Redington & Fortinet - FortiGate IPsec VPN: Site-to-Site & Client-to-Site Webinar Session - 1st April 2020

Good morning everyone, thank you so much for joining the session today. We have Josefa, our pcs consultant from Redington Value, who will be running you through the session. We hope we will provide you all the information required, and we have a Q&A at the end of the session to answer all your queries. Josefa, you can start the session.

Thank you for being present. So in today's session we'll have a live demo of the IPsec VPN. IPsec VPN is used in FortiGate for site-to-site and client-to-site both, so we'll be having a look at both site-to-site and client-to-site IPsec VPN. We'll go through the configuration, okay, step by step, how it can be configured, and we will see a live demo. So first we'll go through site-to-site VPN, then we'll also have a look at client-to-site VPN with two-factor authentication enabled. So we will enable two-factor authentication, we'll use FortiToken, we will see how it is used and how it is integrated or how it can be rolled out to mobile devices. So we will have a complete look and feel of the IPsec VPN client. And in the current situation VPN is, you know, a very highly required feature because of the work-from-home situation, and on top of that, to make work from home more secure, we have two-factor authentication. So we'll have a look at site-to-site and client-to-site both.

Now, site-to-site VPN. I'll give you a brief about my setup first. Okay, so site-to-site VPN is used to connect two offices, for example a head office and a branch office, or two branch offices, or basically any two sites. So a site-to-site IPsec VPN can be established between any devices: it can be FortiGate to FortiGate, it can be FortiGate to any third-party firewall or router. Okay, so IPsec is a standard protocol and it can be established with any third-party vendor. So I will just give you a brief about my setup. There are two FortiGates which will be connecting the site-to-site VPN: there is one local FortiGate and there is one remote FortiGate. So the local FortiGate's WAN IP address is... okay, and the remote FortiGate's WAN IP is 10.200.3.1. They are in separate networks. I also have two Windows machines which will be connecting the devices. So the IP address of the local Windows is 10.0.1.10 and the remote Windows is 10.0.2.10. Okay, so our aim is to connect the remote Windows to the local Windows system via IPsec VPN, site-to-site and client-to-site. Okay, so first we will see the site-to-site VPN. I will keep this information open for reference.

Okay, so now in FortiGate 6.2, here you can see the FortiGate is running on firmware 6.2. Okay, and the IPsec VPN or SSL VPN, or in general the whole VPN module, is free of cost. Okay, so if anyone says, "I want to purchase the VPN client licenses", no, we don't have them. Okay, so it is available out of the box, so there is no additional cost for VPN. If you want two-factor authentication, the only thing you have to purchase is FortiTokens. So if there are 50 users going to connect via the VPN, you will need 50 FortiTokens. Apart from that, the client-to-site VPN or the FortiClient is completely free of cost to use, so there is no additional cost to it.

So now we'll go to IPsec VPN. We'll go to VPN, IPsec Tunnels, then we'll say create a new tunnel. As soon as we say create a new tunnel it will open the IPsec VPN wizard. So through the wizard, if you are, you know, accustomed to the settings, if you have all the information readily available, what is the local subnet, what is the remote subnet, what is the pre-shared key, if you have all the details available, trust me, you can bring the VPN up in less than five minutes. Okay, so I am not going to rush through the VPN settings. I will explain to you each and everything, what it means, what you should enter in that particular field. But once you have done it a couple of times and you already have all the information available to create the IPsec VPN tunnel on FortiGate, if it is FortiGate to FortiGate it will take less than five minutes on both the
sides. Okay, so within five minutes the VPN can be up. So we'll just give a name, we'll say VPN to a remote site. Okay, and it's a site-to-site VPN. Then we'll say whether there are any NAT devices in between, or any NAT devices in front of the FortiGate. We can say this site is behind NAT or there is no NAT.

