2 as the member and 10.1.1.51 - 10.1.1.100 as the values in ‘Restrict tunnel IP range for this group’.

Figure 17: Source/destination firewall addresses - Public IP

Figure 18: Source/destination firewall addresses - Linux/Windows PC

After creating the source and destination addresses, go to Firewall > Policy to create the firewall policies. The policy for user1 is an SSL-VPN firewall policy that includes the applicable source and destination addresses, and has group1 as the user group attached to the policy.

Figure 19: user1 firewall policy

The user2 policy is also an SSL-VPN firewall policy that includes the applicable source and destination addresses, and has group2 as the user group attached to the policy.

Figure 20: user2 firewall policy

To view the SSL VPN policies, go to Firewall > Policy.

Figure 21: Firewall policy list

To avoid overlap with other firewall policies, add a DENY policy below the SSL VPN policies (the source is the SSL VPN tunnel IP range). See Configuring firewall policies for more information.

SSL VPN virtual interface (ssl.root)

Configuration of the SSL VPN tunnel service involves a virtual interface, ssl., which functions much like an ipsec-virtual interface.

Go to Firewall > Policy and select Create New to create a firewall policy. For a standard configuration, set up the firewall policies listed below.

Authentication policy
  Source wan1
  Source address all
  Destination internal
  Destination address internal subnet
  Action sslvpn
  Authentication ssl user group(s)

Inbound access policy
  Source ssl.

  Destination wan1
  Destination address remote VPN subnet
  Action ipsec VPN tunnel

SSL VPN dropping connections

When a FortiGate unit has multiple internet connections, the SSLVPN client can connect to the SSLVPN web portal, but when attempting to click Connect to start tunnel mode SSLVPN, the tunnel will start up for a few seconds, then shut down.
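
The per-group tunnel ranges from the sample configuration and the DENY policy placed below the SSL VPN policies can be checked offline; the following is an added example, not part of the Fortinet guide and not FortiOS code. It uses a simplified top-down, first-match policy model, and the destination hosts (192.168.22.10, 192.168.22.20), the policy names and the tunnel range spanning both groups are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY_SRC = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))


def parse_range(text):
    """Parse 'start - end' as typed into 'Restrict tunnel IP range for this group'."""
    start, end = (ipaddress.IPv4Address(part.strip()) for part in text.split("-"))
    if start > end:
        raise ValueError(f"range start is above range end: {text!r}")
    return start, end


def find_overlaps(groups):
    """Return the pairs of group names whose tunnel ranges share an address."""
    names = sorted(groups)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if groups[a][0] <= groups[b][1] and groups[b][0] <= groups[a][1]]


def group_for(tunnel_ip, groups):
    """Map an assigned tunnel address back to the user group that owns it."""
    addr = ipaddress.IPv4Address(tunnel_ip)
    for name, (start, end) in groups.items():
        if start <= addr <= end:
            return name
    return None


@dataclass
class Policy:
    name: str
    action: str                  # "ssl-vpn", "accept" or "deny"
    src: tuple                   # (first, last) source address
    dst: ipaddress.IPv4Network
    group: Optional[str] = None  # user group bound to an ssl-vpn policy


def first_match(policies, tunnel_ip, dst_ip, groups):
    """Simplified top-down evaluation: return the first policy that applies."""
    src, dst = ipaddress.IPv4Address(tunnel_ip), ipaddress.IPv4Address(dst_ip)
    for policy in policies:
        if dst not in policy.dst:
            continue
        if policy.action == "ssl-vpn":
            # An SSL VPN policy applies only to members of its bound group.
            if group_for(tunnel_ip, groups) == policy.group:
                return policy
            continue
        if policy.src[0] <= src <= policy.src[1]:
            return policy
    return None


# Group ranges taken from the sample configuration on this page.
GROUPS = {
    "group1": parse_range("10.1.1.1 - 10.1.1.50"),
    "group2": parse_range("10.1.1.51 - 10.1.1.100"),
}
# Assumption: the tunnel IP range is the span that covers both group ranges.
TUNNEL_RANGE = (GROUPS["group1"][0], GROUPS["group2"][1])

# Constructed destinations and policy names (the page shows them only in figures).
LINUX_PC = ipaddress.ip_network("192.168.22.10/32")
WINDOWS_PC = ipaddress.ip_network("192.168.22.20/32")
SSL_POLICIES = [
    Policy("user1-sslvpn", "ssl-vpn", ANY_SRC, LINUX_PC, "group1"),
    Policy("user2-sslvpn", "ssl-vpn", ANY_SRC, WINDOWS_PC, "group2"),
]
DENY_TUNNEL = Policy("deny-tunnel-range", "deny", TUNNEL_RANGE,
                     ipaddress.ip_network("0.0.0.0/0"))
OTHER_ACCEPT = Policy("other-accept", "accept", ANY_SRC,
                      ipaddress.ip_network("192.168.22.0/24"))


def verdict(tunnel_ip, dst_ip, with_deny):
    """Name of the policy that decides a tunnel client's packet."""
    policies = SSL_POLICIES + ([DENY_TUNNEL] if with_deny else []) + [OTHER_ACCEPT]
    hit = first_match(policies, tunnel_ip, dst_ip, GROUPS)
    return hit.name if hit else "implicit-deny"


if __name__ == "__main__":
    print("overlapping group ranges:", find_overlaps(GROUPS))
    for with_deny in (False, True):
        print("DENY present:", with_deny,
              "| user1 -> Linux PC:", verdict("10.1.1.5", "192.168.22.10", with_deny),
              "| user1 -> Windows PC:", verdict("10.1.1.5", "192.168.22.20", with_deny))
```

Without the DENY entry, user1's tunnel address reaches the host reserved for group2 through the unrelated ACCEPT policy; with it, the same packet stops at the DENY policy.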
Working with the web portal

This section introduces the web portal features and explains how to configure them.

4 When you are prompted for your user name and password:
  • In the Name field, type your user name.
  • In the Password field, type your password.
5 Select Login.
  The FortiGate unit will redirect your web browser to the FortiGate SSL VPN Remote Access Web Portal home page automatically.

Web portal home page features

The FortiGate SSL VPN Remote Access Web Portal home page is displayed after you log in.

Figure 22: FortiGate SSL VPN Remote Access Web Portal page (callouts: Logout, Help, Delete, Edit)

If your user account permits web-only mode access, and your administrator has set up pre-defined bookmarks for you, they will appear in a list under Pre-defined Bookmarks. You can start any session from these hyperlinks, but you cannot change them.

In the Tools area, you can connect to a web server or start a telnet session. You can also check connectivity to a host or server on the network behind the FortiGate unit. For more information, see “Starting a session from the Tools area”.

Launching web portal applications

The FortiGate unit forwards client requests to servers on the Internet or internal network.
The encryption key is only valid for the current user session. Once the user logs out, the key is no longer valid. In the case of FTP and SMB, the path/filename is translated into its hex value for internal encoding purposes. The actual host IP is displayed. Other protocols are not supported. The CLI command related to the obfuscation technique is url-obscuration in config vpn ssl settings.
Title: Type the text to display in the hyperlink. The name is displayed in the My Bookmarks list.

The FortiGate unit replaces the URL with https://:/proxy/http/ and the requested page is displayed.
7 To end the session, close the browser window.

To add a telnet connection and start a telnet session
1 Select Add Bookmark.
2 In the Title field, type a name to represent the connection.
3 From the Application Type list, select Telnet.
9 To end the session, select Disconnect (or type exit) and then close the TELNET connection window.

To add an FTP connection and start an FTP session
1 Select Add Bookmark.
2 In the Title field, type a name to represent the connection.
3 From the Application Type list, select FTP.
4 In the Shared File Folder field, type the IP address of the FTP host as a root directory (for example, //10.10.10.10/).
5 Select OK.

After you log in, the files and subdirectories in the root directory are displayed. You can switch to a subdirectory from the root directory. For example, the following image shows the contents of a subdirectory named share.

5 Select OK.
6 To start a SMB/CIFS session, select the hyperlink that you created.
7 When you are prompted to log in to the remote host, type your user name and password. You must have a user account on the remote host to log in.
8 Select Login.
  After you log in, the root directory associated with your user or group account is displayed.

To add a VNC connection and start a VNC session
1 Select Add Bookmark.
2 In the Title field, type a name to represent the connection.
3 From the Application Type list, select VNC.
4 In the Host Name/IP field, type the IP address of the VNC host (for example, 10.10.10.10/).
5 Select OK.
6 To start a VNC session, select the hyperlink that you created.

To add a RDP connection and start a RDP session

Note: You can specify a keyboard layout setting as a parameter when setting up the RDP connection. The format to enter the setting in “RDP to Host” is:
• “yourserver.com -m fr” where ‘fr’ selects French as the Windows environment.

6 To start a RDP session, select the hyperlink that you created.

Note: The FortiGate unit may offer you its self-signed security certificate. Select Yes to proceed. A second message may be displayed to inform you of a host name mismatch. This message is displayed because the FortiGate unit is attempting to redirect your web browser connection. Select Yes to proceed.

7 When you see a screen configuration dialog, click OK.

To add a SSH connection and start a SSH session
1 Select Add Bookmark.
2 In the Title field, type a name to represent the connection.
3 From the Application Type list, select SSH.
4 In the Host Name/IP field, type the IP address of the SSH host (for example, 192.168.1.3).
5 Select OK.
6 To start a SSH session, select the hyperlink that you created.

Note: The FortiGate unit may offer you its self-signed security certificate.

8 A SSH session starts and you are prompted to log in to the remote host. You must have a user account to log in. After you log in, you may enter any series of valid commands at the system prompt.
9 To end the session, select Disconnect (or type exit) and then close the SSH connection window.

Starting a session from the Tools area

You can connect to any web server or telnet server without adding a bookmark to the My Bookmarks list. The fields in the Tools area enable you to specify the URL or IP address of the host computer. If required, you can ping a host computer behind the FortiGate unit to verify connectivity to that host.

Figure 25: Fortinet SSL VPN Client 1.0 page (tunnel mode)

Link Status: The state of the SSL VPN tunnel:
  • Up is displayed when an SSL VPN tunnel with the FortiGate unit has been established.
  • Down is displayed when a tunnel connection has not been initiated.
Bytes Sent: The number of bytes of data transmitted from the client to the FortiGate unit since the tunnel was established.

To download and install the ActiveX/Java Platform plugin
1 At the top of the web portal home page, select the Activate SSL-VPN Tunnel Mode link.
2 The FortiGate unit may prompt you to install a Fortinet SSL VPN Client plugin. Follow the instructions provided to install ActiveX or Java Platform.

Note: With Windows XP Service Pack 2, a yellow bar is displayed at the top of the screen.

2 Select Connect.

Figure 26: Tunnel established

After the “Fortinet SSL VPN client connected to server” message is displayed and the Disconnect button is enabled (see Figure 26), you have direct access to the network behind the FortiGate unit, subject to the conditions of the FortiGate firewall policy.