ABACAS, APSecure, FortiASIC, FortiAnalyzer, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGuard,
FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager,
Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
FortiOS v3.0 MR7 SSL VPN User Guide
01-30007-0348-20080718
Introduction
This section introduces you to FortiGate™ Secure Sockets Layer (SSL) VPN
technology and provides supplementary information about Fortinet™ publications.
The following topics are included in this section:
• About FortiGate SSL VPN
• About this document
• FortiGate documentation
• Related documentation
• Customer service and technical support
About FortiGate SSL VPN
FortiGate SSL VPN technology makes it safe to do business over the Internet. In
addition to encrypting and securing information sent from a web browser to a web
server, FortiGate SSL VPN can be used to encrypt most Internet-based traffic.
With the FortiGate unit’s built-in SSL VPN capabilities, small home offices,
medium-sized businesses, enterprises, and service providers can ensure the
confidentiality and integrity of data transmitted over the Internet. The FortiGate
unit provides enhanced authentication and restricted access to company network
resources and services.
The two modes of SSL VPN operation, supported in NAT/Route mode only, are:
• web-only mode, for thin remote clients equipped with a web browser only
• tunnel mode, for remote computers that run a variety of client and server
applications
When the FortiGate unit provides services in web-only mode, a secure web
connection between the remote client and the FortiGate unit is established using
the SSL VPN security in the FortiGate unit and the SSL security in the web
browser. After the connection has been established, the FortiGate unit provides
access to selected services and network resources through a web portal.
Where users have complete administrative rights over their computers and use a
variety of applications, tunnel mode allows remote clients to access the local
internal network as if they were connected to the network directly. In tunnel mode,
a secure SSL connection is established initially for the FortiGate unit to download
SSL VPN client software (an ActiveX plugin) to the web browser. After the user
installs the SSL VPN client software, they can initiate a VPN tunnel with the
FortiGate unit whenever the SSL connection is open.
When the SSL VPN feature is used, all client traffic is encrypted and sent to the
SSL VPN. This includes both traffic intended for the private network and Internet
traffic that is normally sent unencrypted. Split tunneling ensures that only the
traffic for the private network is sent to the SSL VPN gateway. Internet traffic is
sent through the usual unencrypted route. This conserves bandwidth and alleviates
bottlenecks. The split tunneling feature is not enabled by default.
Whether to use web-only or tunnel mode depends on the number and type of
applications installed on the remote computer. Access to any application not
supported through web-only mode can be supported through tunnel mode. For
more information about these modes of operation, see “Configuring a FortiGate
SSL VPN” on page 13.
About this document
This document explains how to configure SSL VPN operation using the web-based
manager and contains the following chapters:
• Configuring a FortiGate SSL VPN describes the two modes of operation,
recommends a deployment topology, and provides an overview of the
associated infrastructure dependencies. The high-level steps for configuring
each mode of operation are also included with cross-references to underlying
procedures. This chapter also details the basic administrative tasks needed to
support the two modes of operation, and describes the additional step-by-step
procedures needed to configure each mode.
• Working with the web portal introduces the web portal applications and
explains how to work with them. The chapter also explains how to install the
ActiveX plugin and initiate a VPN tunnel when tunnel mode is enabled.
Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP
addresses.
• Notes and Cautions are used to provide important information:
Note: Highlights useful additional information.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographic conventions
FortiGate documentation uses the following typographical conventions:
Menu commands: Go to VPN > SSL > Config.
Program output: Welcome!
Variables: <group_name>
Further examples from the conventions table:
In the Name field, type admin.
set ips-open enable
end
edit id_integer
set http_retry_count <retry_integer>
set natip <address_ipv4mask>
end
FortiGate SSL VPN User Guide
Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this
service.</H4>
FortiGate documentation
The most up-to-date publications and previous releases of Fortinet product
documentation are available from the Fortinet Technical Documentation web site
at http://docs.forticare.com.
The following FortiGate product documentation is available:
• FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference,
default configuration information, installation procedures, connection
procedures, and basic configuration procedures. Choose the guide for your
product model number.
• FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including
how to define FortiGate protection profiles and firewall policies; how to apply
intrusion prevention, antivirus protection, web content filtering, and spam
filtering; and how to configure a VPN.
• FortiGate online help
Provides a context-sensitive and searchable version of the Administration
Guide in HTML format. You can access online help from the web-based
manager as you work.
• FortiGate CLI Reference
Describes how to use the FortiGate CLI and contains a reference to all
FortiGate CLI commands.
• FortiGate Log Message Reference
Available exclusively from the Fortinet Knowledge Center, the FortiGate Log
Message Reference describes the structure of FortiGate log messages and
provides information about the log messages that are generated by FortiGate
units.
• FortiGate High Availability User Guide
Contains in-depth information about the FortiGate high availability feature and
the FortiGate clustering protocol.
• FortiGate IPS User Guide
Describes how to configure the FortiGate Intrusion Prevention System settings
and how the FortiGate IPS deals with some common attacks.
• FortiGate IPSec VPN User Guide
Provides step-by-step instructions for configuring IPSec VPNs using the
web-based manager.
• FortiGate SSL VPN User Guide
Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and
describes how to configure web-only mode and tunnel-mode SSL VPN access
for remote users through the web-based manager.
• FortiGate PPTP VPN User Guide
Explains how to configure a PPTP VPN using the web-based manager.
• FortiGate Certificate Management User Guide
Contains procedures for managing digital certificates including generating
certificate requests, installing signed certificates, importing CA root certificates
and certificate revocation lists, and backing up and restoring installed
certificates and private keys.
• FortiGate VLANs and VDOMs User Guide
Describes how to configure VLANs and VDOMs in both NAT/Route and
Transparent mode. Includes detailed examples.
Related documentation
Additional information about Fortinet products is available from the following
related documentation.
FortiManager documentation
• FortiManager QuickStart Guide
Explains how to install the FortiManager Console, set up the FortiManager
Server, and configure basic settings.
• FortiManager System Administration Guide
Describes how to use the FortiManager System to manage FortiGate devices.
• FortiManager System online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the FortiManager Console as you work.
FortiClient documentation
• FortiClient Host Security User Guide
Describes how to use FortiClient Host Security software to set up a VPN
connection from your computer to remote networks, scan your computer for
viruses, and restrict access to your computer and applications by setting up
firewall policies.
• FortiClient Host Security online help
Provides information and procedures for using and configuring the FortiClient
software.
FortiMail documentation
• FortiMail Administration Guide
Describes how to install, configure, and manage a FortiMail unit in gateway
mode and server mode, including how to configure the unit; create profiles and
policies; configure antispam and antivirus filters; create user accounts; and set
up logging and reporting.
• FortiMail online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
• FortiMail Web Mail Online Help
Describes how to use the FortiMail web-based email client, including how to
send and receive email; how to add, import, and export addresses; and how to
configure message display preferences.
FortiAnalyzer documentation
• FortiAnalyzer Administration Guide
Describes how to install and configure a FortiAnalyzer unit to collect FortiGate
and FortiMail log files. It also describes how to view FortiGate and FortiMail log
files, generate and view log reports, and use the FortiAnalyzer unit as a NAS
server.
• FortiAnalyzer online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
Fortinet Tools and Documentation CD
All Fortinet documentation is available from the Fortinet Tools and Documentation
CD shipped with your Fortinet product. The documents on this CD are current at
shipping time. For up-to-date versions of Fortinet documentation see the Fortinet
Technical Documentation web site at http://docs.forticare.com.
Fortinet Knowledge Center
Additional Fortinet technical documentation is available from the Fortinet
Knowledge Center. The knowledge center contains troubleshooting and how-to
articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at
http://kc.forticare.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your
network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com
to learn about the technical support services that Fortinet provides.
Configuring a FortiGate SSL VPN
This section provides a comparison of SSL and IPSec VPN technology, in addition
to an overview of the two modes of SSL VPN operation. The high-level steps for
configuring each mode are also included with cross-references to underlying
procedures.
The following topics are included in this section:
• Comparison of SSL and IPSec VPN technology
• SSL VPN modes of operation
• Topology
• Configuration overview
• Configuring SSL VPN settings
• Configuring user accounts and SSL VPN user groups
• Configuring firewall policies
• Configuring SSL VPN event-logging
• Monitoring active SSL VPN sessions
• Configuring SSL VPN bookmarks and bookmark groups
• SSL VPN host OS patch check
• Granting unique access permissions for SSL VPN tunnel user groups
• SSL VPN virtual interface (ssl.root)
• SSL VPN dropping connections
Comparison of SSL and IPSec VPN technology
The FortiGate unit supports both SSL and IPSec VPN technologies. Each
combines encryption and VPN gateway functions to create private communication
channels over the Internet, which helps to defray physical network costs. Both
enable you to define and deploy network access and firewall policies using a
single management tool. In addition, both support a simple client/user
authentication process (including optional X.509 security certificates). You have
the freedom to use both technologies; however, one may be better suited to the
requirements of your situation.
In general, IPSec VPNs are a good choice for site-to-site connections where
appliance-based firewalls are used to provide network protection, and company
sanctioned client computers are issued to users. SSL VPNs are a good choice for
roaming users who depend on a wide variety of thin-client computers to access
enterprise applications and/or company resources from a remote location.
SSL and IPSec VPN tunnels may operate simultaneously on the same FortiGate
unit.
Legacy versus web-enabled applications
IPSec is well suited to network-based legacy applications that are not web-based.
As a layer 3 technology, IPSec creates a secure tunnel between two host devices.
IP packets are encapsulated by the VPN client and server software running on the
hosts.
SSL is typically used for secure web transactions in order to take advantage of
web-enabled IP applications. After a secure HTTP link has been established
between the web browser and web server, application data is transmitted directly
between selected client and server applications through the tunnel.
Authentication differences
IPSec is a well-established technology with robust features that support many
legacy products such as smart cards and biometrics.
SSL supports sign-on to a web portal front-end, from which a number of different
enterprise applications may be accessed. The Fortinet implementation enables
you to assign a specific port for the web portal and to customize the login page if
desired.
Connectivity considerations
IPSec supports multiple connections to the same VPN tunnel—a number of
remote VPN devices effectively become part of the same network.
SSL forms a connection between two end points such as a remote client and an
enterprise network. Transactions involving three (or more) parties are not
supported because traffic passes between client and server applications only.
Relative ease of use
Although managing IPSec VPNs has become easier, configuring SSL VPNs is
simple in comparison. IPSec protocols may be blocked or restricted by some
companies, hotels, and other public places, whereas the SSL protocol is usually
unrestricted.
Client software requirements
Dedicated IPSec VPN software must be installed on all IPSec VPN peers and
clients and the software has to be configured with compatible settings.
To access server-side applications with SSL VPN, the remote user must have a
web browser (Internet Explorer, Netscape, or Mozilla/Firefox), and if Telnet/RDP
are used, the Sun Java runtime environment. Tunnel-mode client computers must
also have ActiveX (IE) or Java Platform (Mozilla/Firefox) enabled.
Access control
IPSec VPNs provide secure network access only. Access to the network
resources on a corporate IPSec VPN can be enabled for specific IPSec peers
and/or clients. The amount of security that can be applied to users is limited.
SSL VPNs provide secure access to certain applications. Web-only mode
provides remote users with access to server applications from any thin client
computer equipped with a web browser. Tunnel-mode provides remote users with
the ability to connect to the internal network from laptop computers as well as
airport kiosks, Internet cafes, and hotels. Access to SSL VPN applications is
controlled through user groups.
Session failover support
In a FortiGate high availability (HA) cluster with session pickup enabled, session
failover is supported for IPSec VPN tunnels. After an HA failover, IPSec VPN
tunnel sessions will continue with no loss of data.
Session failover is not supported by SSL VPN tunnels; however, cookie failover is
supported for communication between the SSL VPN client and the FortiGate unit.
This means that after a failover, the SSL VPN client can re-establish the SSL VPN
session without having to authenticate again. However, all sessions inside the
SSL VPN tunnel with resources behind the FortiGate unit will stop, and will
therefore have to be restarted.
SSL VPN modes of operation
When a remote client connects to the FortiGate unit, the FortiGate unit
authenticates the user based on user name, password, and authentication
domain. A successful login determines the access rights of remote users
according to user group. The user group settings specify whether the connection
will operate in web-only mode (see “Web-only mode” on page 15) or tunnel mode
(see “Tunnel mode” on page 17).
You can enable a client integrity checker to scan the remote client. The integrity
checker probes the remote client computer to verify that it is “safe” before access
is granted. Security attributes recorded on the client computer (for example, in the
Windows registry, in specific files, or held in memory due to running processes)
are examined and uploaded to the FortiGate unit.
You can enable a cache cleaner to remove any sensitive data that would
otherwise remain on the remote computer after the session ends. For example, all
cache entries, browser history, cookies, encrypted information related to user
authentication, and any temporary data generated during the session are
removed from the remote computer. If the client’s browser cannot install and run
the cache cleaner, the user is not allowed to access the SSL-VPN portal.
Web-only mode
Web-only mode provides remote users with a fast and efficient way to access
server applications from any thin client computer equipped with a web browser.
Web-only mode offers true clientless network access using any web browser that
has built-in SSL encryption and the Sun Java runtime environment.
Support for SSL VPN web-only mode is built into the FortiOS operating system.
The feature comprises an SSL daemon running on the FortiGate unit, and a web
portal, which provides users with access to network services and resources
including HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP and SSH.
In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and
authenticates remote users as members of a user group. After successful
authentication, the FortiGate unit redirects the web browser to the web portal
home page and the user can access the server applications behind the FortiGate
unit.
Configuring the FortiGate unit involves selecting web-only-mode access in the
user group settings and enabling the feature through SSL VPN configuration
settings. The user group settings determine which server applications can be
accessed. SSL encryption is used to ensure traffic confidentiality.
Web-only mode client requirements
The remote client computer must be equipped with the following software:
• Microsoft Windows 2000/XP/2003/Vista, Linux, MacOS X, or UNIX operating
system
• Microsoft Internet Explorer 6.0 (or later), Netscape Navigator 7.0 (or later),
Mozilla Foundation/Firefox 1.5 (or later), or Apple Safari 1.3 (or later)
• If Telnet or RDP are used, Sun Java runtime environment 1.4 (or later), with
Java applet access, JavaScript access, and enabled cookie acceptance
Note: Web browsers offer different SSL security capabilities. The FortiGate unit offers an
SSL version 2 option through the CLI if required to support older browsers. In addition, the
FortiGate unit supports a range of cipher suites for negotiating SSL communications with a
variety of web browsers. The web browser must at least support a 64-bit cipher length.
Tunnel mode
Tunnel mode offers remote users the freedom to connect to the internal network
using the traditional means of web-based access from laptop computers, as well
as from airport kiosks, hotel business centers, and Internet cafés. If the
applications on the client computers used by your user community vary greatly,
you can deploy a dedicated SSL VPN client to any remote client through its web
browser. The SSL VPN client encrypts all traffic from the remote client computer
and sends it to the FortiGate unit through an SSL VPN tunnel over the HTTPS link
between the web browser and the FortiGate unit. Also available is split tunneling,
which ensures that only the traffic for the private network is sent to the SSL VPN
gateway. Internet traffic is sent through the usual unencrypted route. This
conserves bandwidth and alleviates bottlenecks.
In tunnel mode, remote clients connect to FortiGate unit and the web portal login
page using Microsoft Internet Explorer, Mozilla Foundation/Firefox, MacOS, or
Linux. The FortiGate unit acts as a secure HTTP/HTTPS gateway and
authenticates remote users as members of a user group. After successful
authentication, the FortiGate unit redirects the web browser to the web portal
home page. The user can then download the SSL VPN client (an ActiveX or Java
plugin) and install it using controls provided through the web portal. SSL VPN
tunnel mode can also be initiated from a standalone application on
Windows/MacOS, and Unix.
When the user initiates a VPN connection with the FortiGate unit through the SSL
VPN client, the FortiGate unit establishes a tunnel with the client and assigns the
client a virtual IP address from a range of reserved addresses. The client uses the
assigned IP address as its source address for the duration of the connection. After
the tunnel has been established, the user can access the network behind the
FortiGate unit.
Configuring the FortiGate unit to establish a tunnel with remote clients involves
selecting tunnel-mode access in the user group settings and enabling the feature
through SSL VPN configuration settings. The firewall policy and protection profiles
on the FortiGate unit ensure that inbound traffic is screened and processed
securely.
Tunnel-mode client requirements
The remote computer must be equipped with the following software:
• Microsoft Windows 2000/XP/2003 or Vista (32 or 64-bit), MacOS X v10.3.9,
v10.4 “Tiger”, v10.5 “Leopard”, or Linux Distributions RedHat/Fedora,
Ubuntu/Debian, or Suse
• Microsoft Internet Explorer 6.0 (or later) with ActiveX enabled, or Mozilla
Foundation/Firefox (1.5 or later) with Java Platform enabled
Note: The browser requirements only apply if you use the tunnel mode client on Windows
through the browser interface. You do not need a browser if you use the standalone tunnel
client.
Note: The user account used to install the SSL VPN client on the remote computer must
have administrator privileges.
Topology
In the most common Internet scenario, the remote client connects to an ISP that
offers connections with dynamically assigned IP addresses. The ISP forwards
packets from the remote client to the Internet, where they are routed to the public
interface of the FortiGate unit.
At the FortiGate unit, you configure user groups and firewall policies to define the
server applications and IP address range or network that remote clients will be
able to access behind the FortiGate unit.
For example, Figure 1 shows a FortiGate gateway (FortiGate_1) to two private
networks, Subnet_1 and Subnet_2.
Figure 1: Example SSL VPN configuration
[Diagram: a remote client on the Internet reaches FortiGate_1 through its wan1
interface. The dmz interface of FortiGate_1 (172.16.10.1) connects Subnet_1
(172.16.10.0/24), which hosts HTTP/HTTPS at 172.16.10.2, Telnet at 172.16.10.3,
FTP at 172.16.10.4, and SMB/CIFS at 172.16.10.5. The internal interface
(192.168.22.1) connects Subnet_2 (192.168.22.0/24).]
To provide remote clients with access to all of the servers on Subnet_1 from the
Internet, you would configure FortiGate_1 as follows:
• Create an SSL VPN user group and include the remote users in the user
group. When you create the user group, you also specify whether the users
may access the web portal in web-only mode or tunnel mode.
• For tunnel-mode users, define the virtual IP addresses that the FortiGate unit
is to assign to remote clients when they connect.
• Create a firewall destination IP address of 172.16.10.0/24.
• Create a firewall policy to allow the SSL VPN user group members to connect
to Subnet_1 through the VPN. For more information, see “Configuring firewall
policies” on page 45.
If your user community needs access to Subnet_2, you would create a second
firewall destination IP address of 192.168.22.0/24 and create a second
firewall policy that binds the associated remote clients to the Subnet_2 destination
address.
Infrastructure requirements
• The FortiGate unit must be operating in NAT/Route mode and have a static
public IP address.
• The ISP assigns IP addresses to remote clients before they connect to the
FortiGate unit.
• If the remote clients need web-only mode access, see “Web-only mode client
requirements” on page 16.
• If the remote clients need tunnel-mode access, see “Tunnel-mode client
requirements” on page 18.
Configuration overview
Before you begin, install your choice of HTTP/HTTPS, telnet, SSH, FTP,
SMB/CIFS, VNC, and/or RDP server applications on the internal network. As an
alternative, these services may be accessed remotely through the Internet. All
services must be running. Users must have individual user accounts to access the
servers (these user accounts are not related to FortiGate user accounts or
FortiGate user groups).
To configure FortiGate SSL VPN technology, you should follow these general
steps:
1. Enable SSL VPN connections and set the basic options needed to support SSL
VPN configurations. See “Configuring SSL VPN settings” on page 36.
2. To use X.509 security certificates for authentication purposes, load the signed
server certificate, CA root certificate, and Certificate Revocation List (CRL) onto
the FortiGate unit, and load the personal/group certificates onto the remote
clients. For more information, see the FortiGate Certificate Management User
Guide.
3. Create one FortiGate user account for each remote client, and assign the users to
SSL VPN type user groups. See “Configuring user accounts and SSL VPN user
groups” on page 42.
4. Configure the firewall policy and the remaining parameters needed to support the
required mode of operation:
• For web-only mode operation, see “Configuring Web-only firewall policies” on
page 46.
• For tunnel-mode operation, see “Configuring tunnel-mode firewall policies” on
page 48.
5. Define SSL VPN event-logging parameters. See “Configuring SSL VPN event-
logging” on page 50.
6. You can also monitor active SSL VPN sessions. See “Monitoring active SSL VPN
sessions” on page 51.
Configuring the SSL VPN client
There are several configurations of SSL VPN applications available. The SSL
VPN tunnel client application installs a network driver on the client machine that
redirects all network traffic through the SSL VPN tunnel (it is necessary for the
driver to be OS-specific).
SSL VPN web-mode works on all OSs and browsers. The tunnel mode client can
be downloaded and installed from the browser interface on Windows platforms
through ActiveX for IE, or Firefox plug-ins. If you prefer not to initiate the tunnel
mode client function using a browser, standalone SSL VPN tunnel client
applications are available for Windows, Linux, and MacOS (see Tunnel-mode
client requirements for the specific versions that are supported). When a system
configuration must involve more secure disposal of cached data, the SSL VPN
Virtual Desktop should be used. (Windows XP only).
SSL VPN Virtual Desktop application
The virtual desktop application creates a virtual desktop on a user's PC and
monitors the data read/write activity of the web browser running inside the virtual
desktop. When the application starts, it presents a ‘virtual desktop’ to the user.
The user starts the web browser from within the virtual desktop and connects to
the ssl vpn web portal. The browser file/directory operation is redirected to a new
location, and the data is encrypted before it is written to the local disk. When the
virtual desktop application exits normally, all the data written to the disk is
removed. If the session terminates abnormally (power loss, system failure), the
data left behind is encrypted and unusable to the user. The next time you start the
virtual desktop, the encrypted data is removed.
Using the SSL VPN Virtual Desktop
On the FortiGate unit GUI under SSL VPN User Group Options, the 'Require
Virtual Desktop Connection' option is not selected by default. If you choose to use
the SSL VPN virtual desktop option, users are forced to use the virtual desktop to
initiate a SSL VPN session. The user must install the FortiClient SSL VPN virtual
desktop application on the client machine and run it. If a user attempts to establish
a VPN connection that does not use the virtual desktop, the connection is refused.
The most recent version of the SSL VPN virtual desktop application can be found
at:
http://support.fortinet.com/
Windows XP is supported in the current release.
To download and run the SSL VPN Virtual Desktop application
1. Go to the Fortinet Technologies home page at http://support.fortinet.com/ and
select Support.
2. Under Support, enter your user name and password.
This takes you to the Fortinet customer support site.
3. Select Firmware Images and then FortiGate.
The FortiGate index page opens.
4. Select v3.0 and then MR7.
This takes you to the page with firmware images for MR7.
5. Select SSL VPN Clients.
6. To download the SSL VPN Virtual Desktop, select
SSLVPNVirtualDesktopSetup_3.0.384.exe and follow the InstallShield
Wizard instructions.
The FortiGate unit may offer you a self-signed security certificate. If you are
prompted to proceed, select Yes.
8. When you are prompted for your user name and password:
• In the Name field, type your user name.
• In the Password field, type your password.
9. Select Login.
The FortiGate unit will redirect your web browser to the FortiGate SSL VPN
Remote Access Web Portal home page automatically.
The fields in the Tools area enable you to specify the URL or IP address of a host
computer. If required, you can ping a host computer behind the FortiGate unit to
verify connectivity to that host.
To connect to a web server from the Tools area
1. In the Connect to Web Server field, type the URL of the web server (for example, http://www.mywebexample.com or https://172.20.120.101).
2. Select Go.
The FortiGate unit replaces the URL with https://<FG_IP_address>:<port_no>/proxy/http/<specified_URL> and the requested page is displayed.
3. To end the session, close the browser window.
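As an added illustration that is not part of the guide, the URL rewrite described above expressed as a small Python helper together with its inverse, which is the direction you need when reviewing portal access logs to see which internal web servers were reached through the portal. The FortiGate address and port are constructed placeholders, and the exact layout of <specified_URL> (scheme as the path segment after /proxy/, the rest without "scheme://") is an assumption.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholders; the real values come from your FortiGate unit.
FG_IP_ADDRESS = "192.0.2.1"
FG_PORT = 10443


def to_portal_proxy_url(specified_url: str, fg_ip: str = FG_IP_ADDRESS,
                        port: int = FG_PORT) -> str:
    """Rewrite a URL typed into 'Connect to Web Server' into the portal form
    https://<FG_IP_address>:<port_no>/proxy/<scheme>/<host_and_path>.
    Assumption (not stated in the guide): the original scheme becomes the
    path segment after /proxy/ and the remainder omits 'scheme://'."""
    parts = urlsplit(specified_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"expected an http(s) URL with a host: {specified_url!r}")
    # urlunsplit with an empty scheme yields '//host/path?query'; strip '//'.
    rest = urlunsplit(("", parts.netloc, parts.path or "/", parts.query, ""))
    return f"https://{fg_ip}:{port}/proxy/{parts.scheme}/{rest.lstrip('/')}"


def from_portal_proxy_url(proxy_url: str) -> Optional[str]:
    """Inverse: recover the origin URL behind a portal /proxy/ URL, e.g. when
    auditing which internal hosts users browsed. Returns None for any URL
    that is not in the /proxy/<scheme>/ form."""
    parts = urlsplit(proxy_url)
    prefix = "/proxy/"
    if not parts.path.startswith(prefix):
        return None
    scheme, sep, rest = parts.path[len(prefix):].partition("/")
    if scheme not in ("http", "https") or not sep:
        return None
    origin = f"{scheme}://{rest}"
    if parts.query:
        origin += "?" + parts.query
    return origin


if __name__ == "__main__":
    for url in ("http://www.mywebexample.com", "https://172.20.120.101"):
        rewritten = to_portal_proxy_url(url)
        print(url, "->", rewritten, "->", from_portal_proxy_url(rewritten))
```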
To ping a host or server behind the FortiGate unit
1. In the Test for Reachability (Ping) field, type the IP address of the host or server that you want to reach (for example, 192.168.12.22).
2. Select Go.
A message stating whether the IP address can be reached or not is displayed.
Using the SSL VPN standalone tunnel clients
SSL VPN standalone tunnel client applications are available for Windows, Linux,
and MacOS systems (see Tunnel-mode client requirements for the specific
versions that are supported). There are separate download files for each
operating system.
The most recent version of the SSL VPN standalone client applications can be
found at:
http://support.fortinet.com/
To download the SSL VPN standalone tunnel client (Windows)
1. Go to the Fortinet Technologies home page at http://support.fortinet.com/ and select Support.
2. Under Support, enter your user name and password.
This takes you to the Fortinet customer support site.
3. Select Firmware Images and then FortiGate.
Figure 3: Firmware Images selection on Fortinet customer support site
The FortiGate index page opens.
Figure 4: FortiGate index page
4. Select v3.0 and then MR7.
This takes you to the page with firmware images for MR7.
5. Select SSL VPN Clients.
6. To download the SSL VPN Windows client application, select FortiClientSSLVPNSetup_3.0.384.exe or FortiClientSSLVPN_3.0_384.msi and follow the InstallShield Wizard instructions.
To use the SSL VPN standalone tunnel client (Windows)
1. Go to Start > All Programs > Fortinet > FortiClient SSL VPN > FortiClient SSL VPN.
Server Address: Enter the IP address of the server you need to access.
Username: Enter your user name.
Password: Enter the password associated with your user account.
Expand button: Select to expand the dialog box and display Client Certificate, Save user name and password, and Keep connection alive until manually stopped.
Client Certificate: Select the authentication certificate from the drop-down list, if required.
Save user name and password: Select to save the value in Username and Password for future logins.
Keep connection alive until manually stopped: Select to have the connection stay up until you log out.
2. Select Connect.
3. To manually terminate the connection, select Exit.
To uninstall the SSL VPN standalone tunnel client (Windows)
1. Go to Start > Control Panel.
2. Select Add or Remove Programs.
3. Select ‘FortiClient SSL VPN’ and then Remove.
To download the SSL VPN standalone tunnel client (Linux)
1. Go to the Fortinet Technologies home page at http://support.fortinet.com/ and select Support.
2. Under Support, enter your user name and password.
This takes you to the Fortinet customer support site.
3. Select Firmware Images and then FortiGate.
The FortiGate index page opens.
4. Select v3.0 and then MR7.