Fortinet FORTIOS V3.0 MR7 Network Router User Manual
FortiOS v3.0 MR7 SSL VPN User Guide
16 01-30007-0348-20080718
SSL VPN modes of operation Configuring a FortiGate SSL VPN
In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and
authenticates remote users as members of a user group. After successful
authentication, the FortiGate unit redirects the web browser to the web portal
home page and the user can access the server applications behind the FortiGate
unit.
Configuring the FortiGate unit involves selecting web-only-mode access in the
user group settings and enabling the feature through SSL VPN configuration
settings. The user group settings determine which server applications can be
accessed. SSL encryption is used to ensure traffic confidentiality.
Web-only mode client requirements
The remote client computer must be equipped with the following software:
• Microsoft Windows 2000/XP/2003/Vista, Linux, MacOS X, or UNIX operating system
• Microsoft Internet Explorer 6.0 (or later), Netscape Navigator 7.0 (or later), Mozilla Foundation/Firefox 1.5 (or later), or Apple Safari 1.3 (or later)
• If Telnet or RDP are used, Sun Java runtime environment 1.4 (or later), with Java applet access, JavaScript access, and cookie acceptance enabled
Tunnel mode
Tunnel mode offers remote users the freedom to connect to the internal network
using the traditional means of web-based access from laptop computers, as well
as from airport kiosks, hotel business centers, and Internet cafés. If the
applications on the client computers used by your user community vary greatly,
you can deploy a dedicated SSL VPN client to any remote client through its web
browser. The SSL VPN client encrypts all traffic from the remote client computer
and sends it to the FortiGate unit through an SSL VPN tunnel over the HTTPS link
between the web browser and the FortiGate unit. Also available is split tunneling,
which ensures that only the traffic for the private network is sent to the SSL VPN
gateway. Internet traffic is sent through the usual unencrypted route. This
conserves bandwidth and alleviates bottlenecks.
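The routing decision that split tunneling makes, as an added illustration that is not part of the guide: with constructed flow records and assumed private network prefixes, it shows which traffic the gateway carries (and can inspect) under a full tunnel versus a split tunnel.

```python
import ipaddress

# Constructed flow records (destination, bytes) from a remote client.
# These are assumed sample values, not data from the guide.
SAMPLE_FLOWS = [
    ("10.20.30.40", 5_000),      # file server on the private network
    ("192.168.10.5", 2_000),     # intranet web server
    ("93.184.216.34", 80_000),   # public web site
    ("2001:db8::10", 1_000),     # public IPv6 host
]

# Assumed private networks the gateway pushes to the client (constructed).
PRIVATE_NETWORKS = ["10.0.0.0/8", "192.168.10.0/24"]


def tunnel_bound(dst, private_networks, split_tunnel=True):
    """Decide whether traffic to dst is carried inside the SSL VPN tunnel.

    Full tunnel: every destination is sent to the FortiGate gateway.
    Split tunnel: only destinations inside a pushed private network are;
    everything else takes the client's usual, unencrypted route.
    """
    addr = ipaddress.ip_address(dst)
    if not split_tunnel:
        return True
    # An address of the other IP version never matches a network, so IPv6
    # traffic goes direct when only IPv4 private networks are pushed.
    return any(addr in ipaddress.ip_network(n) for n in private_networks)


def gateway_load(flows, private_networks, split_tunnel=True):
    """Return (bytes the gateway carries, destinations it never sees)."""
    carried = 0
    bypassed = []
    for dst, nbytes in flows:
        if tunnel_bound(dst, private_networks, split_tunnel):
            carried += nbytes
        else:
            bypassed.append(dst)
    return carried, bypassed


if __name__ == "__main__":
    print("full tunnel :", gateway_load(SAMPLE_FLOWS, PRIVATE_NETWORKS, False))
    print("split tunnel:", gateway_load(SAMPLE_FLOWS, PRIVATE_NETWORKS, True))
```

The bypassed list is the traffic that never reaches the gateway's protection, which is the trade-off behind the bandwidth saving.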
In tunnel mode, remote clients connect to the FortiGate unit and the web portal login
page using Microsoft Internet Explorer, Mozilla Foundation/Firefox, MacOS, or
Linux. The FortiGate unit acts as a secure HTTP/HTTPS gateway and
authenticates remote users as members of a user group. After successful
authentication, the FortiGate unit redirects the web browser to the web portal
home page. The user can then download the SSL VPN client (an ActiveX or Java
plugin) and install it using controls provided through the web portal. SSL VPN
tunnel mode can also be initiated from a standalone application on
Windows, MacOS, and Unix.
Note: Web browsers offer different SSL security capabilities. The FortiGate unit offers an
SSL version 2 option through the CLI if required to support older browsers. In addition, the
FortiGate unit supports a range of cipher suites for negotiating SSL communications with a
variety of web browsers. The web browser must at least support a 64-bit cipher length.