Enable SSL VPN on FortiGate and Connect SSL VPN Using FortiClient (Free Lab with Test Drive)

cc 好物分享

A secure sockets layer VPN (SSL VPN) enables individual users to access an organization's network, client-server applications, and internal network utilities and directories without the need for specialized software. SSL VPNs provide safe, secure communication via an encrypted connection for all types of devices, regardless of whether access to the network is via the public internet or another secure network. 

SSL VPN Types

There are two major types of SSL VPNs:

SSL Portal VPN

In this type of SSL VPN, a user visits a website and enters credentials to initiate a secure connection. The SSL portal VPN allows for a single SSL connection to a website. Additionally, the user can access a variety of specific applications or private network services as defined by the organization.

Users can typically enter the gateway, or the hardware on a network that allows data to flow from one network to another, using any modern web browser, by entering the username and password provided by the VPN gateway service.

SSL Tunnel VPN

An SSL tunnel VPN allows a web browser to securely access multiple network services that are not just web-based via a tunnel that is under SSL. These services could be proprietary networks or software built for corporate use only that cannot be accessed directly via the internet. This VPN tunneling technology may require a browser with additional applications, such as JavaScript or Flash, installed to display active content.

In this post, we are using FortiGate VM in Azure to configure a SSL Tunnel VPN and using FortiClient to connect to it in our Test Drive environment.  

Diagram

For FortiGate Test Drive:

Go to https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortinet.fortinet-fortigate?ocid=FortiGate_202105_landingpage_en-us  or https://www.fortigate-azure.com/. Choose a Test Drive, sign in and agree to the terms of use.

Related Posts:

Enable SSL-VPN Feature

Log into FortiGate
Go to System -> Feature Visibility -> Core Features
Enable SSL-VPN

Now, you should be able to SSL-VPN Section under VPN menu.

SSL-VPN Settings

 

1 VPN -> SSL-VPN Settings

Most settings are default. But you will need to add interface on the listen list. Ideally, change Listen on Port to a different port from 443. In this example, I am using 4443. 

note: Default tunnel user range is only 10 ip addresses. If you have more than 10, you might want to increase it by customizing a larger range there.

2 Autentication/Portal mapping

Change All Other Users/Groups to have tunnel-access to Portal.

You can have an admin group / users to have full-access to Portal. 

3 SSL VPN Client Address Range

By default, it is automatically assigned by FortiGate.

In the above screenshot, it uses automatically assign range: 10.212.134.200 -10.212.134.210

The range can be customized for larger numbers based on your usage. 

Use Fortinet_Factory Server Certificate

 To make lab as simple as we can, we are gonna use Fortinet_Factory cert.

It is possible to directly create your own certificate using Let's Encrypt. 

You might get this cert warning message when you access the portal by using default cert since it wont be able verified:

Policies and Users

 

1 SSL VPN > LAN

This firewall rule is to allow SSL VPN network to access LAN (Internal) networks.

You will need to choose incoming interface, outgoing interface, source (including users), destination, and services. Others, you can keep it as default. 

You can use NAT with outgoing interface address, which is your FortiGate LAN interface IP, or you can completely disable NAT. 

Logging is also can be enabled for all sessions. 

Here is how the SSL VPN Firewall Policy rule looks like:

2 Remote Users and Group

Create a Remote Users group. Add a couple of remote users into this group. 

3 Check Forwarded Log since we enabled all sessions logging


FortiClient Configuration and Connect to Remote

 

1 Send SSL-VPN Configuration

2 Download FortiClient
https://www.fortinet.com/support/product-downloads
3 Install FortiClient
Double click the downloaded installation file "FortiClientVPNOnlineInstaller.exe" and follow installation wizard to complete installation.
4 Configure FortiClient to connect to remote FortiGate SSLVPN Gateway 
Make sure put right public ip address and SSLVPN Port. 

Remote Access VPN (IPSec)

 

This is remote IPSec VPN configuraiton.

Enable SSL VPN Web Portal

 

SSL VPN web mode gets the error as below when configured with SAML authentication.

 

Picture1.png

 

  1. Make sure web-mode is enabled in the SSL VPN portal:

 

config vpn ssl web portal

    edit "full-access"

        set web-mode enable

 

Warning: Please note that the legacy SSL VPN web mode feature is disabled by the global sslvpn-web-mode setting.

 

Picture2.png

 

  1. As the warning displayed, web mode is disabled globally so can not enable it in the full-access portal directly.

     

    Enable the web-mode globally first:

    config sys global

        set sslvpn-web-mode enable

    end

     

Now the web mode of SSL VPN should work as expected after enabling web-mode for specific portals. To enable the web mode for specific portals run the command as shown in step 1. 

 

If the issue persists, contact the TAC team.

Note:https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-web-mode-showing-403-Forbidden-error/ta-p/297377
FortiGate # show vpn ssl web portal config vpn ssl web portal edit "full-access" set tunnel-mode enable set ipv6-tunnel-mode enable set web-mode enable set ip-pools "SSLVPN_TUNNEL_ADDR1" set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" next  edit "web-access" set web-mode enable next edit "tunnel-access" set tunnel-mode enable set ipv6-tunnel-mode enable set ip-pools "SSLVPN_TUNNEL_ADDR1" set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" next end FortiGate #

Quick test VPN tunnel by pinging to remote Ubuntu vm 10.0.3.4:
C:/Users/WDAGUtilityAccount>ping 10.0.3.4 Pinging 10.0.3.4 with 32 bytes of data: Reply from 10.0.3.4: bytes=32 time=39ms TTL=63 Reply from 10.0.3.4: bytes=32 time=47ms TTL=63 Reply from 10.0.3.4: bytes=32 time=38ms TTL=63 Reply from 10.0.3.4: bytes=32 time=38ms TTL=63 Ping statistics for 10.0.3.4: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 38ms, Maximum = 47ms, Average = 40ms C:/Users/WDAGUtilityAccount>tracert 10.0.3.4 Tracing route to 10.0.3.4 over a maximum of 30 hops 1 33 ms 36 ms 37 ms 10.212.134.200 2 34 ms 35 ms 34 ms 10.0.3.4 Trace complete.

SSL VPN FortiClient Connect to Azure VPN Gateway's Remote site

There is a special use case, which FortiGate firewall is providing SSL VPN connection, but Azure VPN Gateway provides Site to Site connection to remote site. How can we get our FortiClient to connect to remote site through Azure VPN tunnel?

1. SSL VPN Portal

Make sure add your remote site segment into Routing Address Override settings in your Tunnel-Access profile or other profiles

2. Add one route into your FortiGate routing tables. 
The gateway will be the Azure LAN network's default gateway .1 ip address.

3. Firewall Rule in the FortiGate policy enabled NAT on LAN interface.

References

https://blog.51sec.org

版权声明:
作者:cc
链接:https://www.techfm.club/p/123644.html
来源:TechFM
文章版权归作者所有,未经允许请勿转载。

THE END
分享
二维码
< <上一篇
下一篇>>