>> In this video, you will learn how to configure SSL VPN for a remote worker to connect to a FortiGate protected network, and enforce your security policies. You'll create a remote worker named Jack. When Jack works at home or on his travels, he can go to the web portal using any device with Internet access and FortiClient. The SSL VPN tunnel provides an encrypted communication path for Jack to connect to internal network connections and protected Internet access.
First, you are going to set up the VPN portal for both tunnel mode and web mode. Edit the full-access portal. Do not enable split tunneling. This will keep all your Internet traffic going through the FortiGate unit and subject to security profiles. Also enable status information, connection tool, and FortiClient download. Prompt mobile users to download the FortiClient app. Enable user bookmarks and select Create New in the predefined bookmark area. Bookmarks are used as links to internal network resources.
To connect to your Windows server, add a bookmark for a remote desktop connection, and set the category to Remote Desktop. For the name, enter Windows Server. Set the type to RDP. Enter your host's network address. For the username, enter Jack. Enter a safe password. The same username and password you just entered will be used in the next step to create the user Jack.
Next, go to User and Device, User, User Definition to create a remote user. For the username, enter Jack, and enter the same safe password. Add the email address, phone number, and service type. Then go to User and Device to create a group for your remote user. Create a user group for SSL VPN connections. Set the type to Firewall, and add Jack as a member.
Before you begin, ensure that your SSL VPN tunnel address range is different from that of your internal network. Go to Policy and Objects, Objects, Addresses to add an address for the local network. Create a local LAN address with the local subnet and ensure Visibility is selected. Settings to define how users can connect and interact with SSL VPN portals on your FortiGate. Set Listen on Interfaces to your external interface. Listen on port 443 and allow access from any hosts. Select Specify Custom IP ranges and set the IP range to the SSL VPN tunnel. Under Authentication Portal Mapping, add the SSL VPN user group.
>> Go to Policy and Objects, and create two security policies to allow internal network access and Internet access. Create the first policy. Set the incoming interface to the SSL VPN tunnel interface ssl.root, the source address to SSLVPN_TUNNEL_ADDR1, the source user to sslvpn_group, and set the outgoing interface to your internal interface so that the VPN traffic can flow between the remote user and the FortiGate. Set the destination address to your local LAN address. Enable NAT and configure any remaining firewall and security options as desired.
Next, create a second security policy, allowing SSL VPN access to the Internet. Set the incoming interface to the VPN tunnel interface ssl.root, the source address to SSLVPN_TUNNEL_ADDR1, the source user to sslvpn_group, and the outgoing interface to your external interface, which is usually wan1. Set the destination address to all and configure the rest as normal.
Finally, set your FortiGate unit to verify that users have current antivirus software. Go to System, Status, Dashboard, and open the CLI console. Enter the following commands:

  config vpn ssl web portal
  edit full-access
  set host-check av
  end

These commands enable the host to check for compliant antivirus software on the remote user's computer.
Settings and find your web mode URL to access the VPN portal. Log in to the portal using Jack's user credentials. The FortiGate unit performs the host check. After the check is complete, the portal should appear. You may need to install the FortiClient application using the available download link. Sign in to the FortiClient application with Jack's user credentials for remote access. Connect to the SSL VPN tunnel. Select the bookmark Remote Desktop link to begin an RDP session with the Windows Server. Ensure that you can successfully browse the Internet. Then quit the Java applet. Then go to VPN Monitor, SSL VPN Monitor to verify the list of SSL users.
Thank you for watching. For more information, you can access Fortinet's documentation library at docs.fortinet.com.