SSL VPN
Module Objectives
• By the end of this module participants will be able to:
  • Identify the VPN technologies available on the FortiGate device
  • Identify and configure the SSL VPN operating modes
  • Define an SSL VPN user group
  • Configure SSL VPN portals
  • Configure firewall policies and authentication rules for SSL VPNs
Virtual Private Networks (VPN)
[Diagram: Corporate Office linked to Branch Office over a VPN]
• Use a public network to provide access to a private network
• Create a secure tunnel to protect data transferred between offices, or to allow users to access private data from remote locations
FortiGate VPN
SSL VPN
• Typically used to secure web transactions
• HTTPS link created to securely transmit application data between client and server
• Client signs on through a secure web page (SSL VPN portal) on the FortiGate device
IPSec VPN
• Well suited for network-based legacy applications
• Secure tunnel created between two host devices
• IPSec VPN can be configured between a FortiGate unit and most third-party IPSec VPN devices or clients
SSL VPN Web-Only Mode
• Remote user connects to the SSL VPN portal (HTTPS web site)
• Tunnel created
• User authenticates
• Portal web page presented
• User clicks a bookmark to access the resource
SSL VPN Tunnel Mode
• User enters the URL of the SSL VPN portal
• Tunnel created
• User authenticates
• Portal web page presented
• Fortinet SSL VPN client downloaded
• Resources accessed
User Groups
[Diagram: firewall user groups London, Chicago and Paris, each with Allow SSL-VPN Access enabled]
Authentication
• Username and password (one factor)
• Username and password + FortiToken (two factor)
Portals
[Diagram: user groups London, Chicago and Paris mapped to the Web access, Tunnel access and Full access portals]
SSL VPN Server Certificate
• Certificate presented to the client initiating the SSL VPN session
• FortiGate device uses a self-signed certificate by default
• Use certificates issued by a trusted Certificate Authority to avoid web browser security warnings
Encryption Key Algorithm
• Level of encryption used for SSL VPN connections: High, Default, Low
• The default setting is RC4 (128 bits) and higher
• If set to High, SSL VPN connections with clients that cannot meet this standard will fail
SSL VPN Web-only Mode Configuration
• Enable SSL VPN on the FortiGate unit
• Create an SSL VPN user group and set the SSL VPN portal type to web-access
• Add users to the SSL VPN user group
• Create an SSL VPN firewall policy
• Edit the authentication rule in the firewall policy to add the SSL VPN user groups and required protocols
SSL VPN Tunnel Mode Configuration
• Enable SSL VPN and select an IP Pool
• Create an SSL VPN user group and set the SSL VPN portal type: tunnel-access or full-access
• Create a static route
  • Destination = the IP Pool
  • Device = ssl.root
• Add users to the SSL VPN user group
• Create an SSL VPN firewall policy to authenticate the users
  • Add the SSL VPN user groups and required protocols
• Create at least one additional firewall policy
  • Source = sslvpn tunnel interface
  • Destination = the internal network
  • Action is ACCEPT
Web Portal Interface
• Web page displayed when the client logs into the SSL VPN
• Includes widgets to access functionality on the portal (such as bookmarks and connection tools)
• Software download option for tunnel mode
• Default SSL VPN web portal page is accessible at: https://<FortiGate IP address>:10443
  (port 443 can be used in actual deployments as this port is typically open on firewalls)
Full-Access Web Portal Interface
[Screenshot: full-access web portal]
Tunnel Mode Split-Tunneling
• Only traffic destined for the tunnel IP range network will be routed over the SSL VPN
• If access to another inside network is desired, the client will need to create a static route pointing to their own SSL VPN interface
• Associated firewall policies must exist
Client Integrity Checking
• SSL VPN gateway checks the client system
• Detects client protection applications (for example, antivirus and personal firewall)
• Determines the state of the applications (active/inactive, current version number and signature updates)
• Examples include Cisco Network Admission Control (NAC), MS Network Access Protection (NAP), Trusted Computing Group's (TCG) Trusted Network Connect
[Screenshot: Client Integrity Checking]
Client Integrity Checking
• Relies on external vendors to ensure client integrity (not implemented by all SSL VPN vendors)
• Requires administrators to determine appropriate version/signature versions and policy
• Easily outdated, limiting the protection provided
SSL VPN Group
• The SSL VPN group will be created with full-access and the appropriate users selected
• The SSL VPN ActiveX control only needs to be downloaded once
SSL VPN Tunnel Mode Connection
• A new network connection called fortissl is created
• The connection obtains a virtual IP address
• This virtual adapter becomes the preferred default route if split tunneling is disabled
• The web portal page will display the status of the SSL VPN client ActiveX control
• The portal web page must remain open for the tunnel to function
SSL VPN Client Port Forward
• Port Forward Mode extends the applications supported by Web Application Mode
• Application types:
  • PortForward: for generic port forward applications
  • Citrix: for Citrix server web interface access
  • RDPNative: for the Microsoft Windows native RDP client over port forward
• Configured through the CLI using:
    config vpn ssl web portal
        edit "SSL Access"
            set allow-access citrix rdpnative portforward
    end
SSL VPN IPv6 Support
SSL-VPN Policy De-Authentication
• The firewall policy authentication session is associated with the SSL VPN tunnel session
• Forces expiration of the firewall policy authentication session when the associated SSL VPN tunnel session is ended by the user
• Prevents reuse of authenticated SSL VPN firewall policies (not yet expired) by a different user after the initial user terminates their SSL VPN tunnel session
SSL VPN Access Modes
Web Mode
• No client software required (web browser only)
• Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
• Java applets for RDP, VNC, TELNET, SSH
Tunnel Mode
• Uses a FortiGate-specific client downloaded to the PC (ActiveX or Java applet)
• Requires admin/root privilege to install the layer-3 tunnel adaptor
Port Forward Mode
• Java applet works as a local proxy to intercept specific TCP port traffic, then encrypts it in SSL
• Downloaded to the client PC and installed without admin/root privileges
• Client application must point to the Java applet
Labs
• Lab - SSL VPN
  • Configuring SSL VPN for Web Access
  • Using the SSL VPN for RDP Access
  • Configuring the SSL VPN Tunnel Mode with Split Tunneling