Simple step-by-step guide for configuration of SSLVPN on Fortigate 100a using MR4.00

Simple step-by-step guide for configuration of SSLVPN on Fortigate 100a using MR4.00

Citation preview

Configuration of SSL-VPN on MWS HQ Fortigate100a, Version 4.0mr3patch10 Introduction SSL VPN access is given to users who need temporary access to MWS network, with a more refined control on who has access to what resources. Down-side to this set-up is a limited number of connection due to licenses availability on the Fortigate.

High-level procedures: Info taken from: http://whitehat.williamlee.org/2010/05/fortigate-ssl-vpn-how-to.html 1)

Setup user group(s) that allow SSL VPN access and include intended users

2)

Setup user account(s)

3)

Setup tunnel mode IP address range

4)

Add the tunnel mode IP address range to static route

5)

Load the private key and certificate to the box

6)

Enable SSL VPN, Specify SSL VPN portal TCP port to use 8443

7)

Create Firewall Policy to allow SSL VPN and/or tunnel mode access

8)

Restart Firewall to allow the login from web-site with port 8443

Steps to configure on Fortigate The steps to configure are outlined below: 1)

Create security group

2)

Create new user accounts

a.

3)

Go User > User group > add a new user group: VPN-Users

a.

Go User > User > add a new user

b.

Fill in details of new user

c.

Add the user to group: VPN-Users

Create a new address group for VPN connected users a.

Go to Firewall Objects > Address > Address

b.

Create a new range, name it as SSL_VPN_tunnel_ip_range i.

I created a totally separate subnet (impt), so if the local subnet is 192.168.0.*, then the new range should be something like 192.168.247.*

ii. 4)

In my case, I created 192.168.247.[201-210] since I am allowing a max of 10 users.

Create the static route for tunnel a.

Go to Router > Static > Static Route

b.

Add a new static route with IP/Mask: 192.168.246.20/255.255.255.0 and device ssl.root, with no gateway details

5)

SSL Certificate a.

Go to System > Certificates

b.

Go Local certificate to look-see-look-see. Nothing to be done here since I am not going to install an SSL certificate for this login – save money.

6)

To enable SSL VPN access and service a.

Go to VPN > SSL > Config

b.

Set the Ip Pools to the SSL_VPN_tunnel_ip_range

c.

I set the encryption key algorithm to high

d.

Change the login port to 8443 from 10443

e.

DNS server 1 to the DC in my LAN (even though its different subnet) – 192.168.0.1

f.

DNS server 2 to my ISP – 165.21.83.88

g.

WINS server 1 to my DC in my LAN – 192.168.0.1

h.

Go to VPN > SSL > Portal – this is to enable the tunnel mode settings for connected users

i.

There should be 1 policy there you can click – SSL VPN. Right-click and choose edit

j.

Click Settings

k.

Enabled HTTP/HTTPS, RDP, PING, RDPnative, changed theme to Gray, set portal message: Welcome to Our SSL VPN Service

l.

At the tunnel mode, click on the ‘pen’ to edit the settings: i.

change IP mode to user group,

ii.

set ip-pools to SSL_VPN_tunnel_IP_range, and

iii.

tick on split-tunneling

m. Remember to SAVE the settings or it’ll not get saved, it’s at the APPLY button at the top of the page while in the portal screen. 7)

For firewall policy, see below in the Firewall Policy Configuration settings and screen-shot

8)

Verif