Okay, so what this option does is basically it encapsulates the IPsec protocol, or, you know, the ESP protocol that is used in IPsec, with UDP. So to go into more detail, IPsec is a bundle of protocols. Okay, it works on various protocols. One of the protocols is ESP, Encapsulating Security Payload. Okay, so ESP works on IP protocol 50. So if you know that TCP works on IP protocol 6 and UDP works on IP protocol 17, then you have port numbers, right? HTTP is 80, HTTPS is 443. So for each service there is a protocol number, either TCP or UDP, and a port number, right? But ESP, which is used in IPsec, is just a protocol number. It does not have any port, so it is simply IP protocol 50. So if there are any NAT devices in front, they don't understand this particular traffic. They will be expecting a port number for it to be translated and sent ahead. So if your firewall devices are behind a device that is doing NAT, okay, network address translation, that is translating the IP addresses, then you enable this option, that this site is behind NAT. Okay, if you give this option, the FortiGate basically encapsulates the ESP packet, that is IP protocol 50, with UDP port 4500, so that it can be understood by the NAT devices. So basically, if you just keep this enabled, you know, as a security thing also, it is fine. Okay, because it will just encapsulate the ESP packet. So even if you do it as a precautionary setting it is fine.

Then you select the remote device type, that is FortiGate and Cisco. Now many partners come back to us asking, does this VPN only support FortiGate and Cisco? No, it's incorrect. So FortiGate and
Cisco, we have ready templates available for both these devices. So it does not mean that you cannot establish the VPN with any other firewall apart from FortiGate and Cisco. Instead of using the template type, you can simply go custom. Okay, but what I suggest to partners is that even if the remote side has another firewall, for example a SonicWall or a Check Point, okay, still use the template. I will tell you why. So the template or the wizard, okay, creates not just the VPN settings, it also creates the policies and the routes. Okay, now whether you are establishing the VPN with SonicWall or Check Point or any other firewall, you will need policies, you will need routes, correct? Okay, so the wizard automatically configures all those settings. So what I suggest is you use the template, you use the wizard. Okay, once the VPN is created you can just tweak the settings as per SonicWall or as per Check Point. No need to then go fully manual, creating fully manual VPN settings, manual policies and routes.

Okay, so in this case we'll say the remote device type is FortiGate. We'll give the IP address of the remote FortiGate, so we'll say, to connect to the remote FortiGate, the WAN IP of this is 10.200.3.1. It automatically detected that 10.200.3.1 is reachable via port 1, which is my WAN interface. Okay, so port 1 is my WAN interface. So I will just give a random pre-shared key. I'll give it as fortinet, okay, fortinet123. My local interface: so after creating the VPN, what is the remote site going to access? It is going to access my local subnet or my server subnet, so whichever interface is connected to that, you select that. It automatically detected that the local subnet is 10.0.1.0, which is my local Windows. Okay, so this is what we are trying to make accessible via both the sides. And the remote subnet: so for the remote subnet we have to mention 10.0.2.0, so the remote office or
the branch office's subnet. Okay, so you have to mention what is my subnet which is going to be accessible over the VPN, and what is the remote subnet which is going to be accessible over the VPN. Do you also want internet access over the VPN? I say no, we will use our local WAN. I don't want the internet traffic to go over the VPN. So we will just say create.

Now when you say create and see the objects that it has created, we'll just go through all of them. See, here it has created an object, VPN to remote local subnet. It has created an object, VPN to remote remote subnet. The wizard has also added these particular addresses in the groups. Okay, so if you have multiple subnets you can also use them as groups. Then it has created a policy. It has created two policies for two-way traffic, or traffic initiating from both the ends, from my subnet and from the remote subnet if there is any traffic initiated. So a two-way policy. So you can see a policy has been created from port 3 to VPN, or you can say local LAN to VPN, and VPN to local LAN. So you can see it's a two-way policy with all the settings enabled. Plus it has also created a static route. Okay, so it has created a static route and a blackhole route. Blackhole route means apart from the mentioned subnet, nothing else should be passing through this VPN. So we have mentioned that apart from this particular subnet, which is 10.0.2.0, nothing else should go via the VPN. Okay, so everything is created automatically. So here you don't have to do anything. The only thing is, just use the wizard. Apart from that, all settings are configured by the wizard. So if you see, just three screens, just a couple of pieces of information, and you are done on your end.

Now we'll move on to the second side. But before that I just want to show, from our local Windows we are just going to ping the remote Windows machine. So we can see that from the local Windows the remote Windows system is not yet reachable. So now we'll
go to the remote FortiGate. We'll configure the VPN on the other side. So again we'll go to IPsec Tunnels, say create new. It goes to the IPsec wizard. We'll say VPN to local, site-to-site. We will just say the site is behind NAT, it will not make much of a difference. And then we'll say FortiGate. Here, remote IP address: so here we are asked the IP address of the remote site, the WAN IP address. So here we'll give the WAN IP address of the local FortiGate, which is the remote FortiGate for this particular firewall, and it automatically detected the WAN interface through which it is connected. Pre-shared key: we'll give the same pre-shared key. And our local subnet: so on the remote side the LAN interface is on port 6. You can see the port 6 IP address, 10.0.2.254, which is the gateway for the remote Windows, 10.0.2.10. So we'll say the local interface, and what should be accessible by the remote side. And the remote subnet: what subnet do this FortiGate or the users on this side want to access? So it will be 10.0.1.0/24. And same, we'll just say create.

