FortiGate SSL VPN Configuration (FortiOS 6.4.0 Basic)

in today’s video we’re going to talk about how to set up remote access to your system applying SSL VPN it’s included in the FortiGate it’s very straightforward and it’ll obligate your remote work infinitely better for you and your organization stay sung[ Music] – good evening ladies and gentlemen so I had a few people send out requests questioning precisely about remote access to their network a lot of the questions had to do with whether or not to use IPSec passages for for dial-up customers or SSL VPN and mostly the posture on that is I personally wish SSL VPN because it tends to get through networks easier I’ve run into some situations for inns and whatnot were blocking the necessary ports and etiquettes for IPSec to go out so even though it’s faster usually SSL VPN tended to be the most successful and basically what we’re going to do in this video is we’re going to cover everything necessary to configure remote access to your work network via your FortiGate free of charge other merchants blame licensing rewards and things like that for this so this is one of the really good the advantages of the FortiGate a couple of things you need to take into consideration this video is going to be a very simple deployment this is our crawl before we move before we lead scenario so what we’re looking at here is regional Ithaca ssin meaning that you have to create user accounts on the device itself we’re also configuring this manoeuvre so that you’re accessing resources via the IP not by hosting this is going to be the bare metal most naive goal for you to set up an enter position SSL VPN remote access connection to your FortiGate in future videos we’ll talk about how to configure DNS suffixes specific DNS servers for those users specific subnets and access for those working customers etc but this is basically just so you can get it install it on your machine and play with it and get familiar so we’re going to need to create SSL VPN user groups SSL VPN useds and be designated to safe radicals we’re too going to have to configure the portal which we’ll go over in this video as well as mapping that group to that portal and then of course we need policy configured to allow this traffic digiverse another thing that we’re doing on this video is something called split tunnel that planneds exclusively traffic that’s interesting to the network we’ll go over these associations so if your office network is 10 100 100 0/24 and your remote on a 7 that basically that what what that symbolizes is we’re going to configure it so that a 10.1 hundred 100 itinerary does installed when you are connect wanting simply traffic destined to that subnet will go over the passage for those of you that may not know there are two different types of tunneling there’s separate routing divide road tunneling which mostly conveys simply interesting congestion becomes out and then there’s full passage which violences all traffic over the SSL VPN connection full passage constructs feel in organizations where you have higher security standards and you have to make sure that those consumers are using your situate entanglement filter or proxy or things like that so with that being said we’re going to jump into our lab 61 for to Wi-Fi 4 to Wi-Fi 61 II and we’re going to configure those steps as mentioned so that it’ll listen for us to sell VPN accordingly so let’s go ahead and we’ll jump in and direct that so what we’re looking at here is I’m logged in to my for to Wi-Fi 61 II this invention is running code 6.4 but this doesn’t mutate much between the versions the regional subnet on this one from the inside are those two test subnets from the other other epoch so we have one on 2.16 8.1 and speck – that’s Wi-Fi and our data is various kinds of inconsequential for this video because it could be anything that’s a variable that you can update so if your residence structure or your office network is 10 0 10 or 10 to 5000 you know etc you can you can set that up the same way you really alter the actual subnet in question so what we’re looking at now as first things firstly we need to create the group and basically under consumer and then ocation user groups we’re going to create an SSL VPN radical now remember this is a basic deployment we’re not trying to get fancy now so whilst our group is going to be simply referred we’re going to call it SSL VPN so we’ll create a firewall group entitled SSL VPN and then we’ll click OK you’ll notice that there’s various types here firewall is the one that you want for this scenario you can actually have your FortiGate used for it in that single sign-on using the single sign-on agent you can have it use radius and you can also have it use remote radicals via LDAP authentication firewall groups are able to be used for a multitude of things one of which is authentication for SSL VPN so like I said for this one we’re gonna use firewall and we’re just going to name an SSL VPN to keep it simple so we click ok now so now we have our user group this is the group we’re going to tie to our SSL VPN but just for chuckles we’re going to make this Mike account and we’re going to assign it to that user group actually even better we’re gonna create a new used so you can get