Table of Contents
Advertisement
Configuring firewall policies
46
Configuring tunnel-mode firewall policies
Follow the procedures in this section to complete a tunnel-mode configuration.
These procedures assume that you have already completed the procedures found
in
"Configuring user accounts and SSL VPN user groups" on page
When a remote client initiates a connection to the FortiGate unit, the FortiGate
unit authenticates the client and determines which mode of operation is in effect
for the user. When tunnel mode is enabled, the user can access the server
applications and network services on the internal network if required and/or
download and install an ActiveX plugin from the web portal. The ActiveX control
provides SSL VPN client software.
Note: On the web browser, ensure that the security settings associated with the Internet
zone permit ActiveX controls to be downloaded and run.
After the user adds the ActiveX plugin to the web browser on the remote client, the
user can start the SSL VPN client software to initiate an SSL VPN tunnel with the
FortiGate unit. The FortiGate unit establishes the tunnel with the SSL client and
assigns the client a virtual IP address. Afterward, the SSL client uses the assigned
virtual IP address as its source address for the duration of the session.
To configure the FortiGate unit to support tunnel-mode access, you perform the
following configuration tasks on the FortiGate unit:
•
Specify the IP address(es) that can be assigned to the SSL VPN client when
they establish tunnels with the FortiGate unit.
•
Define a firewall policy to support tunnel-mode operations.
A firewall policy specifies the originating (source) IP address of a packet and the
destination address defines the IP address of the intended recipient or network. In
this case, the source address corresponds to the IP address of the remote user
that will connect to the FortiGate unit, and the destination address corresponds to
the IP address(es) of the host(s), server(s), or network behind the FortiGate unit.
Configuring the firewall policy involves:
•
specifying the source and destination IP addresses:
•
The source address corresponds to the IP address of the remote user.
•
The destination address corresponds to the IP address or addresses that
remote clients need to access. The destination address may correspond to
an entire private network, a range of private IP addresses, or the private IP
address of a server or host.
•
specifying the level of SSL encryption to use and the authentication method
•
binding the user group to the firewall policy
Note: If your destination address, SSL encryption, and user group are the same
as for your web-only mode connection, you do not need to create a firewall policy
for tunnel mode. The FortiGate unit uses the web-only mode policy settings
except for the source address range, which it obtains from the tunnel IP range
settings.
To specify the source IP address
1
Go to Firewall > Address and select Create New.
2
In the Address Name field, type a name that represents the IP address that is
permitted to set up SSL VPN connection.
Configuring a FortiGate SSL VPN
42.
FortiOS v3.0 MR7 SSL VPN User Guide
01-30007-0348-20080718
Advertisement
Table of Contents