Okay, now the VPN is created on both the sides. So we have a VPN monitor. So here, if you can see, we have an IPsec VPN monitor. So you can go here, you can bring the tunnel up. If there is any traffic it should automatically come up in a couple of minutes or a couple of seconds, but if you want to bring the VPN up manually you can do the same thing. You can do it manually also. And just verify the settings again. And we will go to the remote FortiGate, we'll go to the remote Windows. Okay, so we are able to ping from the remote Windows. We will just see. Okay, .10 is correct. So you can see that the traffic is coming up, and from the IPsec monitor we can see the data is being transferred. Okay, just try mstsc. Okay, so you can see that I'm able to communicate through the VPN to the other side. We'll just
check the settings, just a minute. Okay, we'll allow remote desktop. So here we'll try again. The remote Windows had its firewall up, so we'll just confirm once again. Okay, so the VPN is up and working fine. We'll also try mstsc again. See, it's working. So the only thing was the firewall was up and the remote desktop was not on, on the remote side. So once it's done it is, you know, working fine.

As I mentioned, you can monitor the VPN, you can bring it up and down. Okay, you can bring down the VPN from here, but IPsec VPN usually keeps auto keepalive on, so after a certain time it will be up again. So here we can see now, as soon as the VPN was down, we get a request timeout. And as I mentioned, IPsec VPN uses keepalive, so after a certain time it automatically brings up the VPN. You can see it here. Okay, so if the VPN is down the connection will break.

So now we will test two-factor authentication and client-to-site VPN. If you have any queries regarding site-to-site VPN, we will take them up in the Q&A session, so just let us know if you have any queries. Now the next part, we move on to client-to-site VPN. But before that I will just remove the settings so that they do not interfere with the configuration of client-to-site, because both VPNs will be connecting the remote Windows to the local Windows. So just to make sure, we are removing the configuration so that the VPN goes down. So we are just removing the configuration from both sides. What we need to do to remove the configuration is: we need to delete the VPN policies, we need to delete the routes, then we can delete the VPN tunnel. Okay, so we will do the same thing on the remote side and on the local FortiGate also. So we'll delete the policies, we'll delete the routes, okay, and then we'll delete the VPN. Okay, so now we'll try this once again. So we'll try it from the remote Windows. We will go to the
remote Windows system from here. Now we'll try whether we are able to connect after the VPN is deleted. Can we connect, or can we reach the local Windows? No, right? So our VPN is deleted completely. Now there is no reachability between the remote FortiGate or the remote Windows and the local Windows. So now we will try to establish the connectivity using client-to-site VPN.

So again, now if you want to create a client-to-site VPN, we just have to create it on the local FortiGate. Okay, so again we will just go back to the local FortiGate. We'll say create a new IPsec tunnel, and then here we say remote access. Instead of saying site-to-site we are selecting remote access, and we are saying remote mode VPN. Okay, it is client-based, and whether you are using a native client for iOS, Android, Windows, or you are using FortiClient or the Cisco client. So here I will say client-based, FortiClient. Again, IPsec is an industry standard so it can work with any VPN client, okay, whereas SSL VPN is vendor-specific, so it might happen that an SSL VPN client cannot connect to another vendor's firewall. So in that case it has to be compatible. But with IPsec you can use the Cisco client to connect to FortiGate IPsec VPN, it shouldn't be an issue.

Next we will select the incoming interface. So VPN policies are incoming policies, right, from WAN to LAN. So we will select our incoming interface as our WAN interface, which is port 1. Again, pre-shared key: we'll mention the same pre-shared key, fortinet123. And we'll select the user group. Okay, we will say create new user group, VPN users. Okay, we will add a member. I have already created a user, user1. Okay, so we will say add. So this is created. We'll just select VPN users here. So in the first settings, if you see, in the initial settings you just have to type a name and select the template type, whether site-to-site or client-to-site, or remote access. So it has multiple names. It can be called remote access VPN, it can be called
dial-up VPN, it can also be called client-to-site VPN. So all are basically the same. Then here you select your WAN interface, you mention a pre-shared key, and you mention the VPN users, okay, which user group is allowed to access this particular VPN. We say next. Then, once the VPN is connected, what should the remote user access? We will say he will access our LAN interface and our LAN subnet, which is, say, local subnet 1, which is 10.0.1.0. So we'll say the remote client, when he connects, will access our local subnet, that is 10.0.1.10.

