
SSL VPN

7 April 2014

SSL VPN

2014 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FGT1-05-50005-E-20140120

Module Overview
VPN definition
SSL VPN vs. IPSec VPN
Web-only mode
Tunnel mode
Port Forward mode
Split-Tunneling
Client Integrity Checking
SSL VPN portal
SSL VPN configuration
Access modes comparison
SSL VPN monitor

Module Objectives
By the end of this module participants will be able to:
Configure the different SSL VPN operating modes
Set up SSL VPN portals
Configure firewall policies and authentication rules for SSL VPN
Monitor SSL VPN connections

Virtual Private Networks (VPN)

A virtual private network (VPN) allows users to remotely access network resources as if they were physically connected to the local network
Used when there is a need to transmit private data across a public network
Is an encrypted point-to-point connection, so traffic that is intercepted on the public network cannot be read or altered by unauthorized parties
Uses different authentication methods to ensure that only authorized users can access the private network


FortiGate VPN

SSL VPN:
Typically used to secure web transactions
HTTPS link created to securely transmit application data
Client signs on through a secure web page (SSL VPN portal) on the FortiGate device

IPSec VPN:
Well suited for network-based legacy applications
Secure tunnel created between two host devices
IPSec VPN can be configured between a FortiGate unit and most third-party IPSec VPN devices or clients

SSL VPN Web-only Mode

1. Connection of a remote user to the SSL VPN portal (HTTPS web site)
2. User authentication
3. SSL VPN portal presented
4. Access resources through the SSL VPN portal via bookmarks or the connection tool widgets

User traffic has the FortiGate internal interface IP address as source (the FortiGate acts as a reverse proxy on the user's behalf)


SSL VPN Tunnel Mode

1. Connection of a remote user to the SSL VPN portal (HTTPS web site)
2. User authentication
3. SSL VPN portal presented
4. Tunnel created
5. Access resources (IP traffic encapsulated over HTTPS)

User traffic source IP address is assigned by the FortiGate unit

Tunnel Mode Split Tunneling

Split Tunneling disabled:
All IP traffic will be routed over the SSL VPN tunnel (including Internet traffic), so the user's Internet traffic is also subject to the FortiGate firewall policies and security inspection

Split Tunneling enabled:
Only traffic destined to the private network will be routed over the SSL VPN tunnel; Internet traffic leaves the client directly and is not inspected by the FortiGate

[Diagram: remote client in Tunnel mode reaching the Internet and the internal network, with Split Tunneling enabled vs. disabled]


Ways of Connecting SSL VPN Tunnel Mode

Using a browser:
The SSL VPN web portal will display the status of the SSL VPN ActiveX control
The SSL VPN portal must remain open for the tunnel to function

Using the standalone FortiClient SSL VPN client:
The client must remain running for the tunnel to function

Either way, a new virtual network adapter called fortissl is created on the client PC:
The FortiGate assigns the adapter a virtual IP address from a pool of reserved addresses

SSL VPN Client Port Forward Mode

Port Forward uses a Java applet to extend the number of applications supported by Web-only mode
The applet listens on local ports on the user's computer; it encrypts all the traffic it receives on those ports and forwards it to the FortiGate unit
The user must configure the applications on the PC to point to the local proxy (the loopback address and the applet's listening port) instead of the application server
Application types:
PortForward: for generic port forward applications
Citrix: for Citrix server web interface access
RDPNative: for the Microsoft Windows native RDP client over port forward


Client Integrity Checking

SSL VPN gateway checks the client system before granting access
Only possible with clients running Microsoft Windows
Detects client security applications recognized by the Windows Security Center (antivirus and firewall)
Alternatively, Custom Host Checks can be created using application Globally Unique IDentifiers (GUID)
Determines the state of the applications (active/inactive, current version number and signature updates)


Client Integrity Checking Configuration

Relies on external vendors (the security products reported by the Windows Security Center) to ensure client integrity
Checks if the required software is installed on the connecting PC; otherwise the SSL VPN connection attempt is rejected
The check is based on what the client reports about itself, so treat it as a hygiene control rather than a strong security boundary
CLI-only configuration (per portal):
config vpn ssl web portal
    edit <portal_name>
        # av: antivirus required, fw: firewall required,
        # av-fw: both required, custom: use a custom host check
        set host-check {av|av-fw|custom|fw}
        # re-check the client every <seconds> while the session is up
        set host-check-interval <seconds>
    next
end


Configuration Steps

1. Configure the SSL VPN general settings
2. Set up user accounts and groups for the SSL VPN clients
3. Configure the web portals to define user access
4. Create the firewall policy with the authentication rules
5. Create firewall policies from/to the SSL VPN interface (only for Tunnel mode)
6. Add routing to ensure that traffic to the users can reach the SSL VPN interface (only for Tunnel mode)


Step 1: SSL VPN General Settings

Certificate presented to clients: use a certificate issued by a Certificate Authority (CA) trusted by the clients to avoid web browser warnings (users who are trained to click through warnings cannot tell a self-signed gateway from a man-in-the-middle)
Encryption strength: if set to High, connections with clients that cannot meet this standard will fail
Tunnel session timeout
Web portal port number


SSL VPN Policy De-Authentication


Firewall policy authentication session is associated with SSL VPN
tunnel session
Forces expiration of firewall policy authentication session when
associated SSL VPN tunnel session has ended
Prevents reuse of authenticated SSL VPN firewall policies (not yet expired) by a
different user after the initial user terminates the SSL VPN tunnel session


Step 2: User Accounts and Groups

SSL VPN supports the following authentication methods:
Local
LDAP
RADIUS
TACACS+

Additionally, two-factor authentication is also supported:
Username and Password (one factor) + Token Code (two factor)


Step 3: SSL VPN Portal


Web page displayed after the client has logged into the SSL VPN
Includes widgets to access different SSL VPN functionalities (such
as bookmarks and connection tools)
Software download option for Tunnel mode


SSL VPN Portal Configuration

Enable Tunnel mode
Enable Split Tunneling
Virtual IP addresses to be assigned to Tunnel mode users
Enable Port Forward mode
Control the number of concurrent sessions per user


SSL VPN Portal Example


Step 4: Firewall Policy for SSL VPN Authentication


All the three SSL VPN modes require a firewall policy for
authentication
Tunnel mode requires additional policies to allow traffic to/from the
SSL VPN interface


Firewall Policy for SSL VPN Authentication


Step 5: Firewall Policies for Tunnel Mode


Step 6: Routing for Tunnel Mode

Static route for the subnet that contains the SSL VPN IP addresses for Tunnel mode, pointing to the SSL VPN interface, so that return traffic to the users reaches the tunnel

SSL VPN Monitor

Screenshot callouts:
A Subsession row below a user means that the user is in Tunnel mode
A user without a Subsession row is a Web-only user
The Subsession row shows the SSL VPN IP address assigned to the user (here, the user fortinet)
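The same information, and the ability to end a session from the gateway side, is available from the CLI. These commands are an added example, not part of the original module; they are the FortiOS 5.0-era commands as the editor recalls them, so verify each with "?" on the unit before relying on the exact syntax. The session index values are assumptions.

```fortios
# Added example, not from the original module. Assumed FortiOS 5.0-era syntax;
# verify with "?" on the unit. Index values below are assumptions.

# List current SSL VPN sessions: user, source IP, mode (web or tunnel) and the
# tunnel IP assigned from the pool. This is the CLI view of the SSL VPN Monitor.
get vpn ssl monitor

# Tear down a session from the gateway. The index comes from the listing
# above; ending a tunnel also expires its firewall policy authentication
# session (policy de-authentication).
execute vpn sslvpn del-tunnel 1
execute vpn sslvpn del-web 1

# Trace the SSL VPN daemon while a client connects, for example to see why a
# host check or an authentication attempt failed. Turn it off afterwards.
diagnose debug application sslvpn -1
diagnose debug enable
diagnose debug disable
diagnose debug application sslvpn 0
```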


SSL VPN Access Modes

Web-only:
No client software required (web browser only)
Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
Java applets for RDP, VNC, TELNET, SSH

Tunnel:
Uses FortiGate-specific client downloaded to PC (ActiveX or Java applet)
Requires admin/root privilege to install network tunnel adaptor

Port Forward:
Java applet works as a local proxy to intercept specific TCP port traffic and encrypt it using SSL
Applet is installed without admin/root privileges
Client applications must point to the Java applet

Labs
Lab 1: SSL VPN
Ex 1: Configuring SSL VPN for Web-only access
Ex 2: Configuring SSL VPN for Tunnel mode


Classroom Lab Topology
