A small initiative to help users configure and manage servers, networks, etc. If the tips are helpful to you, please comment. Thanks. System Admin, TIST Cochin
30.11.10
Configuring SSL VPN for secure web-based access to the internal network
Description: Setting up FortiGate SSL VPN to provide secure web-based access to an internal network.
Components: All FortiGate units, FortiOS 3.0.
Steps or Commands:
SSL VPN is a secure remote access solution that requires very little configuration on the client end. There are two modes for SSL VPN.
· Web Mode provides remote users with a secure web portal through which they can access only specific resources on the internal network behind the FortiGate unit. These resources can be network shares, HTTP or HTTPS web servers, FTP servers, or even Remote Desktop and VNC sessions.
· Tunnel Mode goes a step further and assigns each remote user a private IP address. With this address, remote users have direct access to resources on the internal network behind the FortiGate unit instead of going through the portal provided by Web Mode.
Remote users (also called clients) require the following:
· Windows 2000, XP, 2003 or Vista (currently, Vista supports Web Mode only)
· Internet Explorer 6.0 (or later), or Mozilla Firefox 1.2 (or later).
To configure the SSL VPN service using the web-based manager
1. Go to VPN > SSL.
2. Select Enable SSL-VPN.
3. Configure Tunnel IP Range with a range of IP addresses to be assigned to Tunnel Mode connections. Choose a range of private addresses that is reserved for SSL VPN users and is not in use anywhere on your internal network; an overlapping range breaks routing both for the tunnel clients and for the internal hosts they collide with.
4. Under Advanced, define any internal DNS or WINS servers present on your network so that remotely connected users can resolve internal names.
5. Select OK.
To configure an SSL VPN user group
1. Go to User > Local.
2. Select Create New.
3. Enter a user name and password for the new local user account.
4. Select OK.
5. Go to User > Group.
6. Select Create New.
7. Enter a name for the new user group (for example, SSL_VPN_Access).
8. Set Type to SSL VPN.
9. Select the local user you just added in the list on the left and select the right arrow to add that user to the group. Repeat this to add more local users to the SSL_VPN_Access group.
10. Select the blue arrow next to SSL-VPN User Group Options.
11. Select Enable SSL VPN Tunnel Service, Enable Web Application, HTTP/HTTPS Proxy, Telnet, VNC, FTP, SMB/CIFS and RDP. These options control the services SSL VPN users can reach. Enable only what your users actually need: every service left on here is reachable by anyone holding a valid account in the group, so Telnet and FTP in particular should stay off unless there is a concrete requirement for them.
12. Leave Host check disabled for now. For a description of this feature and how to use it, see the FortiGate SSL VPN User Guide.
13. Select OK.
Note: To control access to your SSL VPN, users must log in with a username and password defined in the FortiGate unit's User configuration. This example adds local users to the FortiGate configuration; you can also configure SSL VPN to authenticate against your LDAP or RADIUS servers.
To add an SSL VPN firewall policy
1. Go to Firewall > Policy.
2. Select Create New.
3. Set Source Interface to the interface that connects the FortiGate unit to the Internet (usually external or WAN1).
4. Set Source Address to all.
5. Set Destination Interface to the interface connected to your internal network.
6. Set Destination Address to all. This gives authenticated tunnel users reachability to everything on the internal interface; once the basic setup works, narrow it to address objects for the servers they actually need.
7. Set Action to SSL-VPN.
8. Select the user group you just created in the list on the left and select the right arrow to add it to the policy.
9. Select OK.
With this configuration, users can reach the FortiGate SSL VPN login page from outside your internal network (from the Internet). To access it, users start a web browser and browse to the FortiGate unit's public IP address, specifying the SSL VPN port in the address field. For example, if the public IP address of your FortiGate unit is 210.55.55.1, users browse to https://210.55.55.1:10443. Once connected, the user must log in; the credentials supplied must match a user in the group defined above.
After a successful login, the FortiGate Web Mode portal appears. Users can define bookmarks for access to an internal FTP server or web server, or remotely control a PC on the network using Remote Desktop or VNC where available.
Note: As of Maintenance Release 5 (MR5), a new GUI option lets administrators configure predefined bookmarks for SSL VPN Web Mode access. Go to VPN > SSL > Bookmarks.
To initiate Tunnel Mode, the user selects the Activate SSL VPN Tunnel Mode link at the top of the portal page. On first use, the user may be required to install either an ActiveX (Internet Explorer) or Java (Firefox) component. This installs a new dial-up network connection on the user's PC that carries this user's traffic to your internal network. Once Tunnel Mode is established, the status window on the page shows the duration of the connection. The user can minimize the browser window and work as though connected directly to the internal network.
Note: At this point users either need to know the IP addresses of internal servers, or the DNS and WINS servers you defined under Advanced must resolve the internal host names (DNS) or NetBIOS names (WINS) of those servers.
To close the connection, the user can either select Disconnect in the open web browser or close the browser.
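Added example (Python, not from the post and not Fortinet code): step 3 of the SSL VPN service setup says the Tunnel IP Range must be private and must not be in use on the internal network. The function below turns that into a check you can run before typing the range into VPN > SSL; it takes the first/last pair exactly as the GUI asks for it plus the CIDR blocks routed behind the unit, and reports every block that is outside RFC 1918 or collides with an internal subnet. The subnets and candidate ranges under `__main__` are constructed sample data.

```python
"""Check a proposed SSL VPN Tunnel IP Range before entering it under VPN > SSL.

Added example; it is not from the original post and not Fortinet code. The
internal subnets in the usage section are constructed sample data.
"""
import ipaddress

# RFC 1918 blocks; "private" here means one of these, not Python's wider
# is_private notion (which also covers loopback, link-local and test nets).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_tunnel_range(first_ip, last_ip, internal_subnets):
    """Return a list of problems with the proposed range; an empty list means OK.

    first_ip / last_ip: the Tunnel IP Range exactly as the FortiGate GUI asks for it.
    internal_subnets:   CIDR strings for every subnet routed behind the unit.
    """
    start = ipaddress.ip_address(first_ip)
    end = ipaddress.ip_address(last_ip)
    if start.version != 4 or end.version != 4:
        return ["tunnel range must be IPv4"]
    if start > end:
        return [f"range start {start} is after range end {end}"]

    # The GUI takes a first/last pair; summarise it into CIDR blocks so the
    # overlap test runs on network objects rather than on endpoints.
    blocks = list(ipaddress.summarize_address_range(start, end))
    internal = [ipaddress.ip_network(s, strict=False) for s in internal_subnets]

    problems = []
    for block in blocks:
        if not any(block.subnet_of(net) for net in RFC1918):
            problems.append(f"{block} is not inside an RFC 1918 private range")
        for net in internal:
            if block.overlaps(net):
                problems.append(f"{block} overlaps internal subnet {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the LAN and server subnets behind the FortiGate.
    lan = ["192.168.1.0/24", "192.168.2.0/24", "10.10.0.0/16"]
    candidates = [
        ("10.212.134.200", "10.212.134.210"),  # free private space: OK
        ("192.168.1.100", "192.168.1.110"),    # collides with the LAN
        ("11.0.0.10", "11.0.0.20"),            # public space: not allowed
    ]
    for first, last in candidates:
        print(f"{first}-{last}:", check_tunnel_range(first, last, lan) or "OK")
```

A range that is not aligned to a CIDR boundary (like 200 to 210) is summarised into several blocks, so one bad range can produce several lines; that is intended, since each line names the exact block that needs to move.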
Cisco Switch Initial Configuration steps...
1. Disconnect all connections.
2. Power on the switch.
3. Wait for the Setup LED to blink green.
4. Press the Setup button.
5. One of the switch port LEDs turns green.
6. Connect the PC to that port. The switch assigns the PC an address by DHCP.
7. Run IPCONFIG on the PC; it should show:
   IP Address: 169.254.0.2
   Subnet Mask: 255.255.255.248
   Default Gateway: 169.254.0.1
8. Open a browser, go to http://169.254.0.1 and configure the switch.
Note: The setup page is served over plain HTTP, so do this from the directly connected PC of step 6 and keep the switch off the production network (step 1) until the management password and management address have been set.
29.11.10
Turn on Automatic Logon in Windows XP Professional
Method 1:
You can use Registry Editor to add your logon information. To do this, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Double-click the DefaultUserName entry, type your user name, and then click OK.
- Double-click the DefaultPassword entry, type your password in the Value data box, and then click OK.
If there is no DefaultPassword value, create it:
- In Registry Editor, click Edit, click New, and then click String Value.
- Type DefaultPassword as the value name, and then press ENTER.
- Double-click the newly created value, and then type your password in the Value data box.
- Double-click the AutoAdminLogon entry, type 1 in the Value data box, and then click OK.
If there is no AutoAdminLogon entry, create it:
- In Registry Editor, click Edit, click New, and then click String Value.
- Type AutoAdminLogon as the value name, and then press ENTER.
- Double-click the newly created value, and then type 1 in the Value data box.
- Exit Registry Editor, and then restart the computer.
Note: With this method the account password sits in cleartext in the DefaultPassword value. The Winlogon key is readable by every user who can log on to the computer, so anyone with a local account, or with a copy of the registry hive taken from a backup or the disk, can read the password. Do not use an account with domain or administrative privileges for automatic logon, and use it only on a computer where physical access is already trusted.
If you want to bypass the automatic logon to log on as a different user, hold down the SHIFT key after you log off or after Windows XP restarts. Note that this procedure applies only to the first logon. To enforce this setting for future logoffs, the administrator must set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: ForceAutoLogon
Type: REG_SZ
Data: 1
Method 2:
You can also turn on automatic logon without editing the registry in Windows XP Home Edition and in Windows XP Professional on a computer that is not joined to a domain. To do this, follow these steps:
- Click Start, and then click Run.
- In the Open box, type control userpasswords2, and then click OK.
- Clear the "Users must enter a user name and password to use this computer" check box, and then click Apply.
- In the Automatically Log On window, type the password in the Password box, and then retype it in the Confirm Password box.
- Click OK to close the Automatically Log On window, and then click OK to close the User Accounts window.
Note: In Windows XP Home Edition, trying to display help from the User Accounts window produces the error "Cannot find the Drive:\Windows\System32\users.hlp Help file. Check to see that the file exists on your hard disk drive. If it does not exist, you must reinstall it."
Note: This method stores the password as an LSA secret rather than as a plain string in the Winlogon key, so ordinary users cannot read it from the registry. A local administrator, or anyone holding the SECURITY hive, can still recover it, so the same caution about which account to use applies.
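Added example (Python, not from the post and not Microsoft code): Method 1 leaves the password in the DefaultPassword value, so an auditor checking machines for this setting wants to read the Winlogon key without logging on to each one. The script below parses a .reg export of that key (the format Registry Editor's File > Export and `reg export` produce) and reports whether AutoAdminLogon is on, whether ForceAutoLogon is set, and whether a cleartext DefaultPassword is present. The export text embedded in the script is constructed sample data, not a real machine's registry.

```python
"""Audit a Winlogon registry export (.reg) for automatic logon with a stored password.

Added example; not from the original post and not Microsoft code. SAMPLE_EXPORT
is constructed sample data showing what Method 1 above leaves behind.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of a .reg export. A real export written by regedit is
# UTF-16: read it with open(path, encoding="utf-16") before passing it in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="labuser"
"DefaultDomainName"="WORKSTATION"
"DefaultPassword"="Summer2010!"
"AutoAdminLogon"="1"
"ForceAutoLogon"="1"
"Shell"="Explorer.exe"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the values in a .reg file.

    String values ("name"="data") are unquoted and unescaped; that is all the
    auto-logon settings use. Other value types are kept as their raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg escapes backslash and double quote with a backslash
            data = re.sub(r'\\(["\\])', r'\1', data[1:-1])
        keys[current][name] = data
    return keys


def audit_autologon(text):
    """Return a list of findings about auto-logon settings in the export."""
    winlogon = {}
    for path, values in parse_reg_export(text).items():
        if path.lower() == WINLOGON_KEY.lower():
            # registry names are case-insensitive; normalise for lookup
            winlogon = {name.lower(): data for name, data in values.items()}
    findings = []
    if winlogon.get("autoadminlogon") == "1":
        user = winlogon.get("defaultusername", "<unset>")
        findings.append(f"AutoAdminLogon is enabled for {user}")
        if winlogon.get("forceautologon") == "1":
            findings.append("ForceAutoLogon is set: automatic logon is re-applied after every logoff")
    if "defaultpassword" in winlogon:
        findings.append("DefaultPassword holds a cleartext password readable by any local user")
    return findings


if __name__ == "__main__":
    for finding in audit_autologon(SAMPLE_EXPORT) or ["no automatic logon configured"]:
        print(finding)
```

A machine configured with Method 2 shows AutoAdminLogon=1 but no DefaultPassword value in the export, because the password lives in an LSA secret; the script then reports only the first finding.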
Port Numbers...
This list of well-known port numbers specifies the port used by the server process as its contact port. Port numbers are conventions, not guarantees: any service can be made to listen on any port, so treat a match in this table as a hint about what is running and confirm it with a banner or protocol probe before acting on it. Where a port is specific to UDP or TCP, the transport is noted.
Port Number | Description |
1 | TCP Port Service Multiplexer (TCPMUX) |
5 | Remote Job Entry (RJE) |
7 | Echo |
18 | Message Send Protocol (MSP) |
20 | FTP -- Data |
21 | FTP -- Control |
22 | SSH Remote Login Protocol |
23 | Telnet |
25 | Simple Mail Transfer Protocol (SMTP) |
29 | MSG ICP |
37 | Time |
42 | Host Name Server (Nameserv) |
43 | WhoIs |
49 | Login Host Protocol (TACACS) |
53 | Domain Name System (DNS) |
69 | Trivial File Transfer Protocol (TFTP), UDP |
70 | Gopher Services |
79 | Finger |
80 | HTTP |
103 | X.400 Standard |
108 | SNA Gateway Access Server |
109 | POP2 |
110 | Post Office Protocol version 3 (POP3) |
115 | Simple File Transfer Protocol (SFTP; not the SSH file transfer protocol) |
118 | SQL Services |
119 | Network News Transfer Protocol (NNTP) |
137 | NetBIOS Name Service, UDP |
138 | NetBIOS Datagram Service, UDP |
139 | NetBIOS Session Service, TCP |
143 | Internet Message Access Protocol (IMAP) |
150 | SQL-NET |
156 | SQL Service |
161 | Simple Network Management Protocol (SNMP), UDP |
179 | Border Gateway Protocol (BGP) |
190 | Gateway Access Control Protocol (GACP) |
194 | Internet Relay Chat (IRC) |
197 | Directory Location Service (DLS) |
389 | Lightweight Directory Access Protocol (LDAP) |
396 | Novell Netware over IP |
443 | HTTPS (HTTP over TLS/SSL) |
444 | Simple Network Paging Protocol (SNPP) |
445 | Microsoft-DS (SMB directly over TCP) |
458 | Apple QuickTime |
546 | DHCPv6 Client (DHCP for IPv4 uses 67/68) |
547 | DHCPv6 Server |
563 | NNTP over TLS/SSL (SNEWS) |
569 | MSN |
1080 | SOCKS proxy |
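Added example (Python, not from the post): the table is most useful when it is applied to what a host is actually listening on. The script below parses rows in the same pipe-separated format as the table above, reads `netstat -an` output, and reports every listening socket with its well-known name, which interfaces it is bound to, and whether the service normally speaks cleartext. The table rows are a subset copied from the list above, the netstat output is a constructed sample rather than a real capture, and the CLEARTEXT set is this example's own judgement, not something the table states.

```python
"""Map listening sockets to the well-known port table and flag risky exposure.

Added example, not from the original post. PORT_TABLE is a subset of the
table above in its own format; SAMPLE_NETSTAT is constructed, not a capture.
"""
import re

PORT_TABLE = """\
Port Number | Description |
21 | FTP -- Control |
22 | SSH Remote Login Protocol |
23 | Telnet |
25 | Simple Mail Transfer Protocol (SMTP) |
80 | HTTP |
139 | NetBIOS Session Service, TCP |
161 | Simple Network Management Protocol (SNMP), UDP |
443 | HTTPS (HTTP over TLS/SSL) |
445 | Microsoft-DS (SMB directly over TCP) |
1080 | SOCKS proxy |
"""

# Services that carry credentials or data unencrypted by default (this
# example's own judgement; extend to taste).
CLEARTEXT = {21, 23, 69, 70, 79, 109, 110, 119, 143, 161, 389}

# Constructed netstat -an output in the Windows layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1080         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.50:50122     ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_port_table(text):
    """Return {port: description} from 'port | description |' rows; the header is skipped."""
    table = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 2 or not cells[0].isdigit():
            continue
        table[int(cells[0])] = cells[1]
    return table


def parse_netstat(text):
    """Yield (proto, local_ip, port, state) per socket line; UDP has no state and counts as listening."""
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, ip, port, state = m.groups()
        yield proto, ip, int(port), state or "LISTENING"


def report_listeners(netstat_text, table_text):
    """Return one dict per listening socket: name from the table, exposure, cleartext flag."""
    table = parse_port_table(table_text)
    findings = []
    for proto, ip, port, state in parse_netstat(netstat_text):
        if state != "LISTENING":
            continue
        if ip in ("0.0.0.0", "::", "[::]"):
            exposure = "all interfaces"
        elif ip in ("127.0.0.1", "::1", "[::1]"):
            exposure = "loopback only"
        else:
            exposure = ip
        findings.append({
            "proto": proto,
            "port": port,
            "service": table.get(port, "unknown (not in table)"),
            "exposure": exposure,
            "cleartext": port in CLEARTEXT,
        })
    return sorted(findings, key=lambda f: (f["port"], f["proto"]))


if __name__ == "__main__":
    for f in report_listeners(SAMPLE_NETSTAT, PORT_TABLE):
        flag = "  <-- cleartext" if f["cleartext"] else ""
        print(f"{f['proto']:3} {f['port']:5} {f['exposure']:15} {f['service']}{flag}")
```

Ports the table does not know (135 in the sample) are reported as unknown rather than dropped; those are exactly the sockets worth a closer look.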