Okay, client IP address range. So this is very important. The client IP range is the range, or the IP address, that the client will get. So in a typical scenario client-to-site VPN will work for users who are working from home or who are traveling, right? So they will be connecting using their own WAN. So what the FortiGate will be seeing is a WAN IP address, okay, and the client IP address keeps on changing, right? Every time you connect you might have a new public IP, so it keeps on changing. So the client can reach the server but the server cannot reach the client. Okay, if the server initiates a communication to the client, he will not be reachable because the IPs change again and again. So what we are doing is, when the VPN is connected, we are saying please assign this particular IP address to the client. So we just have to give a range. So this range I can give is 10.0.10.10 to 10.0.10... okay, so this is my client range. Or better, I can go towards a different subnet, 192.168.1.10 to 192.168.1.50. So this will give me a total range of approximately forty clients. Okay, so forty users can connect. So if there are more users connecting you can increase the range, 190 users can connect, and so on. And when the system connects, what DNS settings should it get, whether it should use its own system DNS or whether you want to
specify. I say please assign him this particular DNS. Okay, enable split tunneling, and I'll say allow endpoint registration: disabled. So we don't need the FortiClient to register with the FortiGate. Okay, so it is for a different purpose, compliance sharing and telemetry. So people enable this and the FortiClient gets registered. In older firmware, 6.0 and before, FortiGate and FortiClient used to integrate together for compliance and telemetry sharing, so by default FortiGate had 10 licenses for it. Now in 6.2 it is completely removed. Okay, it usually integrates with the EMS. So when the endpoint registration was enabled, the FortiClients used to get registered with the FortiGate, and the compliance and telemetry licenses used to get full. The free licenses which we get are 10, so partners and customers used to think that for VPN they have only 10 licenses, which is not the case. This is for a totally different purpose. So if you are just using the FortiClient for VPN and you are not enabling endpoint registration, you can use it till the box reaches its capacity, or till the FortiGate reaches its capacity.

Okay, now split tunneling is a very, very useful feature. So if you don't want the client to even send his internet traffic over the tunnel, so whatever he is doing, like Facebook or YouTube, he will have his own internet connection. He will connect the client, and that tunnel, or the IPsec tunnel which is established, will only be used for corporate traffic or for private traffic. Public traffic, whatever he is doing, Facebook, YouTube, will not go inside the IPsec tunnel. Only the corporate traffic which is destined to your address which is mentioned here will be sent to the tunnel, otherwise it will not. Okay, so if you disable split tunneling, it means, as the name suggests, the tunnel will not be split. That means all traffic, whatever traffic is being generated from your laptop
or from your client, everything will be sent over the tunnel, even internet traffic. So if you disable split tunneling on your FortiGate you will have to create a policy from VPN to WAN, because now the WAN traffic or the internet traffic will also come to you, so you need a particular policy to allow that particular traffic. So there should be a policy not just from VPN to local network, there should also be a policy from VPN to WAN to allow the traffic. But this particular setting is usually kept enabled. So your IPsec tunnel is a secured channel, so only send the corporate traffic or private traffic over the tunnel.

We'll say next. What options do you want the client to have: save password, or auto connect, or always up, keepalive? So we'll just say create. Okay, so as we see, it has created all the VPN settings that are needed for us. Okay, it has created a policy from remote VPN to port 3. This is the remote VPN range. The route is dynamic in this case, so there will be no route, but when the VPN connects the FortiGate automatically adds a dynamic route. So we will see that also. So now the VPN wizard part is over on this particular FortiGate. So we can see the VPN tunnel, the VPN dial-up tunnel, is created. It is inactive because the client has to initiate, so the client has to connect to the server.

