
Workspot Configuration Guide for the Fortinet FortiGate Firewall

Workspot, Inc.
4/8/2016
Fortinet FortiGate and Workspot Overview

The Fortinet FortiGate provides comprehensive threat protection with firewall, VPN (IPsec
and SSL), intrusion prevention, antivirus/antispyware, antispam, and web filtering
technologies. The platform also provides application control, data loss prevention, dynamic
routing for IPv4 and IPv6, endpoint NAC, and SSL-encrypted traffic inspection.

Once the FortiGate is installed on-premise or in the cloud, Workspot can be quickly
implemented as no additional hardware or software is required. The Workspot Client
securely connects to internal applications and services using the FortiGate SSL-VPN
feature.

For more information on the Fortinet FortiGate, go to: http://www.fortinet.com/products/fortigate/index.html

The Workspot Client runs on Windows PCs, Macs, and mobile devices; Workspot Control,
a corresponding cloud-based administration console, is used to manage configuration and
policies for the environment.

For more information on Workspot, go to: http://www.workspot.com

Products and Versions Tested

The information and screens in this guide are based on the following:
FortiGate VM64, firmware Version v5.4.0,build1011 (GA)
Workspot Control (Release 4/7/16)

Prerequisites and Configuration Notes

The following are general prerequisites for this guide:

FortiGate firewall version 5.0 or later.
FortiGate administrator access.
FortiGate configured for both inside network and Internet connectivity.
An authentication server such as Microsoft Active Directory (AD) using LDAP or RADIUS.
DNS FQDN names or IP addresses for internal web apps, CIFS file shares, Remote Desktop Services (RDS) servers and RemoteApps.

Configuring the FortiGate involves the following configuration steps:

1. SSL-VPN User Group
2. SSL-VPN configuration

This document contains Workspot proprietary information and is not to be disclosed to unauthorized persons.
Version 1.1 pg. 1 of 12
3. SSL-VPN policy
4. SSL-VPN portal (optional)
5. Configuring the FortiGate in Workspot Control

If a FortiGate SSL-VPN configuration already exists and supports web-access and AD
authentication, go to Testing the Configuration. If the testing fails, verify the settings shown
below, clone the current setup, and update specific settings where needed.

FortiGate Configuration for Workspot

These steps outline the basic configuration of a FortiGate firewall to support Workspot. Sign
into the administrator console.

1. Configure a User Group for the Workspot users. Go to User & Device > User Groups
and click +Create New.

a. Enter a name for the User Group: Workspot SSL VPN Users.
b. Under Remote groups, select + Create New.

c. Select the AD authentication server from the list of Remote Servers. Then click OK
and then OK again to save.

2. Configure the SSL-VPN. If the SSL-VPN is already configured, verify the following
settings. Go to VPN > SSL-VPN Settings

a. Set the Listen on Interface(s) to the interface connected to the external network.
b. Set the Listen on Port to the HTTPS port. If port 443 used for the SSL VPN is on the
same interface as the administrator interface, then the administrator HTTPS port
under System > Settings must be set to another port, e.g. 10443.
c. Select the SSL Server Certificate obtained from a Certificate Authority and imported
into this FortiGate. Otherwise, the Workspot users will be prompted to accept the
self-signed certificate when connecting to the SSL VPN.
d. Under Authentication/Portal Mapping, select +Create New.

e. Select Workspot SSL VPN Users and web-access, then click OK.


f. Click Apply to save the configuration.
g. At the top of the page, click the message "No SSL-VPN policies exist. Click here to create a
new SSL-VPN policy using these settings" and go to step 3a.

3. Configure the SSL-VPN Policy. Go to Policy & Objects > IPv4 Policy and click +Create
New.

a. Enter the policy name: Workspot SSL VPN Policy.
b. Select the Outgoing Interface which is connected to the external network.
c. Select the Source Address: All and the User: Workspot SSL VPN Users.
d. Select the Destination Address: All.
e. Select the Service: ALL then click OK to save.

Note: The Incoming Interface must be set to SSL-VPN tunnel interface.

4. Configure the SSL-VPN Portal. Go to VPN > SSL-VPN Portals and select web-access
and click Edit.

a. Verify that Tunnel Mode is OFF and Enable Web Mode is ON.
b. Verify that the Show Connection Launcher is ON. This setting is not required for
Workspot but will allow a standard browser to test the FortiGate configuration; other
settings are also optional.
c. If modified, click OK to save the configuration.
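
The settings verified in steps 2b, 3 (the Incoming Interface note) and 4a can also be checked against a configuration backup. The following is an added example, not part of the original guide and not Workspot or Fortinet code; the sample backup is constructed, the function names are hypothetical, and the CLI key names (admin-sport, tunnel-mode, web-mode, srcintf) and the ssl.root tunnel interface name are assumed to be the CLI equivalents of the GUI fields above.

```python
import re
# Constructed sample in FortiOS backup syntax; all names and values are made up.
SAMPLE = """
config system global
    set admin-sport 443
end
config vpn ssl settings
    set port 443
end
config vpn ssl web portal
    edit "web-access"
        set tunnel-mode enable
        set web-mode enable
    next
end
config firewall policy
    edit 7
        set srcintf "port2"
        set groups "Workspot SSL VPN Users"
    next
end
"""

def parse(text):
    """Flatten config/edit/set nesting into {(section, [entry,] key): value}."""
    out, stack = {}, []
    for line in text.splitlines():
        w = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if w[0] in ("config", "edit"):
            stack.append(" ".join(w[1:]))
        elif w[0] in ("end", "next") and stack:
            stack.pop()
        elif w[0] == "set" and len(w) > 2:
            out[tuple(stack) + (w[1],)] = " ".join(w[2:])
    return out

def audit(text, group="Workspot SSL VPN Users", portal="web-access"):
    c, bad = parse(text), []
    get = lambda *k: c.get(k, "")  # keys absent from the backup read as ""
    if get("vpn ssl settings", "port") == get("system global", "admin-sport") != "":
        bad.append("2b: SSL-VPN and admin HTTPS listen on the same port")
    web = "vpn ssl web portal"  # step 4a: Tunnel Mode OFF, Web Mode ON
    if get(web, portal, "tunnel-mode") == "enable" or get(web, portal, "web-mode") != "enable":
        bad.append("4a: portal %s is not web-mode only" % portal)
    for k, v in c.items():  # step 3 note: policy for the group must come from ssl.root
        on_tunnel = c.get(k[:-1] + ("srcintf",)) == "ssl.root"
        if k[0] == "firewall policy" and k[-1] == "groups" and group in v and not on_tunnel:
            bad.append("3: policy %s incoming interface is not ssl.root" % k[1])
    return bad
```

Backups omit settings left at their defaults, so the port comparison is skipped when either port is absent; the check also does not look at which interface serves administrative access.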

Testing the Configuration

To test the configuration, use any standard browser and go to the URL associated with the
FortiGate, e.g. https://fortigate.mycompany.com/. Enter your AD Username and Password
then click Login.

On the portal screen click Quick Connection.

Then enter an internal website URL and click launch.

intranet.mycompany.com

The internal web page should be opened in a new tab.

https://fortinet.mycompany.com/proxy/http/intranet.mycompany.com

Configuring the FortiGate VPN in Workspot Control

To configure the VPN for Workspot users, sign into Workspot Control, then go to Setup >
VPN > Add New VPN, then enter a name, the external URL for the FortiGate VPN, and
Fortinet as the SSL VPN Type. Select the group(s) which will use the FortiGate and then
click Save.

Troubleshooting

<To be updated by Support team>
