FortiOS v3.0 MR7 SSL VPN User Guide
Document 01-30007-0348-20080718, page 46
Configuring a FortiGate SSL VPN: Configuring firewall policies
Configuring tunnel-mode firewall policies
Follow the procedures in this section to complete a tunnel-mode configuration.
These procedures assume that you have already completed the procedures found
in “Configuring user accounts and SSL VPN user groups” on page 42.
When a remote client initiates a connection to the FortiGate unit, the FortiGate
unit authenticates the client and determines which mode of operation is in effect
for that user. When tunnel mode is enabled for the user, the web portal offers an
ActiveX plugin for download. The ActiveX control provides the SSL VPN client
software, which the user installs to reach server applications and network
services on the internal network.
After the user adds the ActiveX plugin to the web browser on the remote client, the
user can start the SSL VPN client software to initiate an SSL VPN tunnel with the
FortiGate unit. The FortiGate unit establishes the tunnel with the SSL client and
assigns the client a virtual IP address. Afterward, the SSL client uses the assigned
virtual IP address as its source address for the duration of the session.
To configure the FortiGate unit to support tunnel-mode access, you perform the
following configuration tasks on the FortiGate unit:
Specify the IP address(es) that can be assigned to the SSL VPN client when
they establish tunnels with the FortiGate unit.
Define a firewall policy to support tunnel-mode operations.
A firewall policy identifies packets by their originating (source) IP address and
their destination IP address, the address of the intended recipient host or
network. For a tunnel-mode policy, the source address is the address the remote
client uses once the tunnel is up, that is, the virtual IP address assigned to it
from the tunnel IP range, not the client's public address. The destination
address is the IP address(es) of the host(s), server(s), or network behind the
FortiGate unit.
Configuring the firewall policy involves:
specifying the source and destination IP addresses:
The source address corresponds to the tunnel IP range from which remote
clients are assigned their virtual IP addresses.
The destination address corresponds to the IP address or addresses that
remote clients need to access. It may be an entire private network, a range of
private IP addresses, or the private IP address of a single server or host. Limit
it to the hosts remote users actually need rather than the whole internal network.
specifying the level of SSL encryption to use and the authentication method
binding the user group to the firewall policy
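The following is an added model of the tunnel-mode policy just described; it is
not code from the guide or from Fortinet. It uses constructed RFC 1918 and
documentation addresses (the tunnel range, destination network and client
address are all assumed values). It shows that packets match the policy only when
their source is a virtual IP from the tunnel range, that the client's public
address never matches, and that an unmatched packet falls to the implicit deny. It
also performs a check the guide does not state but a practitioner wants: the
tunnel IP range must not overlap the destination network, or source and
destination become indistinguishable to the policy.

```python
"""Model of a FortiGate tunnel-mode firewall policy (added example)."""
import ipaddress
from dataclasses import dataclass

# Assumed values, not from the guide: virtual IPs the FortiGate hands to
# SSL VPN clients (the "tunnel IP range").
TUNNEL_IP_RANGE = ("10.212.134.200", "10.212.134.210")
# Assumed value: the protected network remote users may reach.
DESTINATION = ipaddress.ip_network("192.168.1.0/24")
# Constructed: a remote client's public address before the tunnel is up.
CLIENT_PUBLIC_IP = "203.0.113.17"


def range_to_networks(start, end):
    """Expand a start-end IP range into the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


@dataclass(frozen=True)
class Policy:
    srcaddr: tuple            # CIDR blocks covering the tunnel IP range
    dstaddr: ipaddress.IPv4Network
    action: str = "accept"


def build_tunnel_policy(tunnel_range, destination):
    """Build the tunnel-mode policy, refusing an overlapping tunnel range.

    If the virtual IPs overlap the destination network, an internal host
    could be mistaken for a VPN client (and vice versa), so the policy is
    rejected rather than silently created.
    """
    src = tuple(range_to_networks(*tunnel_range))
    for block in src:
        if block.overlaps(destination):
            raise ValueError(
                f"tunnel range {block} overlaps destination {destination}")
    return Policy(srcaddr=src, dstaddr=destination)


def evaluate(policy, src_ip, dst_ip):
    """Return the policy action for a packet, or 'deny' when nothing matches.

    A FortiGate ends policy lookup with an implicit deny, modelled here as
    the fallthrough result.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if any(src in block for block in policy.srcaddr) and dst in policy.dstaddr:
        return policy.action
    return "deny"


if __name__ == "__main__":
    policy = build_tunnel_policy(TUNNEL_IP_RANGE, DESTINATION)
    # Virtual IP to an internal server: matches the tunnel-mode policy.
    print(evaluate(policy, "10.212.134.201", "192.168.1.10"))
    # The client's public address is never a source for this policy.
    print(evaluate(policy, CLIENT_PUBLIC_IP, "192.168.1.10"))
```

Running the block prints `accept` then `deny`; change `DESTINATION` to a single
`/32` to see how narrowing the destination to one server tightens what a
connected client can reach.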
Note: On the web browser, ensure that the security settings associated with the Internet
zone permit ActiveX controls to be downloaded and run.
Note: If your destination address, SSL encryption, and user group are the same
as for your web-only mode connection, you do not need to create a firewall policy
for tunnel mode. The FortiGate unit uses the web-only mode policy settings
except for the source address range, which it obtains from the tunnel IP range
settings.
To specify the source IP address
1 Go to Firewall > Address and select Create New.
2 In the Address Name field, type a name that represents the IP address(es)
permitted to set up an SSL VPN connection.