But before that we'll enable two-factor authentication for our client. So by default, whichever FortiGate you buy, even if it's a VM or hardware-based, you get two mobile tokens free. Okay, you get two mobile tokens free of cost to test, so if you want to test it out you can do it. So as we see, we have two tokens available. So what we'll do, we'll go to user, user1, we'll say enable two-factor authentication, authentication type FortiToken, and then we'll just assign a token out of the two which are enabled. So if your FortiGate is integrated with an SMTP server or there is an SMS gateway, you can also send out the activation code for the FortiToken over email or SMS. So as you can see, you can add additional information under the user. You can add the email address and also you can add the phone number. Okay, so if you have integration with email and SMS you can send out the activation code needed on the FortiToken on the client side. Okay, so you can send it out directly, or you can just go to the CLI and say config user fortitoken, show full-configuration, and you will see the activation code. The activation code is only visible from the CLI. So we have used this token, which is six nine one two eight, so here is the activation code. Now I will just copy-paste this. Okay, so this is the token, and I'll go back to my PC.

Okay, this is my laptop and I have my mobile screen which is displayed here. Okay, so you can see that I have downloaded the FortiToken Mobile app. So I will just go here, and you can scan a barcode or you can enter manually. So I will say enter manually, I want to enter the activation code manually. So this is the FortiClient app, as you can see, so nothing has been configured on the FortiToken Mobile app as of now. So we will say enter manually, we'll select what the token type is, it is Fortinet, we'll enter the user name and the code. Okay, this is the activation code, I will put it here: e e IP q q y n H 3k i vn6. Okay, this is the activation token. So okay, the token is active now. Okay, so I think it's for a security reason: I can see the token on my screen, okay, but the screen is not visible here. Due to security reasons it is not mirrored. Okay, so I will just minimize the token. So here you can see, as soon as I click here the token is visible, but it is there on my mobile screen, so it is fine. So it is just displaying six digits. Okay, so the whole point of showing this was the activation method. So it is pretty straightforward, the activation is pretty simple: you just enter the activation code of your token, then say finish, and then you will
see a six-digit code on the screen. So I will also type the code just to verify with you. So now we are done with the FortiToken assignment, we are done with the FortiGate configuration for the IPsec VPN.

Now we'll go to the remote Windows and we will configure the FortiClient for IPsec VPN. So we'll say remote access, we will say add a new connection. So you select IPsec VPN. We'll say remote VPN, whatever name we want to put we can put. Remote gateway: so we know the remote gateway is 10.200.1.1, which is the IP address, and then our pre-shared key, fortinet123. And for authentication we'll say XAuth, prompt on login. All the default settings should be fine because we are using the template. So that's it, the VPN is configured. Now we'll try to access. So the user is user1, the password... connect. Okay, so yeah, you can see when the username and password are correct it asks to enter the FortiToken code. So just for your reference I am writing down the six-digit code that is being displayed on my phone, so I'll just mention it here. This code will expire in one minute, okay, as you can see here. So as soon as the code was entered the VPN got connected.

So we'll just disconnect. Okay, we'll say connect. Now the token has changed to 150314. Now it'll again ask for a token. Okay, we'll enter some random numbers, incorrect numbers, and then we will see what happens. It does not accept. So as soon as we enter the right token the VPN gets established and connected. And now the main thing is to verify the connectivity between the remote Windows and the local Windows. But before that we will see what IP address this particular client has received. Okay, this is the client's main IP, the LAN IP, and here you can see this particular IP address, 192.168.1.10. So this has been received from the VPN tunnel. Okay, this is the IP address that we set in the client range, 192.168.1.10 to one
dot hundred. Also open mstsc, 10.0.1.10, connect. Okay, connected. Everything is reachable. Now our work is done. We'll just say disconnect. We'll disconnect the VPN and you can see the ping stopped. Okay, so this is it, guys. And what more, if we want to test it again, so just a couple of minutes more, then we'll go to the Q&A session. So the VPN is established and we can see the ping is up again. So from here, from the FortiGate, you can see the VPN monitor. You can see the IPsec VPN monitor and you can see the dial-up connection, which is up. Okay, you can also see the routing monitor. You can see there is a route pattern for this particular IP address. So this route is automatically added in the case of dial-up VPN connections. So automatically, you can see the network is 192.168.1.10. This is the IP address that was received by the client. Now if we don't want this client to continue access, we can just bring down the VPN, or we can terminate the session. So we can see what happens: the ping stopped because the VPN got terminated.