strolled through that process just like with the user group there’s a multitude of options that you can use when creating your user this scenario is going to use a neighbourhood customer we’ll do more videos in the future that discuss the other options and where they may or may not be viable for you so we click local consumer go to next I’m gonna say SSL VPN customer from my username this is just a dummy account that we’re working SSL VPN password for the password is easy click Next for contact information I’m going to enter exams that come tocome to bring out my Microsoft fun you are able to configure two-factor on this as well as SMS and things like that for now we’re going to leave it space because like I said this is our basic record just getting started right and then we’ll click Next and you see that there’s an extra info division the extra info division is where you would say whether or not the account is active enabled or incapacitated and then the user group that you wish to place it in upon initiation we’re going to check that checkbox for consumer group and then we’re going to select this little empty box now and it’ll inhabit this right pane this right pane the only group that exists on this particular FortiGate is sslvpn so we will select that and as you can see it gets inhabited over here on the left and then we will click close and then click Submit so our details generated our customer radical has created our history is a member of that user group so now we have to configure our actual entrance so if we come over here to VPN on the left side we can click SSL VPN establisheds which is overall settings for the machine you can make it listen to any interface for sslvpn you are eligible to make it listen to specific boundaries for sslvpn so for instance to finally wanted this to listen to the outside it would listen since my device is gripped by zones I only have inside and outside as options but basically that represents it’s going to listen to any and any boundary that is in the outside zone it’ll actually listen to that interface for sslvpn so as you may have noticed I don’t use the standard four four three port for administration I use ten four four three on this particular device I do that because SSL VPN implementations 443 and usually when you’re deploying this in an environment where you have n users that may not be as technically savvy or anything like that usually keeping it as straight as possible is the best route to go so we have our interface that we’re listening on is the outside so both win one and win two if they were both had IPs we’re listening on port 443 which is the default for SSL VPN and then of course we are able to limit access to specific hosts or we can allow any emcee to connect for the purposes of the this video we’re going to use allow access for countless legions but you could whitelisted we’re only sure-fire external IPS could actually connect to this connection our idle logout is three hundred seconds which symbolizes three five minutes or so without any access or traffic going across and it’s going to disconnect the user server certificate this is the built-in for Dannette cert if you have a domain that you were going to point your consumers to maybe VPN dot you know domain comm you could get a wild-card cert or a cert specific to that sub domain set it on your FortiGate and elect that now and I’ll keep the certificate error from picturing up for the sake of this video that we don’t have that it’s a little bit more extort in it’s a gadget thing it’s absolutely not necessary but if you want to have a refined ogle and you want people to trust your VPN specially if it’s for a design or an organization like that it’s best to have a certificate positioned there we don’t require a client certificate because we’re not expend our credentials for authentication our tunnel state locations you can do two things you can have it automatically assign IP address which means it’s going to pull from whatever the default range is or you can select a specific range so here I have it set to use SSL VPN tunnel address 1 this is a default address object range that comes on the FortiGate and for the sake of this video it’s 10.2 12.1 3 4.2 hundred through fleck 210 and just for reference it’s been that mode for years you can expand this stray so if you need more than 10 useds to connect at once you can I usually make it the whole slash 24 but as you can see we have this configured accordingly so basically when you are connect the SSL VPN you will pull an IP address within this range next we’ll have DNS server same as consumer organization DNS so we’re going to leave that as a default for now now if you were in a situation where you had internal DNS you could characterize it here and actually have your internal DNS utilized it helps make and resolve resolution of entries via hostname easier but for the sake of this video we’re utilizing IPS we’re not abusing fqd goals our thin ocation portal planning this is where we need to map the user to a portal that we’re going to create we’re going to come back to this later so we just go ahead and click apply our provides are saved so now we need to create our portal the FortiGate out-of-the-box comes with two different access states