Basic SSL Web Portal Setup

Good afternoon guys, Mike here from Fortinet Guru. This video is going to be a back-to-basics that goes into some explanations of SSL VPN and the various different ways. It's just going to be a run-through; I'm gonna have another video that actually goes into detail as to how to configure it and how to troubleshoot it as well. The troubleshooting one will be more advanced, but with that being said it's relatively... it's not super complicated or anything like that.

So that's the SSL VPN. Basically the best way to look at it is: you're out and about, you're remote, and you want to be able to dial into your headquarters or your home network, whatever location the FortiGate is housed in, and then gain access to those resources that are behind said device. Most common application is consultants that are on the road, or maybe doctors that are bouncing around from medical institution to medical institution; they have to be able to phone home to their headquarters to access files or servers or anything like that that they keep in one specific location. And of course SSL VPN uses SSL, so it's encrypted and it's secure. Don't get this confused with IPsec VPN: if you're using FortiClient or any of the other vendors like Cisco AnyConnect and things like that, the end client is able to do IPsec, but for the sake of having the most success you want to use SSL VPN because it goes out over 443, which means most hotel Wi-Fis and hospital Wi-Fis and things like that aren't going to kill it, which means when your guys get on site they don't have to worry about being up the creek without a paddle, right?

So, general concept: my laptop has FortiClient on it, I tell it to remote connect, and if I'm doing split tunneling that means all my internet goes out my standard way from wherever I am; I can still access resources that are local to that network. Or, if the FortiGate administrator enables full tunnel, that means all my traffic gets pushed through the VPN, and logically and everything it looks as though I'm on that network. Only when you do full tunnel you lose access to local resources and things like that, so just be wary of that. Gotchas for each of them: if you use full tunnel you need to have an SSL VPN policy to whatever resources you want to access, but you also need an SSL VPN to the Internet interface policy built, because your internet surfing is going to go through that route as well. Split tunnel is usually a little bit more lightweight and preferred for a lot of organizations; the catch there is that if your central network and the network that you're on overlap as far as subnet space, you can get some wonky behavior there. So, things to be wary of.

Anyways, I'm going to switch over to my screen now. So this is the VPN section of a FortiGate, and this particular gate is running code 6.0.2, and the area that we're going to be interested in mostly is the SSL VPN section, so I'm going to comb through these. First things first is your SSL VPN portal. This is where you create custom portals and whatnot for users or groups that you want to behave differently. The ones that come in the box are web-access, tunnel-access and full-access. So what full access means is that they can use a FortiClient, they can connect in and access resources directly as though they're on the network, and it runs through tunnel mode. Split tunneling: if you enable split tunneling you have to tell it what the local subnet is, reason being is because whenever the end user connects it's going to install that route on their machine and say "hey, to get to this address space, go out through your FortiClient." If you uncheck split tunneling, that's full tunneling, which means that everything goes over, just like you're local to that machine. IPv6 tunnel mode we're not going to cover right now; most environments still don't use IPv6, and to be honest IPv6 is a little bit more complicated for most people, so we'll make that a more in-depth video.

So this tunnel mode is specific to FortiClient connecting, and full access gives people access to both tunnel and web mode, so they have some flexibility there. Web mode is specific to people accessing resources through the portal page. Usually in situations like this you don't trust your end user to be intelligent enough or knowledgeable enough (they're not stupid, they just don't know, right? they're ignorant to the fact) to be able to get to the proper resources, so you want to streamline everything and make it easy. So on web mode you can give them a custom portal name, things like that. For instance, this is going to be "Mike's demo portal", and for my theme I want it to be red, and for my bookmark we'll say fortinet.com. Now this is just for example; usually what you want to do here is you want to have internal intranet websites accessed from here, but that's just an example bookmark so that when we log in you can see it. But you can show the login history, so they'll get a little prompt that shows them we know when they were logged in and things like that, and then you can even give them the ability to download FortiClient if they don't already have it. Now since this is full access, obviously that makes sense. You're not limited on the bookmarks; you can do web, Citrix if you're doing VDI or something like that. The brilliance of the web portal is you tell your users to go to https://vpn.company.com and they have icons once they log in, which are defined by these bookmarks, right? And it gives them the ability to access the resources that they should have without having to know how to use remote desktop or how to set up an FTP client or anything like that. It just keeps it simple for your general users. And of course the bookmarks are defined based on the user group that's associated with the portal, so if you have accountants you just create an accountant portal with accounting bookmarks and you assign that group to it. It's just so simple.

So this is my demo one; it's full access. You have to have policies set up. So right now I have it told to listen to my outside interface, which is wan1, and wan2 tied to it; allow access from anyone; idle logout, you can make it actually kick people off whenever they're logged in; require client certificate, that's if you're using PKI or something along those lines that actually gets people set up a little bit more. With regards to tunnel mode settings, you can actually define what DNS servers users get whenever they connect, so you might have DNS servers that are only available to SSL VPN depending on how your segmentation is done, so that might be a good idea. And then of course you can allow endpoint registration for your FortiClient.

Now what I'm going to do is just say, you know, all users have full access. No, even better, I'm going to create a user. So User & Device, Groups, create a new group, we'll call it SSL, or we'll call it full-access. Remember, we'll create a user next; call this one mike, create a password of mike123, continue, continue, and we'll assign them... oh, it was not created yet; submit. No, no, submit. Select them here. Okay, cool, that's my full-access group, it has my mike user in there. Go back to the VPN portal; full-access, that's configured exactly how it should be. So under settings I'll just say, you know, create new: if you are a member of the full-access group you get the full-access portal. Boom, pretty straightforward, right? Listen on this interface, allow from any host. I don't have to worry about assigning any real DNS servers here because this is just a demo, but you know, you would want to list your internal DNS server so that name resolution and things like that work fine. And then full-access users/groups, give them the full-access portal. Okay, because I'm using the built-in cert, that's why I have all the ugliness up there. And for the sake of this, just create some policy and call it "SSL VPN in", and it'll be SSL VPN to inside, user full-access to all resources. Oh, no NAT, okay. It helps if I actually put the address. So on SSL VPN policies, by the way, you have to list not only the source address space but you have to list the group that's associated with it, because all your policy is gonna be driven by that, because obviously if they're a member of mechanics they don't need to be a member of them to access this. This is my policy to allow that.

So now let's launch this real quick. This is my portal page; I can launch FortiClient and log in. My username was mike, and I think my password was this. Boom, I'm in. It's red because that's what I told it to be, "Mike's demo portal", and here's my bookmark. Now obviously it's not gonna work because it's not within my area, right? But you would build your icons to RDP or to FTP or to your Samba shares and all that, and then the person, they don't need FortiClient to actually access it, which is beautiful. And of course the end user can actually build their own as well, but you could also take this away.

So that's a real quick high-level on SSL VPN using the web portal page. Portal is usually the most convenient, especially for folks that are bouncing from device to device; it keeps their bookmarks centralized, limits exposure to the resources, because if they're tunneling in and their device has malware or something malicious on it... and your host checker, which is a whole other topic, but you can actually make FortiClient scan the machine and make sure it meets certain criteria before it allows them to connect to your network, which is beautiful, right? But, you know, something gets by that and bad stuff hops on your network because of the way your full tunnel was configured, obviously you're gonna have a real bad time. So the web portal does a very good job of mitigating a lot of threats while still providing the availability, right? And at the end of the day (and this is probably gonna make a lot of security folks upset, because by default security people want to cut access to the bare minimum, right?) at the end of the day risk is a business decision, not an IT decision. If the organization says it's an acceptable risk to provide people remote access, SSL VPN and SSL portals and things like that are a very, very solid solution to provide the access that's necessary, the availability of the CIA triad, without nuking integrity or confidentiality. So obviously you build your security program around your organization, and SSL VPN is an awesome way to get what you need. So any questions specific to this, please don't hesitate to ask below. This is just a quick run-through. I'm gonna do a demo on how to do a split tunnel versus full tunnel and a comparison of the two on video so that you can actually get a real-life drill-down. But it's powerful; you guys all enjoy it. So thank you.
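As an added example that is not part of the video or its transcript: the same walkthrough (address object, local user and group, full-access portal with split tunneling, SSL VPN settings, and the inbound firewall policy) expressed in FortiOS CLI, so the GUI clicks above can be reviewed as text. Interface names (wan1, internal), the 10.0.0.0/24 LAN, the 10.0.0.53 DNS server, the bookmark URL and the password are constructed placeholders; SSLVPN_TUNNEL_ADDR1 and Fortinet_Factory are the default object names a FortiGate ships with. The comments mark the one-line change that turns this split tunnel into a full tunnel and the extra policy that full tunnel then needs.

```fortios
# Added example (not from the video or Fortinet): CLI form of the GUI steps above.
# Placeholders: wan1/internal interfaces, 10.0.0.0/24 LAN, 10.0.0.53 DNS, password.

# Address object that split tunneling pushes to the client as a route
config firewall address
    edit "LAN_subnet"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Local user and the group that both the portal mapping and the policy key on
config user local
    edit "mike"
        set type password
        set passwd "CHANGE-ME-placeholder"
    next
end
config user group
    edit "full-access"
        set member "mike"
    next
end

# Portal: tunnel mode + web mode, split tunnel limited to the LAN, red theme,
# login history, FortiClient download, host check, one example bookmark
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_subnet"
        # Full tunnel instead: "set split-tunneling disable" and add the
        # ssl.root -> wan1 policy at the bottom, since web browsing then transits the VPN
        set host-check av
        set theme red
        set heading "Mike's demo portal"
        set display-history enable
        set display-bookmark enable
        # "disable" takes away the user's ability to add their own bookmarks
        set user-bookmark disable
        set forticlient-download enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "fortinet.com"
                        set apptype web
                        set url "https://www.fortinet.com"
                    next
                end
            next
        end
    next
end

# Global SSL VPN settings: listener, address pool, DNS pushed to clients, group -> portal mapping
config vpn ssl settings
    # Built-in cert is what causes the browser warning in the video; use a CA-signed cert in production
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set dns-server1 10.0.0.53
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set port 443
    set idle-timeout 300
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "full-access"
            set portal "full-access"
        next
    end
end

# Inbound policy: tunnel address pool AND the group, as the video stresses; no NAT
config firewall policy
    edit 0
        set name "SSL VPN in"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "full-access"
    next
    # Full tunnel only: a second policy from "ssl.root" to "wan1" with "set nat enable",
    # otherwise clients lose Internet access once their default route points into the VPN
end
```

Pasting this into the CLI in the order shown matters: the address object, user group and portal must exist before the settings and policy reference them. The `set groups` line on the policy is what ties access to group membership, so a user in a different group who lands in the same tunnel pool still matches no policy.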
Channel: Fortinet Guru
Views: 13,254
Rating: 4.8518519 out of 5
Keywords: sslvpn, ssl vpn, web portal creation
Id: dgFM-5k1h6A
Length: 14min 12sec (852 seconds)
Published: Thu Oct 04 2018