Okay, so that's it, guys, for the demo. So you saw how easy it is to configure IPsec, whether it is site-to-site or client-to-site. We also saw the FortiClient token, how to assign it on the mobile device. So any queries, let me know. Do we have any queries?

Josefa, I think there's a question on the Q&A chat, can you look at it?

Yeah, yeah, okay. So Bindiya, one of the queries is: can we get the recording of this session? So we'll be able to pass all this recording, not the new section, to published. Okay, publish section, okay.

So the first question is: can you let me know, for dial-up VPN, the maximum number of users that can connect at a time? The device is a 50E. So, you know, we have data sheets available for each and every model. Okay, so you can just refer to the data sheet. I'll just, you know, share the product matrix, which will be more useful. So if you can
see the screen, here you can see, for the 50E, the question was for the 50E, so here you can see maximum client-to-gateway IPsec tunnels, it is 250, and concurrent SSL VPN users, recommended users are 200. Okay, so here we can see that we have a limit on the number of users, but usually the limit is so huge that it is very difficult to reach that many users. So for example, if you have 250 users you are not going to use a 50E, probably you are going to use a bigger device, 100 or 200 series. And if you see, for the 100 or 200 series, IPsec VPN tunnels, it is sixteen thousand and ten thousand respectively, and concurrent SSL VPN connections, five hundred. Okay, so five hundred also is good enough. So for SSL VPN users, you know, on the client side there is not much configuration, so people prefer SSL VPN, but IPsec VPN gives you more throughput and the number of concurrent users is also more. So now we will move on to the next question. So just refer to the data sheet.

Okay, what is the difference between site-to-site and hub-and-spoke? There is no difference between site-to-site and hub-and-spoke. So hub-and-spoke is a topology of connection. In hub-and-spoke there is one central head office and there are multiple branch offices. Okay, so each branch office establishes a site-to-site connection with the headquarters. There is no site-to-site VPN connection, or there is no VPN, between branch offices. So if they want to communicate from branch to branch they have to go via the hub or the HQ. So hub-and-spoke is a topology. Hub-and-spoke is multiple site-to-site VPNs from branch to HQ.

So moving on to the next question: how can I restrict access for remote client VPN to office laptops only and not from any home PCs? Also, can you please let us know how FortiTelemetry integrates with remote VPN connectivity and does the compliance checking? Okay, so if you want to use this particular feature I would suggest you use SSL VPN in this case. So SSL VPN has a lot
of host check mechanisms. It can check whether FortiClient is running or not on that system. So it has a host checker for antivirus, so not just FortiClient, it can check for any other third-party antivirus also. If you want to make sure that they only connect from the office laptops and home laptops, then in SSL VPN you can also mention a MAC address whitelist. So you can just take any MAC address from that office laptop and put it in the whitelist. So only if the laptop using FortiClient to connect has that particular MAC address will he be able to connect. If any other laptop tries, it will not authenticate, it will say host check failed. Even if the user puts in all the right settings and enters the right credentials, still the VPN will not be established if the MAC address does not match. So if you want to do hardening of the VPN, or hardening of, you know, the client, then better is to use SSL VPN, because it has the MAC address whitelist and also the host check mechanism.

Can we use DynDNS as the remote gateway? Yes, we can use DynDNS. So instead of an IP address, when you're configuring client-to-site or FortiGate site-to-site, you can use dynamic DNS. So there is no hard and fast rule that you have to use an IP address. You can use dynamic DNS, yes.

Can we provide any IP range, or the same as the local LAN range? So you can provide any IP range. You can use any IP range of your choice for VPN, there are no limitations in that. But usually when you are using VPNs, whether it's client-to-site or site-to-site, it is better that all sites have different IP address ranges. Okay, so avoid overlapping IP subnets.

We'll take a couple more questions. So when there are three client-to-site connections connected and active, can client one access client three? You can make it accessible. Okay, you can make it accessible, but I would prefer, again, SSL VPN for that. Okay, in IPsec you can see the route is only available for that particular subnet.