web access and full access well then not access modes their entrances that have been pre-configured to facilitate certain types of access so for full access you can actually go to you know your IP: 443 and it’ll establish you a network entrance where you can log-in to SSL VPN that acces it’s very good for useds that don’t know how to use SSL VPN clients and maybe you simply want them to have access to certain resources so you can create a portal that has bookmarks RDP bookmarks and turn that website wording but once things of that nature I’ll go ahead and edit now list you can create predefined bookmarks and as you can see I have a bookmark to fortinet guru com you can create more and they can be FTP RDP SFTP etc so if you demand maybe it’s a mainframe person and they only need to ssh access to a very specific device you don’t want them connect via full passageway so you just let them use the web portal you could set up the bookmark for them ahead of time this video we’re going to act like we’re causing them use SSL VPN to connect so they can you know dive in RDP RDP to their desktop punched internal entanglement riches use printers things of that mood so so we’re going to go the default full access and we’re going to clink Revise and we’re just going to look through as you can see the tunnel procedure by default is set to full passageway it’s not separate routing at all we’re gonna fix that for this this is just the default portal entanglement mode is enabled which lets us do those things that I mentioned previously and then tunnel mode is enabled which makes forward a buyer actually build a connection to the FortiGate so we’re going to create a brand-new portal and we’re just going to call it SSL VPN it’s usually really good to specify these things based on function so for instance the defaults are full access and entanglement access so we’ll merely call this one SSL VPN full for the sake of the video we’re going to enable passage mode linkages and we’re going to split tunneling because we only demand interesting freight which is traffic that’s trying to go to 192 168 scatter one or one nine two one six eight scatter to those two gash 24 is to access this system so for routing address which is where we’ll actually enter the subnets that we wish to push down to the forticlient we’ll go ahead and aim those up here and these are just address objectives so when I cause these really quick for the sake of time then we got dot two so we have our to address objects we’ll adopt both of them and click close on this pane now what you see here is split tunneling is enabled so their Internet’s not going to go over this tube merely stuff that’s destined to these two subnets delight take note by the way while we’re talking about this if there is subnet overlap between your residence structure or your remote network and the network that you’re trying to remote access shenanigans almost always exists the best road and the most straightforward way to actually alleviate this in simple setups is just to make sure that you use a non-standard network for your work or your residence or whatever almost everybody usages 192.168.1 or 192.168.0 so I like to use 10 dot what Evers and go higher up in the compas so our generator IP ponds are the IP that we’re going to assign I know we configured it on the SSL VPN locates page but that’s a world-wide mastery the portal can actually be more specific so for instance “youve had” SSL VPN DNS exploration or suffix configured on the world parameter you can actually exclusively given particular DNS as sure-fire suffixes many servers things of that sort at the portal level so perhaps user as a are part of SSL VPN goes DNS service 1 maybe SSL VPN experiment its DNS servers 2 there’s a lot you can do there you can enable your client to save their password it’s easier for most best insurance tradition I frequently keep it off residence check is how you’re actually able to make sure that they have specific parameters set on their manoeuvre do they have antivirus is a real-time do they have a firewall but are both enabled etc and it’ll actually keep them from connecting if they don’t meet your security constants you can also limit it to where merely particular versions of Windows are allowed for instance Windows 7 shall cease to be subscribed it’s usually good to really block that 6.4 and 6.2 shaped it much simpler to configure this in the GUI generally you set these parameters in the CLI on older forms but we’re not doing house check or OS version checking because this is the basic setup I just wanted to cover that with you web state will be enabled we will leave it as is so we will click OK and that’s our portal so now we’ll go back to SSL VPN installs which in theory we probably could have just did the entrance firstly but it’s good to discuss both of them anyways because of the world-wide name versus the portal specific and then down here in the authentication entrance mapping segment we’ll click initiate new we’re going to select our SSL VPN user group and we’re going to be designated to the SSL VPN portal which is the one that we just appointed you could just throw them in the full access entrance that’s there by default and then stimulate revises to that portal to meet your