Configuration of SSL-VPN on MWS HQ Fortigate100a, Version 4.

0mr3patch10
Introduction
SSL VPN access is given to users who need temporary access to MWS network, with a more refined control on who has access to what resources. Down-side to this set-up is a limited number of connection due to licenses availability on the Fortigate.

High-level procedures:
Info taken from: http://whitehat.williamlee.org/2010/05/fortigate-ssl-vpn-how-to.html 1) 2) 3) 4) 5) 6) 7) 8) Setup user group(s) that allow SSL VPN access and include intended users Setup user account(s) Setup tunnel mode IP address range Add the tunnel mode IP address range to static route Load the private key and certificate to the box Enable SSL VPN, Specify SSL VPN portal TCP port to use 8443 Create Firewall Policy to allow SSL VPN and/or tunnel mode access Restart Firewall to allow the login from web-site with port 8443

Steps to configure on Fortigate

The steps to configure are outlined below: 1) 2) Create security group a. a. b. c. 3) a. b. Go User > User group > add a new user group: VPN-Users Go User > User > add a new user Fill in details of new user Add the user to group: VPN-Users Go to Firewall Objects > Address > Address Create a new range, name it as SSL_VPN_tunnel_ip_range i. ii. 4) a. b. 5) I created a totally separate subnet (impt), so if the local subnet is 192.168.0.*, then the new range should be something like 192.168.247.* In my case, I created 192.168.247.[201-210] since I am allowing a max of 10 users. Create the static route for tunnel Go to Router > Static > Static Route Add a new static route with IP/Mask: 192.168.246.20/255.255.255.0 and device ssl.root, with no gateway details SSL Certificate a. b. 6) Go to System > Certificates Go Local certificate to look-see-look-see. Nothing to be done here since I am not going to install an SSL certificate for this login save money. To enable SSL VPN access and service a. Go to VPN > SSL > Config Create new user accounts

Create a new address group for VPN connected users

b. c. d. e. f. g. h. i. j. k. l.

Set the Ip Pools to the SSL_VPN_tunnel_ip_range I set the encryption key algorithm to high Change the login port to 8443 from 10443 DNS server 1 to the DC in my LAN (even though its different subnet) 192.168.0.1 DNS server 2 to my ISP 165.21.83.88 WINS server 1 to my DC in my LAN 192.168.0.1 Go to VPN > SSL > Portal this is to enable the tunnel mode settings for connected users There should be 1 policy there you can click SSL VPN. Right-click and choose edit Click Settings Enabled HTTP/HTTPS, RDP, PING, RDPnative, changed theme to Gray, set portal message: Welcome to Our SSL VPN Service At the tunnel mode, click on the pen to edit the settings: i. ii. iii. change IP mode to user group, set ip-pools to SSL_VPN_tunnel_IP_range, and tick on split-tunneling

m. Remember to SAVE the settings or itll not get saved, its at the APPLY button at the top of the page while in the portal screen. 7) 8) For firewall policy, see below in the Firewall Policy Configuration settings and screen-shot Verify all Admin Settings and Restart the Firewall a. b. c. d. e. Go to system > Admin > Settings Check the HTTP, HTTPS port. Ensure that all port configuration is okay. Verify the network interface for WAN1 or WAN2 are set correctly and theres no NAT in between to block the SSL VPN connection Enable PING access, HTTPs, HTTP, FMG-Access on the WAN connection that is used for the VPN Restart the firewall, go to System > Dashboard > Dashboard > Choose Restart

Firewall Rules and Configuration

As per step 7 above, we need to define the firewall configuration for access to the server(s) that connected users will have access.

Defining the servers to allow for access

address objects. 1) 2) Go to Firewall Objects > Address > Address Create new devices. a. b. c. d. 3)

We need to specify server addresses in the network address list. The first step to defining policies is to create the

Name: Server-(something), eg, Server-HR Address: 192,168.1.1/255.255.255.255 Interface: Internal Type: Subnet

Once created, we can then set-up internal rules.

Defining the policy on the firewall to allow or disallow access

After objects are created, we then can create the relevant firewall rules/ 1) First rule to create is to allow VPN connected users to access the internet

2)

Next is to allow SSL connection through from the WAN

I am using WAN2 for my main internet connection. 3) The last and final rule to make the connection work is to allow this:

Note the 29.1 as its a requirement to specify who (which user group) has access to the server.