On which basis should I go
with IPSec and not the SSL VPN, because mostly for client to site SSL is preferable? So as I earlier mentioned, for a client to site you can use any VPN, whether IPSec or SSL, so it is totally your choice. In cases where you have to go with IPSec VPN is you are using a native client, okay, or you are using any other VPN client apart from FortiClient, and then SSL might have some compatibility issues, because SSL VPN is vendor specific; IPSec VPN is an industry standard. So in cases where you are not able to use the native VPN or you are not able to use the FortiClient, you can go with SSL or IPSec, sorry, SSL is of course preferable because SSL is slower, okay. SSL is slower than IPSec. IPSec cryptography, or IPSec encryption, is much more faster; that is why it gives more throughput. But why people prefer SSL VPN is because of its simplicity, because of its, you know, less user interference. So there is not much configuration required on the client side. So I think Vindhya can confirm, we are also having a session on SSL VPN configuration with two-factor authentication, so if you want more information about SSL VPN you can join that session also.

Yes, definitely. We will be sending all of them an invite with all the series of webinars we'll be hosting throughout the month, so once you have the invite you can register for any session you would like to attend.

Okay, so I think we can take a couple of more questions very quickly. So, how to add a restriction to every user? This is, I'm not sure what this clearly means; this question is not clear.

What are troubleshooting commands for site-to-site VPN? So troubleshooting commands, there are a couple of commands. So one is diag sniffer packet. So you can use that command, diag sniffer packet, and there are some additional fields: the interface, the filters and everything. So diag sniffer packet is very useful to see the flow, whether the traffic is moving to the IPSec interface or not. If you have issues with connecting the IPSec VPN, then there is a command
diag debug application ike -1. So diag debug, diag space debug space application space ike space -1, and then enter, and then enable the debug by diag debug enable, okay. So that will give you each and every step that the FortiGate is carrying out to establish the VPN. So if there are any issues in between, it will tell you where exactly is the issue.

What is the difference between site-to-site VPN and SD-WAN? This is a totally different topic and it will take a lot of time to explain.

So the last question is: can we configure hub-and-spoke through dynamic DNS? Yes, we can configure hub-and-spoke through dynamic DNS. So the hub site can have dynamic DNS, the branch site can have static IP, or vice versa, or both sites can have dynamic DNS; it is completely fine, okay. We can establish a VPN even from FortiGate to FortiGate if one side does not have any public IP, leave aside dynamic DNS: it is behind a market, it is behind a router or a modem, and the WAN IP of FortiGate is a private IP connecting to the modem. So in that case also we can create a dial-up VPN from FortiGate to FortiGate. So there are a lot of options, there is a lot of flexibility. So if you are talking about any particular architecture, whether it will be achieved or not, the answer is yes. So most, you can say all, of the topologies, all of the architecture, can be achieved through SD-WAN and through VPNs.

So I think we have taken a lot of questions. So, how to restrict a user from accessing all the subnet? So this is very, very straightforward. So in the policy you mentioned the whole local subnet range. So instead of that, you can make the destination very, very restrictive. You can just say 10.0.1.10, and only accessible via HTTP or RDP or so. You can restrict the access, you know, to one single IP, to one single port also, so it can go to that particular granular level. So you just have to edit the policy: instead of using the whole subnet, you just use a specific IP and a specific port in the policy. That's it.

So guys, I think we have addressed a lot of queries, and I hope, you know, now the IPSec VPN part in general is clear. So you can reach out to your customers and start, you know, selling VPN gateways as FortiGate. You can also, you know, start to advertise the FortiToken, the two-factor authentication mechanism. You saw how easily it can be integrated, how easily it works; it hardly takes a minute to set up. Okay, so guys, thanks a lot for your time. So we will be hoping to see you in the other sessions as well. So we are carrying out a host of sessions, not just for Fortinet, for many other different products, over, you know, over the next couple of weeks. So I would request you, you know, to join for other sessions as well, because we have demos, live demos, for various other products. So whatever products we are interested in, you can pitch in. So thanks a lot guys, thank you for your time. We will be reaching out to you via emails and everything, so if you have any queries you can also reach me out on emails. Okay, so thanks a lot guys, thanks a lot for your time.

thank you for surfer, thanks for all your time, and thank you everyone for joining, making time for us. And, you know, we hope we have delivered everything that you guys were looking for and answered all your questions. We will also be sending out a recording of the session to your email, along with the contact details, so that y'all can write back to us in case you have any more queries. Also, we have numerous webinar sessions lined up throughout the month. Please look forward to invites from our end, and y'all can register to any session that you want to attend. Thank you again, and hope all of you have a great day ahead.
Info
Channel: Redington Value Distribution
Views: 4,722
Keywords: Redington, Value
Id: LQKBtIlAjNo
Length: 64min 20sec (3860 seconds)
Published: Thu Apr 02 2020