Configuration of SSL-VPN on MWS HQ Fortigate100a, Version 4.0mr3patch10

Introduction

SSL VPN access is given to users who need temporary access to the MWS network, with finer-grained control over who has access to which resources. The downside of this set-up is the limited number of concurrent connections, which is capped by the licences available on the Fortigate.
High-level procedures (info taken from: http://whitehat.williamlee.org/2010/05/fortigate-ssl-vpn-how-to.html):
1) Set up user group(s) that allow SSL VPN access and include the intended users
2) Set up user account(s)
3) Set up the tunnel-mode IP address range
4) Add the tunnel-mode IP address range to a static route
5) Load the private key and certificate onto the box
6) Enable SSL VPN and specify the SSL VPN portal TCP port to use (8443)
7) Create the firewall policy to allow SSL VPN and/or tunnel-mode access
8) Restart the firewall so that the login page is served on port 8443
Steps to configure on Fortigate

The steps to configure are outlined below:
1) Create security group
   a. Go to User > User Group > add a new user group: VPN-Users
2) Create new user accounts
   a. Go to User > User > add a new user
   b. Fill in the details of the new user
   c. Add the user to group: VPN-Users
3) Create a new address group for VPN-connected users
   a. Go to Firewall Objects > Address > Address
   b. Create a new range and name it SSL_VPN_tunnel_ip_range
      i. Use a totally separate subnet (important): if the local subnet is 192.168.0.*, the new range should be something like 192.168.247.*, so that tunnel clients never share an address space with LAN hosts.
      ii. In my case I created 192.168.247.[201-210], since I am allowing a maximum of 10 users.
4) Create the static route for the tunnel
   a. Go to Router > Static > Static Route
   b. Add a new static route with IP/Mask 192.168.247.0/255.255.255.0, device ssl.root and no gateway details. The destination must cover the tunnel IP pool created in step 3 (192.168.247.201-210 lies in 192.168.247.0/24); a route for any other subnet would not cover the pool, and return traffic from the LAN to the VPN clients would follow the default route instead of going back through ssl.root.
5) SSL certificate
   a. Go to System > Certificates
   b. Under Local Certificates there is nothing to be done here, since I am not going to install a purchased SSL certificate for this login (to save money); the portal stays on the Fortigate's factory self-signed certificate. Caveat: with a self-signed certificate, users get a browser certificate warning on every login and have no way to tell the real portal from an impostor presenting its own self-signed certificate, so a trusted certificate should be imported here if one is available (step 5 of the high-level procedure).
6) Enable SSL VPN access and service
   a. Go to VPN > SSL > Config
   b. Set IP Pools to SSL_VPN_tunnel_ip_range
   c. Set the Encryption Key Algorithm to High (this restricts the portal to the stronger AES/3DES cipher suites and excludes the RC4-based suites that the Default setting allows)
   d. Change the login port from the default 10443 to 8443 (make sure 8443 is not also the HTTPS administrative port, or the two services will conflict)
   e. DNS server 1: the DC in my LAN (even though it is on a different subnet) – 192.168.0.1
   f. DNS server 2: my ISP – 220.127.116.11
   g. WINS server 1: my DC in my LAN – 192.168.0.1
   h. Go to VPN > SSL > Portal; this is where the tunnel-mode settings for connected users are enabled
   i. There should be one portal listed, SSL VPN; right-click it and choose Edit
   j. Enable HTTP/HTTPS, RDP, PING and RDPnative; change the theme to Gray; set the portal message: Welcome to Our SSL VPN Service
   k. At the Tunnel Mode widget, click the 'pen' to edit the settings:
      i. change IP mode to user group,
      ii. set ip-pools to SSL_VPN_tunnel_ip_range, and
      iii. tick split-tunneling (only traffic for the destination subnets allowed by the SSL VPN firewall policy goes through the tunnel; all other client traffic leaves via the client's own internet connection, so the client is attached to both networks at once)
   l. Remember to SAVE the settings or they will not be kept: use the APPLY button at the top of the page while in the portal screen.
7) For the firewall policy, see below in the Firewall Policy Configuration settings and screen-shot.
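As an added example (not part of the original how-to), the whole procedure above expressed as FortiOS 4.0 MR3 CLI, which is easier to review and diff than the GUI screens. The command syntax is reconstructed from memory of the 4.0 MR3 CLI reference (the portal widget options are the least certain) and should be checked against `show` output on the unit. The user name alice and her password, the interface names wan1 and internal, and the MWS_LAN address object for 192.168.0.0/24 are assumptions; the pool, route, port, DNS/WINS servers and portal name are the values from the steps above.

```fortios
# Steps 1 and 2: user account and the group that is allowed to use the portal
config user local
    edit "alice"                          # assumed user name
        set type password
        set passwd "ChangeMe-Alice-2012"  # assumed; set a real one
    next
end
config user group
    edit "VPN-Users"
        set member "alice"
        set sslvpn-portal "SSL VPN"       # portal assigned per group
    next
end

# Step 3: tunnel-mode pool, deliberately outside the 192.168.0.0/24 LAN
config firewall address
    edit "SSL_VPN_tunnel_ip_range"
        set type iprange
        set start-ip 192.168.247.201
        set end-ip 192.168.247.210
    next
    edit "MWS_LAN"                        # assumed object; used to limit what the tunnel reaches
        set subnet 192.168.0.0 255.255.255.0
    next
end

# Step 4: route covering the pool, so LAN replies go back into ssl.root
config router static
    edit 0
        set dst 192.168.247.0 255.255.255.0
        set device "ssl.root"
    next
end

# Step 6: global SSL VPN settings (step 5, the certificate, is left at the factory default)
config vpn ssl settings
    set sslvpn-enable enable
    set port 8443
    set algorithm high                    # AES/3DES suites only
    set tunnel-ip-pools "SSL_VPN_tunnel_ip_range"
    set dns-server1 192.168.0.1
    set dns-server2 220.127.116.11
    set wins-server1 192.168.0.1
end

# Step 6 (portal): web widgets plus a tunnel-mode widget with split tunnelling
config vpn ssl web portal
    edit "SSL VPN"
        set theme gray
        set heading "Welcome to Our SSL VPN Service"
        config widget
            edit 1
                set type bookmark
                set name "Bookmarks"
                set allow-apps web rdp ping rdpnative
            next
            edit 2
                set type tunnel
                set name "Tunnel Mode"
                set ip-mode user-group
                set ip-pools "SSL_VPN_tunnel_ip_range"
                set split-tunneling enable
            next
        end
    next
end

# Step 7: one policy that authenticates the login (action ssl-vpn) and one that
# lets tunnel traffic from the pool into the LAN. dstaddr is MWS_LAN rather than
# "all" so that split tunnelling only pushes the LAN route to the client.
config firewall policy
    edit 0
        set srcintf "wan1"                # assumed interface names
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "MWS_LAN"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "VPN-Users"
                set service "ANY"
            next
        end
    next
    edit 0
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSL_VPN_tunnel_ip_range"
        set dstaddr "MWS_LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

After applying this, `diagnose vpn ssl list` on the unit shows the active sessions and the pool addresses handed out, which is the quickest way to confirm that a tunnel client received a 192.168.247.x address and that the static route is in use.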