
Course 201 - Administration, Content Inspection and VPNs SSL VPN

SSL VPN
Module 5

2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C

Module Objectives

By the end of this module participants will be able to:

- Identify the VPN technologies available on the FortiGate device
- Configure the SSL VPN operating modes
- Define user restrictions
- Set up SSL VPN portals
- Configure firewall policies and authentication rules for SSL VPNs

01-50000-0201-20130215-C

Virtual Private Networks (VPN)

Secure tunnel over an insecure network

- Use when there is a need to transmit private data over a public network
- PC based, suitable for use when traveling

FortiGate VPN

SSL VPN
- Typically used to secure web transactions
- HTTPS link created to securely transmit application data between client and server
- Client signs on through a secure web page (SSL VPN portal) on the FortiGate device

IPSec VPN
- Well suited for network-based legacy applications
- Secure tunnel created between two host devices
- IPSec VPN can be configured between a FortiGate unit and most third-party IPSec VPN devices or clients


SSL VPN Web-Only Mode

1. Connection of remote user to SSL VPN portal (HTTPS web site)
2. Tunnel created
3. User authentication
4. Portal web page presented
5. Click bookmark to access resource

SSL VPN Tunnel Mode

1. Connection of remote user to SSL VPN portal (HTTPS web site)
2. Tunnel created
3. Authenticate
4. Portal web page presented
5. Access resources


User Groups

- Web mode and tunnel mode both require a firewall policy for authentication
- Tunnel mode requires additional policies to allow internal network access
- The mode(s) a user has access to are determined by the authentication policy
- The authentication policy also determines the portal page users are presented with

Authentication

- Username and Password (one factor)
- Username and Password + FortiToken (two factor)


SSL VPN Server Certificate

Certificate presented to the client initiating the SSL VPN session

- The FortiGate device uses a self-signed certificate by default
- Use a certificate issued by a trusted Certificate Authority to avoid web browser security warnings

Encryption Key Algorithm

Level of encryption used for SSL VPN connections

- High, Default, Low
- The default setting is RC4 (128 bits) and higher
- If set to High, SSL VPN connections with clients that cannot meet this standard will fail


Web Portal Interface

Web page displayed when the client logs into the SSL VPN

- Includes widgets to access functionality on the portal (such as bookmarks and connection tools)
- Software download option for tunnel mode
- The default SSL VPN web portal page is accessible at https://<FortiGate IP address>


Full-Access Web Portal Interface


Tunnel Mode Split-Tunneling

- Only traffic destined for the tunnel IP range network will be routed over the SSL VPN
- If access to another inside network is desired, the client will need to create a static route pointing to their own SSL VPN interface
- Associated firewall policies must exist


Client Integrity Checking

SSL VPN gateway checks the client system

- Detects client protection applications (for example, antivirus and personal firewall)
- Determines the state of those applications (active/inactive, current version number and signature updates)
- Examples include: Cisco Network Admission Control (NAC), MS Network Access Protection (NAP), Trusted Computing Group (TCG) Trusted Network Connect


Client Host Checking

- Relies on external vendors to ensure client integrity (not implemented by all SSL VPN vendors)
- Requires administrators to determine appropriate version/signature versions and policy
- Easily outdated, limiting the protection provided
- Checks to see if the required software is installed on the connecting PC, otherwise the connection is refused
- CLI only:

    config vpn ssl web portal
        edit <portal name>
            set host-check [av|av-fw|custom|fw]
            set host-check-interval [# seconds]
        next
    end
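To review the settings covered on the Encryption Key Algorithm, Split-Tunneling and Client Host Checking slides in one pass, here is an added Python example (not Fortinet code) that parses FortiOS-style CLI text and reports what a reviewer would flag. The sample configuration is constructed, and the `set algorithm` keyword is an assumption mirroring the High/Default/Low choice described above.

```python
# Added example, not Fortinet code. SAMPLE_CONFIG is constructed; the
# 'set algorithm' keyword is assumed to mirror the High/Default/Low setting.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set algorithm default
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set host-check av-fw
        set host-check-interval 300
    next
    edit "web-only"
        set web-mode enable
    next
end
"""

def parse_config(text):
    """Return (global ssl settings, {portal name: its settings}) from CLI text."""
    settings, portals, section, portal = {}, {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "config":                     # enter a config section
            section = " ".join(tok[1:])
        elif tok[0] == "edit" and section == "vpn ssl web portal":
            portal = " ".join(tok[1:]).strip('"')  # start a portal entry
            portals[portal] = {}
        elif tok[0] in ("next", "end"):            # leave the current entry
            portal = None
        elif tok[0] == "set":                      # 'set key value...'
            (portals[portal] if portal else settings)[tok[1]] = " ".join(tok[2:])
    return settings, portals

def audit(text):
    """List findings a reviewer would raise against the parsed config."""
    settings, portals = parse_config(text)
    findings = []
    if settings.get("algorithm", "default") != "high":
        findings.append("settings: algorithm not 'high'; RC4-128 clients are accepted")
    for name, p in portals.items():
        if "host-check" not in p:
            findings.append(f"portal {name}: no host-check, client integrity not verified")
        if p.get("tunnel-mode") == "enable" and p.get("split-tunneling") == "enable":
            findings.append(f"portal {name}: split tunneling, only the tunnel IP range goes over the VPN")
    return findings
```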

SSL VPN Tunnel Mode Connection

A new network connection called fortissl is created

- The connection obtains a virtual IP address
- This virtual adapter becomes the preferred default route if split tunneling is disabled
- The web portal page will display the status of the SSL VPN client ActiveX control
- The portal web page must remain open for the tunnel to function


SSL VPN Client Port Forward

Port Forward mode extends the applications supported by Web Application Mode

Application types (some examples):
- PortForward: for generic port forward applications
- Citrix: for Citrix server web interface access
- RDPNative: for the Microsoft Windows native RDP client over port forward
- etc.


SSL-VPN Policy De-Authentication

- Firewall policy authentication session is associated with the SSL VPN tunnel session
- Forces expiration of the firewall policy authentication session when the associated SSL VPN tunnel session is ended by the user
- Prevents reuse of authenticated SSL VPN firewall policies (not yet expired) by a different user after the initial user terminates their SSL VPN tunnel session


SSL VPN Access Modes

Web Mode
- No client software required (web browser only)
- Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
- Java applets for RDP, VNC, TELNET, SSH

Tunnel Mode
- Uses FortiGate-specific client downloaded to PC (ActiveX or Java applet)
- Requires admin/root privilege to install layer-3 tunnel adaptor

Port Forward Mode
- Java applet works as a local proxy to intercept specific TCP port traffic, then encrypts it in SSL
- Downloaded to client PC and installed without admin/root privileges
- Client app must point to the Java applet


Configuration

Step 1: Configure the settings (IP pool, certificate, port) under VPN > SSL > Config
Step 2: Configure your portals for user access (web or tunnel mode access, bookmarks) under VPN > SSL > Portal
Step 3: Decide on split tunneling or not (in the portal config)
Step 4: Set up the firewall VPN policy for access


Configuration


Labs

Lab 1: SSL VPN
- Ex 1: Configuring SSL VPN for Web Access
- Ex 2: Configuring SSL VPN for Tunnel Mode


Classroom Lab Topology
