FortiGate v7.2.0 SSLVPN Configuration (Local & LDAP Auth)

Captions
Hey guys, The Network Berg here, hope you're doing well. So, another Fortinet video, and we will be diving into how to configure SSL VPN on your FortiGate device. Now I love SSL VPN because it's such a quick and easy way to get VPN up and running and to get your clients to connect to your network remotely. There are various different ways that you can connect, either using a browser or an actual client, and there are ways to set up your solutions: you can use local accounts and groups on your firewall, or you can even integrate your Active Directory with LDAP to pull groups through to the firewall to grant access. So it's pretty awesome and I'm going to show you how to use those common cases, but I also want to point out, and I'll make a separate video for it, you can even integrate this with something like your Azure Active Directory and pull stuff over SAML so you can integrate things like MFA. It's really crazy, I really enjoy working with SSL VPN so much, and it's definitely a secure way to connect to the network. Anyway, let's get into the video and focus on how to install SSL VPN.

All right, so I've got a diagram open that I created last night on draw.io. Again, it's open source, it's like Visio but it's free, so I love it. But I just wanted to explain how we're going to use SSL VPN. Now in essence you will have a client, and it doesn't just have to be FortiClient, it could be over the browser that you're connecting, but you will be connecting to a firewall to establish this SSL session in order to access any networks that reside behind that firewall, which is quite nice. I'm more inclined to use FortiClient because this establishes a tunnel between your actual machine and the firewall, and then you can push traffic over the tunnel directly so that you can RDP from your machine without making use of the browser, which is just more preferable for me, but it's definitely not needed to connect that way.

Now what we are going to be doing in this, let's say, lesson is we will be setting up SSL VPN on our FortiGate firewall. We will firstly be using a local account and just be using that for access. Then I will show you how to create a group and assign accounts to the group, still locally on the firewall, and then use that for connectivity and to restrict access based off of a group. And then lastly I'm going to show you, which I find very awesome, we're going to integrate our FortiGate with our Windows Active Directory server to pull groups from Windows to grant access, so that if anybody needs VPN access a Windows administrator can just put the user in the appropriate group and then the FortiGate can just automatically start giving those people access, because that group's been pulled and already been allocated to an SSL VPN policy.

Now there are a few things that you need to set up with SSL VPN: namely, you need to decide the mode that people will be connecting on, you need to actually set up the SSL VPN settings, and then you can kind of just test connectivity. So let's do that, let's actually go on to the firewall. I'm just going to minimize here, and here I'm on the FortiGate. Let's just go to the status so that you can see it's kind of like the landing page, and then the first thing that we want to do is go to VPN and we'll go to the SSL-VPN Portals. I just want to explain what the portals do. By default there are three separate portals: there's a web-access portal, which will only allow users assigned to this portal access over a browser; then you have tunnel-access, which does the exact opposite, then people can only connect using the FortiClient software but they cannot connect using a browser; and then lastly there's full-access, which grants them access on either method.

Now I just want to go into one of these templates so that I can show you what's going on in them, and what's nice is you will see there's something called split tunneling. Now what is split tunneling? I'm just going to give it a brief rundown, but it allows you to separate traffic that actually needs to go over the SSL VPN tunnel, because sometimes you don't want to push all of the traffic over the tunnel because it might be a waste of bandwidth, and maybe you don't want to inspect all of the user's traffic; maybe you still want them to browse YouTube over their local home connection, but if they access the corporate resources that needs to go over the SSL VPN tunnel. Now split tunneling allows you to facilitate this, where if you have it running then people will only be able to access whatever is being split-tunneled towards the firewall, or you can disable it and then all traffic will be sent over the firewall, but this means that you need to set up the appropriate firewall policies to allow users access out to the internet via the SSL VPN interface. I'm just going to leave this as "Enabled Based on Policy Destination", and all this means is, if in a policy the destination matches a specific IP or network, then that traffic will be forwarded over the SSL VPN client. Then we've also got "Enabled for Trusted Destinations", and it kind of just does the exact opposite: only client traffic which does not match explicitly trusted destinations will be directed over the SSL VPN tunnel. But we won't change anything there.

What's nice is we do have a routing address override, and what is that exactly? Well, many times when I speak to my clients I tell them, "Hey, I'm going to inject some routes into your client," and that's what I'm doing here. So if you click on this plus you can actually add whatever networks you want to inject to the clients so that it's always in the routing table, to say, hey, if you want to get to this subnet or host it will be over the client. Just one thing to note: when you do it this way a client will have to disconnect and reconnect before they receive the new routes, so it's not like you can just do this in real time and they'll receive the routes. Maybe they do, maybe they changed it for 7.2.0, but I highly doubt it.

And then we've got a source IP pool. Now the source IP pool is basically just the IP addresses that are going to be bound to the SSL VPN clients whenever they connect. Now think of this as a range; by default your firewall will always have this SSLVPN_TUNNEL_ADDR1, which is just a pool of 10 or so IPs, an address range to grant access for 10 IPs. Now that for me is a bit small, but if you are a very small business or it's just for your house or something then it should be fine, but I typically create a new address object and just make it a /24 as a baseline because it just works a bit better. Now you've got a few other settings you can tweak, but I'm not going to tweak any of these other settings, we'll just leave them exactly as they are. We're just going to cancel here, we won't change anything. What's nice is you can create new portals if you want to, and you can set this up per client, so this is actually more or less if you are multi-tenant, and maybe you are also working with multiple virtual domains, then you might use additional portals to separate which customer does what and what IP addresses each customer gets, etc.

All right, now let's go into the meat of it all, the SSL VPN settings. So if we go into SSL-VPN Settings, firstly you need to make sure that you enable SSL VPN. It should be enabled by default, I think, but I disabled it for the lab and we're just re-enabling it now, and it will also tell you "no SSL-VPN policies exist" if nothing exists, which means it just won't work; you need to have policies as well before anybody can connect on SSL VPN. Next up is "Listen on Interface(s)". Now what does this mean? Well, it's actually just how people can connect to this firewall. Let's say you had multiple WAN connections, let's say there was a WAN2, you could just select the WAN2, it will come into this list here, and then people can connect on either interface for SSL VPN. I'm just going to leave this as WAN1 because I've only emulated a single WAN connection here.

Now you can set the listen port. The listen port is what people will connect onto whenever they want to access the SSL VPN service. By default it is 443, which makes sense since it is SSL VPN, but you might update it to something like 10443 and then people will just use that additional port. It will even reflect here to tell you, hey, if you want to access the SSL VPN this will be the URL to get onto it, and that will also be the same URL you'll use in FortiClient to connect. But let's leave it as 443, we're not going to change this.

And now, server certificate. This is quite important because this is going to determine how valid your connection is, and it's also kind of what's making SSL VPN work: it's the SSL certificate associated with it. So by default it is set to Fortinet_Factory and I am going to leave it at this just for the demonstration. However, Fortinet is nice enough to tell you, hey, you can get a certificate on Let's Encrypt and you can import that certificate and then use that as the server certificate, or you can also purchase your own certificate on stuff like GoDaddy or Namecheap or whatever and associate that to your domain. So maybe you want to assign an A record called sslvpn.tmb.com or something, then you could have an SSL cert for that and then import that cert into your firewall and then use that as the server certificate for people to connect against.

All right, now we've got a few extra settings we can set here. What I like is "Restrict Access": you can either allow access from any host, which means anybody can connect from anywhere on the internet, or you can even limit access to specific hosts. Now what does this mean? Well, it gives you this drop-down menu where you can set exactly who can connect, so maybe you only want specific source IPs to connect, or even better, maybe you only want certain geo-locations to connect, so maybe only people from a specific country, like the country where you're based. So what you could do is add a new object; I might call this South Africa because that's where I am based, and I've already created an object for it, so I'm just going to edit this. But basically there's an object called South Africa, I set the type to Geography and then I just selected South Africa here, and now I can limit access to South Africa, so only people from South Africa would be able to connect. But I'm going to set this back to "Allow access from any host" since I am emulating this from some weird private addressing and such, so let's leave it as that.

Then we have our idle logout. Now idle logout I've seen confuse a few people, because since we've started with many people working from home, you have this "inactive for 300 seconds", which is five minutes. So let's say a user connects on SSL VPN and then they stand up and they go make themselves a coffee, and then they come back and suddenly they're disconnected, and then they're like, "Oh man, the VPN is terrible, it keeps disconnecting," and meanwhile it's just because the idle logout is set for like five minutes and then people are disconnected because they're inactive for that long. So you can either just turn off the idle logout or you can just extend that to something a bit more, but I tend to just disable that, just for my own sanity, I'd say.

And now we get to the tunnel mode client settings. Here is the address range that I mentioned earlier, but this is now globally for all SSL VPN connections. So either it is going to use this pool, or we can specify a custom IP range, so I recommend specifying a custom IP range, and then we can create our own IP range. So I'm going to base it off of the same range that is used in this, let's say, pool, so I'm going to create a new network and I'm going to name this 10.212.134.0/24. That is going to be the SSL VPN range; I will make that the entire subnet. Let's just make the name a little bit more descriptive, "SSL VPN Range", and hit OK, and now we have the new object here of 10.212.134.0/24, and I'm just going to remove the old pool as well.

And now you can also specify the DNS servers if you'd like. So "Same as client system DNS" means the client just retains their DNS servers, whereas you can also specify your own DNS so that the clients receive DNS from you. Now this is useful if you do have your own DNS environment; maybe users need to access shares that have been mapped on a name, then you can specify your DNS server in your corporation or in your environment and then people can connect to that and then also use that for DNS or name resolution. But let's just leave that as "Same as client DNS".

And the last bit I want to show is the authentication/portal mapping. Now this is how people can connect. By default when you log in here this bottom one won't even be set; I've already set this since I've already labbed this, and this has been set to web-access, but basically here is where you will be assigning groups for SSL VPN, or users even. But let's just apply the changes and let's actually create some users so that we can bring them into this mapping.

The first thing I want to do is set up a local account on the firewall and just use that for connecting. So I'm just going to create a local account, it's a local user, I'll give it the name of tmb ssl vpn and I'll give it a password. And what's nice with Fortinet, and they do recommend it, is two-factor authentication, and then you have two ways that you can connect: you can use FortiToken Cloud or FortiToken, and the token is actually like a physical... I don't know if I'm going to reference World of Warcraft, because we used to get these Battle.net token things, and it's basically going to be like a physical thing that will show a code for you to connect with, or you can use FortiToken Cloud, which will basically be linked to an app that you can install on your phone and then you can receive the code that way. But I'm not going to use the two-factor authentication this way, I'm just going to use plain, no MFA or two-factor authentication needed. So let's just go on: account status will be enabled and I'll just submit, and now we have a local account on the firewall named tmb ssl vpn, but it's not doing anything yet. So I need to actually associate this account with the SSL VPN, and to do that I can go back into my VPN, I can go into my settings, and if I scroll down I can map that account to a portal. So I'll create a new mapping, I'll say tmb ssl vpn, just this user, I'm going to map it to the full-access portal and I'll hit OK. Now you'll see it's added the user to the full-access portal. I'll apply this, and I also just want to go back to the portal, go into full-access, reason being I just want to update the source IP pool as well to the SSL VPN range that we specified.

So now that we have the settings and portals set up and also a user, we also need to set a firewall policy, otherwise we will see it will keep moaning about that. So let's add a policy to say if anybody connects over SSL VPN... so I'll just name this "SSL VPN LAN Access", and for your incoming interface you will actually see there is an SSL VPN tunnel interface, ssl.root. This is just an additional, it's a logical interface that will allow people over SSL VPN to connect, so I will just select that as the incoming interface, and then for our outgoing interface I'm going to select my LAN, my port2 connection. Now for my source I'm going to make this the SSL VPN range, but we also need to specify a group or user, so this is where you can bind access based off of a user or a group to certain resources. So here I'm going to say tmb ssl vpn. My destination I'm going to make my LAN range, so 192.168.0.0/24, and then what I can do is I can specify some services, so what I might add here is ALL_ICMP and maybe RDP. I could also make it ALL, but let's just be very granular or specific about what type of access we want to allow. So I'm going to say ICMP and RDP to the LAN network I'm going to allow for tmb ssl vpn. I'm just going to leave this as flow-based inspection, I'm going to disable NAT because we do not need to NAT the traffic, and I'm just going to leave the policy enabled. I will hit OK and now we have this new policy that's been created to allow access from that VPN account to my LAN network for ICMP and RDP. If I go back to the SSL VPN settings we'll see it's no longer complaining that there are no policies.

And now what I can do is actually connect using FortiClient. Now if you don't know how to get FortiClient, you can just Google "FortiClient" and you can just go onto the Fortinet website, and if you scroll down there's FortiClient, the one edition, but I just want to use FortiClient VPN only, because this is the one that you don't need to pay anything for; it's just for SSL VPN or IPsec VPN. So you can download this for your operating system of choice and then install it, and then you'd be able to connect on a tunnel basis using SSL VPN. So let's connect on to FortiClient. I will just open this up from my system tray and I can just click on the Configure VPN button, and now we can give the connection a name, and I can say that this is SSL VPN. You can configure this for IPsec VPN as well, but I'll make another video on how to do IPsec dial-up VPN. So let's give the connection a name, and this will be tmb-home. Remote gateway will be the address of the FortiGate that you're connecting to on its listening interface, so in my case this is 100.64.255.2. I'm not going to change the port here because it is on 443, but if you use a different port you just select "Customize port" and then you specify the port that users are connecting on. You can set this up for SSO as well, but this is more or less for SAML integration with stuff like Microsoft Azure AD; we won't be doing that in this video, I'll create another video for that as well. But we can just maybe set it to save the login, and then we can give it a username, and for me that was tmb ssl vpn. I will save this and now we have this front end we can log into, so I can type in the password and then I can click on Connect and my SSL VPN should connect. So I should receive an IP address from my FortiGate, which is 10.212.134.1, which is awesome; I can see my uptime and I can see how much traffic has actually passed over the tunnel.

So let's quickly test and see if I can access my LAN subnets that are sitting behind the firewall. So what I can do is open up Command Prompt and let's quickly see: can I ping 192.168.0.2, which is a Windows 10 VM sitting behind the firewall? And I can get to that. Now let's actually test and see if I can RDP to that, so let's open up Remote Desktop and I will connect to 192.168.0.2, click on Connect, and I'm just going to use different connection credentials here. I'll just set this as localhost and I will log in as tmb windows 10 client, which is the actual username on that machine (I should have actually made something smaller or shorter), and I'll log in with that user's credentials. I'll click on OK and I should RDP onto that VM now, and here I can see I was able to access the VM over RDP via SSL VPN. So this is awesome; so now I can securely access my servers if I wanted to, because let's say this was a server, then you can get to it over a VPN client without any hassle, without people doing weird direct NATs from the internet to a server, because that is when stuff starts to get a bit dicey.

All right, so this is just basically for a single user account, so let's change this up a bit. On the firewall we can still use local accounts; however, instead of having each user being defined on a policy, let's create a group that can be used on the policy to verify what type of access the whole group can have. So let's go back onto the firewall, and what I can do is go into my User & Authentication and then, with the user definitions, you can see that this doesn't belong to any group currently. So if I go to User Groups I can create a new group and I can just call this maybe sslvpn-local for all of the local accounts on the firewall, and then I can click on this Members button, where I can specify which members are part of this group. So I will say tmb ssl vpn is a part of this group, and now any additional members that I create I can just assign to this group, and then I can use the group for an entire policy, so instead of having to put in each user for a policy I can just reference the group so that the whole group has access, which is nice. So I'll specify the group here, and I'm just going to go into my VPN settings quickly and I'm just going to update this portal mapping, so instead of this just referencing the single user I will now reference the entire group. I'll hit OK and I'll just update my firewall policy for that as well, so that the whole group can now have access to the LAN network instead of just tmb ssl vpn. So let me edit, and this is also quite nice about FortiGate, and this is quite reminiscent of something like Check Point: you can just edit the details from this front end here, you don't need to double-click on the policy to change it, so you can just click on the Edit button and then you can change stuff like who the user is. So here I might just unselect tmb ssl vpn and I'll select sslvpn-local, and now that whole group will have access to the LAN network, and we can verify that we still have access just by running another ping. Again, I might have to disconnect and reconnect though, so let's just try that. I see my RDP is still live, so let's just disconnect, reconnect, see if that actually gives us the appropriate access. So disconnecting, and let's reconnect: tmb123, connect... "Unable to establish VPN connection. The VPN server might be unreachable." Let's just make sure I can still get to my server, 64... okay, so that's still fine. Oh, I didn't save the settings, that was really silly of me, so let's just update it again, apologies for that. Let me stop selecting everything else, and there we go. Okay, let's try again; that's probably why we couldn't connect just now, and I see the connection is going through now. So let's minimize that, and let's see, can I ping my LAN? I can. And let's see if the RDP is working; it should just reconnect, but let's just force the connection, Remote Desktop Connection... let's see if this just takes it like this. There we go, all right, that's fine. So we are still back on the client and everything still works fine; it's just that I didn't reference the group in the portal mapping, or I actually didn't click Apply, which is silly of me.

All right, so this is going to be how we just set up stuff locally on the FortiGate firewall. Let's look at integrating some LDAP. So to integrate this for LDAP, what we can do is go to our User & Authentication and we can click on LDAP Servers. Now this is where we can create an LDAP connection to our Active Directory, and I'll click on Create New. I can give it a name, so this will be tmb-ad. Server IP or name would either be the IP address or FQDN of the server; in my case this is 10.128.0.200. Server port depends on your LDAP port, which is by default 389. Your common name identifier will be cn; however, I will be updating this to sAMAccountName because that is just kind of what Windows servers use as default, so we'll make it lowercase s, sAMAccountName. Distinguished name I'm going to leave blank because we're actually going to pull this off of the server directly, and I'll show you how we can do that. But for now we can just click on Test Connectivity to see if it actually is successful, if LDAP is being allowed and not being blocked by the firewall on the remote server, perhaps. So here I can just set the bind type to Regular. Now I can type in a username, and this will be my domain account, so this might be tmbhome\ and then I'm going to use the Administrator account. However, it is definitely recommended not to just use the default admin account; you should probably create a new FortiGate account and give it stuff like domain access and then use that to authenticate with. Now our password will be whatever the Administrator account uses to log in with, and I'll test connectivity and it's still successful, so that's great.

Now how do we get the distinguished name? Well, I can just click on this Browse button and it will pick up all of these objects, the OUs and stuff, so I can just click on the top root one, click on OK, and then it fills in dc=tmbhome,dc=local, so it's tmbhome.local, which is perfect. I'll click on OK and our LDAP server has been added.

Now I can actually leverage the LDAP server to pull groups off of it. So if I go to my User Groups I can create a new group, I can call this sslvpn-ldap, and at the Remote Groups you can actually now click on Add and you can specify a remote server, which will be the LDAP server we just created. I'll click on this and then from here I can actually see all of the different types of accounts and groups and stuff that have been added. So let's create an SSL VPN group... I actually see that I already have one, so let me go on to that Windows Server, and on the Windows Server, ah perfect, I've already got everything in place already. So we've got an SSL VPN user group, and then within this SSL VPN user group we have an account. So this is just an Active Directory username that people would just use to log into the org with, and in my case this account is tmb.yt, for YouTube, but think of this just as the username. And what makes this nice is now people can use their actual credentials to log on to the SSL VPN without you having to change stuff the whole time, and they'll know what their password is, and if they need to reset stuff it's just one big place where you need to do everything now. So this is awesome. So tmb.yt, let's just make sure this is in the SSL VPN group, which it is, so we are A-OK.

Okay, now this is perfect. If I go back to my FortiGate I can actually now just... the SSL VPN, and there's the group; I can just select it, right-click it, say Add Selected, hit OK, and now we will see it will reference that group name. So now any accounts on my Active Directory that are associated with that group will be able to authenticate. So let's do the same thing as earlier: I'm just going to add that group to my settings, I'll also add it to the full-access portal, so I'll just plus this, add it to the full-access portal, click on Apply. And let's do a different thing now: what I might do is I'll create a new policy, "SSL VPN Access DMZ" I'll call this, and now this group I will allow access to the DMZ. So I'll say anything from the SSL VPN tunnel interface going to my DMZ, my source will be my SSL VPN range and my user will now be the LDAP users, my destination will be the server's IP, in this case 10.128.0.200, and the services I will allow, let's just say ALL just for demonstration purposes, and I'll turn off NAT again because we don't need to NAT the traffic, because it's kind of like from my VPN client to the actual server. So let's hit OK, and perfecto.

So let's test this out and see if this actually works. So I'll disconnect from my tmb-home connection and we will just reconnect as tmb.yt. So I'm just waiting for this to disconnect; so let's log in as tmb.yt, and my password is whatever I set the password to when I created the account on the Active Directory. I'll click on Connect; it's connecting, that's very promising, the moment you see it hit like 90 you already know the connection is pretty much there, and I've connected with my Active Directory username. This is awesome. Now let's see what my access looks like here. Let's see, can I still get to my LAN? And the LAN fails now, but it should fail because I haven't allowed access to the LAN from this group; however, I did allow access to the DMZ, which is 10.128.0.200, and let's see, can I ping that? That I can ping. So this has been configured now; we've got LDAP authentication with our SSL VPN as well.

So this is just two of the very common ways that you might see people integrate and use SSL VPN on their FortiGates, but it's really amazing to see how everything just kind of works together. So I'm going to end off the video here, because if I extend this to stuff like SAML and even more stuff that you can just add on top of it, it will be a crazy long video, but at least you now understand the basics of how to configure SSL VPN and how to set it up as local versus LDAP authentication. I hope you've enjoyed the video and I'll catch you in the next one. Bye.
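As an added example (not code from the video or from Fortinet), here is a small Python audit that parses a FortiOS configuration export and flags the settings the walkthrough touches on: the Fortinet_Factory certificate, any-host access, the disabled idle logout, an LDAP bind on plain port 389 with the Administrator account, and a local user without two-factor authentication. The config keys are FortiOS CLI keywords; the sample values, the hardened object names and the bind account name are constructed.

```python
"""Audit an exported FortiOS config for the SSL VPN, LDAP and local-user settings
the video covers.  Added example, not code from the video or Fortinet; keys are
FortiOS CLI keywords, sample values are constructed to mirror the lab."""
import shlex
# Constructed: the lab as built in the video (factory cert, any-host access,
# idle logout off, LDAP bind on 389 as Administrator, local user without 2FA).
LAB_CONFIG = r"""
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set idle-timeout 0
    set source-address "all"
end
config user ldap
    edit "tmb-ad"
        set server "10.128.0.200"
        set port 389
        set dn "dc=tmbhome,dc=local"
        set username "tmbhome\Administrator"
    next
end
config user local
    edit "tmb sslvpn"
        set two-factor disable
    next
end
"""
# Constructed hardened variant (hypothetical certificate, geo object, account).
HARDENED_CONFIG = r"""
config vpn ssl settings
    set servercert "sslvpn-letsencrypt"
    set idle-timeout 1800
    set source-address "South Africa"
end
config user ldap
    edit "tmb-ad"
        set port 636
        set secure ldaps
        set username "tmbhome\svc-fortigate-ldap"
    next
end
"""

def parse_fortios(text):
    """config/edit/set/next/end blocks -> nested dicts; 'set' values stay lists."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())   # keeps quoted names with spaces intact
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":                  # open a section, e.g. config user ldap
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "edit":                  # open a table entry, e.g. edit "tmb-ad"
            stack.append(cur)
            cur = cur.setdefault(args[0], {})
        elif kw == "set" and len(args) >= 2:
            cur[args[0]] = args[1:]
        elif kw in ("next", "end") and stack:
            cur = stack.pop()
    return root

def first(table, key, default):
    return table.get(key, [default])[0]

def audit_sslvpn(cfg):
    """Return (severity, message) findings for the settings discussed in the video."""
    out = []
    ssl = cfg.get("vpn ssl settings", {})
    if first(ssl, "servercert", "") == "Fortinet_Factory":
        out.append(("medium", "self-signed Fortinet_Factory server certificate in use"))
    if first(ssl, "source-address", "all") == "all":
        out.append(("low", "SSL VPN accepts any source address; no geo/host restriction"))
    if first(ssl, "idle-timeout", "300") == "0":
        out.append(("low", "idle logout disabled; abandoned sessions never expire"))
    for name, ldap in cfg.get("user ldap", {}).items():
        if first(ldap, "secure", "disable") == "disable":   # FortiOS: disable/starttls/ldaps
            out.append(("high", f"LDAP {name}: cleartext bind on port {first(ldap, 'port', '389')}"))
        if first(ldap, "username", "").rsplit("\\", 1)[-1].lower() == "administrator":
            out.append(("high", f"LDAP {name}: bind account is the domain Administrator"))
    for name, user in cfg.get("user local", {}).items():
        if first(user, "two-factor", "disable") == "disable":
            out.append(("medium", f"local user '{name}' has no two-factor authentication"))
    return out

if __name__ == "__main__":
    for label, text in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sslvpn(parse_fortios(text)) or "no findings")
```

Run against a real export (`show vpn ssl settings`, `show user ldap`, `show user local` pasted into one file) the same parser works unchanged; the lab config yields six findings and the hardened variant none.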
Info
Channel: The Network Berg
Views: 20,891
Keywords: #FortiClient, #FortiGate v7.2.0, #SSLVPN, #vspds, fortigate firewall tutorial, fortinet, fortinet firewall tutorial, network berg, pfsense setup
Id: 9Onm63xhgGg
Length: 30min 54sec (1854 seconds)
Published: Mon Aug 01 2022