beautypg.com

Session failover support, Ssl vpn modes of operation, Web-only mode – Fortinet FORTIOS V3.0 MR7 User Manual

Page 15

background image

Configuring a FortiGate SSL VPN

SSL VPN modes of operation

FortiOS v3.0 MR7 SSL VPN User Guide
01-30007-0348-20080718

15

SSL VPNs provide secure access to certain applications. Web-only mode
provides remote users with access to server applications from any thin client
computer equipped with a web browser. Tunnel-mode provides remote users with
the ability to connect to the internal network from laptop computers as well as
airport kiosks, Internet cafes, and hotels. Access to SSL VPN applications is
controlled through user groups.

Session failover support

In a FortiGate high availability (HA) cluster with session pickup enabled, session
failover is supported for IPSec VPN tunnels. After an HA failover, IPSec VPN
tunnel sessions will continue with no loss of data.

Session failover is not supported by SSL VPN tunnels, however cookie failover is
supported for communication between the SSL VPN client and the FortiGate unit.
This means that after a failover, the SSL VPN client can re-establish the SSL VPN
session without having to authenticate again. However, all sessions inside the
SSL VPN tunnel with resources behind the FortiGate unit will stop, and will
therefore have to be restarted.

SSL VPN modes of operation

When a remote client connects to the FortiGate unit, the FortiGate unit
authenticates the user based on user name, password, and authentication
domain. A successful login determines the access rights of remote users
according to user group. The user group settings specify whether the connection
will operate in web-only mode (see

“Web-only mode” on page 15

) or tunnel mode

(see

“Tunnel mode” on page 17

).

You can enable a client integrity checker to scan the remote client. The integrity
checker probes the remote client computer to verify that it is “safe” before access
is granted. Security attributes recorded on the client computer (for example, in the
Windows registry, in specific files, or held in memory due to running processes)
are examined and uploaded to the FortiGate unit.

You can enable a cache cleaner to remove any sensitive data that would
otherwise remain on the remote computer after the session ends. For example, all
cache entries, browser history, cookies, encrypted information related to user
authentication, and any temporary data generated during the session are
removed from the remote computer. If the client’s browser cannot install and run
the cache cleaner, the user is not allowed to access the SSL-VPN portal.

Web-only mode

Web-only mode provides remote users with a fast and efficient way to access
server applications from any thin client computer equipped with a web browser.
Web-only mode offers true clientless network access using any web browser that
has built-in SSL encryption and the Sun Java runtime environment.

Support for SSL VPN web-only mode is built into the FortiOS operating system.
The feature comprises an SSL daemon running on the FortiGate unit, and a web
portal, which provides users with access to network services and resources
including HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP and SSH.