needs but to follow suit on this video like this and as you can see it populates it now which necessitates if a used is part and parcel of the sslvpn group and they try to connect with forticlient they will get assigned to this portal and whatever assents are all out there look like a fly so we’ve created our ssl VPN user group we’ve created the user we’ve added the user to said radical we’ve configured our portal and we’ve configured the SSL VPN settleds to listen on the appropriate ports and to ascribe a specific portal to a certain user group now the one thing that’s left is our policy to allow the actual useds to connect simply go to policy and objects firewall programme and go to create new we’ll summon this SSL VPN in now remember this is only split tunnel traffic so the only subnets they’re going to be able to access are 192.168.1 and are as the firewalls concerned started on that interface that SSL VPN interface in that IP array good enough freedom but you also have to define the user group this is where you can actually come fairly granular on locateds maybe you miss SSL VPN users to only be able to access certain resources you could adjust that here but this is a simple one so we’re just make an SSL VPN so if they’re coming from the sslvpn boundary to the outs to the inside interface and there are a member of the sslvpn address gap and the sslvpn used we’re gonna allow them the attack or not attack to access these two systems if you tried to click all here it would complain because it’s not a full tunnel linkage when you’re using separate routing you have to be specific with your subnet if this was a full passageway without separate routing you could select all because you would also have to connect or create an SSL VPN to internet tie plan because otherwise they wouldn’t deal with access to the Internet our service we’re gonna give this be all we’re not gonna cyberspace it’s a structure that discontinues on the firewall so it’s not like we have to hide it or dealing with this problem or intrigue in there anything like that and then we will apply our relevant programme give now we’re not make DNS filtering because DNS traffic will not be reaching this we’re not going to do network filtering either simply antivirus to make sure if it is a you know a machine that has a defect on it or something and app command so that we can make sure only what we want comes across and we’ll clink OK and and that’s basically it we’ve run through everything that we need to do in order for this to connect let’s see here I’m gonna add a brand-new alliance what I call it SSL begin test this is how you configure the forticlient by the way so you propel for the client you got to add a brand-new tie-in let’s start you can name the connection whatever you wish whatever’s relevant for you my remote gateway is Tim not 100 -1 20 it’s listening on the default port so I don’t have to change this do not warn on spurious server authorization because I do not have an actual non revoked non invention specific credential positioned and I merely don’t want to see the error message there’s no consumer authorization because we’re not doing that for one of the purposes of our authentication and click Save and then we use SSL VPN customer and I think it was SSL VPN password was the password Connect and in theory this will connect right up and it does so it’s in there and now if I pull up command prompt I’m able to ping I don’t know if I have being enabled on this one yeah so let’s taken to ensure that yeah I don’t have ping enabled on that one but as you can see I’m able to smack the appropriate resources if there were manoeuvres behind it it would work like a champ so there you have it remote access to your fortigate from anywhere there’s no licensing restrictions or anything like that you’re mostly limited by the capability of the box for Danette has maximum SSL VPN user counts but they’re recommended they’re not hard change counts meaning you could if you’re not doing much with the box other one is you can get a lot out of it so you are familiar with only remember you got to create your customers and your used group consumers have to be inside user group configure your portals configure your provides and delineate list portals and then configure your programme and test that’s how you set up remote be made available to your FortiGate from afar you don’t have to pay for any shitty licensing like you do with Cisco and other merchants opening that did a good job in that regard so hopefully that helps you out if you have questions or observes please as always affixed them in the comments below I’d love to see them that’s what we use to get the channel Rocking so if you like videos like this and you would like to see more like it please do me a kindnes and subscribe and touched the apprise Bell so you get notified when new videos come out that helps build the path and of course your collaboration and correspondence with me too help build this into what it is we’ve traversed 6,000 customers and we’re steadily growing we’re very happy with that but I’m only as good as what you guys need right my expend examples might be different so yeah berth below like agree thumbs up and until next time guys stand safe[ Music]

You May Also Like