SSL VPN Overview
As organizations have grown and become more complex, secure remote access to network resources has become critical for day-to-day operations. In addition, businesses are expected to provide clients with efficient, convenient services including knowledge bases and customer portals. Employees traveling across the country or around the world require timely and comprehensive access to network resources. As a result of the growing need for providing remote/mobile clients with easy, cost-effective and secure access to a multitude of resources, the concept of a Virtual Private Network (VPN) was developed.
SSL VPNs establish connectivity using SSL, which functions at OSI Levels 4 – 5 (Transport and Session layers). Information is encapsulated at Levels 6 – 7 (Presentation and Application layers), so SSL VPNs communicate at the highest levels of the OSI model. SSL is not, strictly speaking, a Virtual Private Network (VPN) technology in itself, but it is what allows clients to connect to remote networks in a secure way. A VPN is a secure logical network created from physically separate networks. VPNs use encryption and other security methods to ensure that only authorized users can access the network. VPNs also ensure that the data transmitted between computers cannot be intercepted by unauthorized users. When data is encoded and transmitted over the Internet, the data is said to be sent through a “VPN tunnel”. A VPN tunnel is a non-application-oriented tunnel that allows users and networks to exchange a wide range of traffic regardless of application or protocol.
The advantages of a VPN over an actual physical private network are two-fold. Rather than utilizing expensive leased lines or other infrastructure, you use the relatively inexpensive, high-bandwidth Internet. Perhaps more important though is the universal availability of the Internet. In most areas, access to the Internet is readily obtainable without any special arrangements or long wait times.
SSL (Secure Sockets Layer), as used by HTTPS, is supported by most web browsers for exchanging sensitive information securely between a web server and a client. SSL establishes an encrypted link, ensuring that all data passed between the web server and the browser remains private and secure. SSL protection is initiated automatically when a user (client) connects to a web server that is SSL-enabled. Once the connection is successfully established, the browser encrypts all information before it leaves the computer. When the information reaches its destination, it is decrypted using a secret (private) key. Any data sent back is first encrypted, and is decrypted when it reaches the client.
FortiOS supports the SSL and TLS versions defined below:
SSL and TLS version support table
Version | RFC
SSL 2.0 | RFC 6176
SSL 3.0 | RFC 6101
TLS 1.0 | RFC 2246
TLS 1.1 | RFC 4346
TLS 1.2 | RFC 5246
SSL VPN modes of operation
When a remote client connects to the FortiGate unit, the FortiGate unit authenticates the user based on username, password, and authentication domain. A successful login determines the access rights of remote users according to user group. The user group settings specify whether the connection will operate in web-only mode or tunnel mode.
Web-only mode
Web-only mode provides remote users with a fast and efficient way to access server applications from any thin client computer equipped with a web browser. Web-only mode offers true clientless network access using any web browser that has built-in SSL encryption and the Sun Java Runtime Environment (note that there is no minimum Java/JRE version requirement—any version of Java/JRE currently supported by the supplier of the Java/JRE for the operating system should work).
Support for SSL VPN web-only mode is built into FortiOS. The feature comprises an SSL daemon running on the FortiGate unit and a web portal, which provides users with access to network services and resources including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, and SSH.
In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page and the user can access the server applications behind the FortiGate unit.
When the FortiGate unit provides services in web-only mode, a secure connection between the remote client and the FortiGate unit is established through the SSL VPN security in the FortiGate unit and the SSL security in the web browser. After the connection has been established, the FortiGate unit provides access to selected services and network resources through a web portal.
FortiGate SSL VPN web portals have a 1- or 2-column page layout and portal functionality is provided through small applets called widgets. Widget windows can be moved or minimized. The controls within each widget depend on its function. There are predefined web portals and the administrator can create additional portals.
Configuring the FortiGate unit involves selecting the appropriate web portal configuration in the user group settings. These configuration settings determine which server applications can be accessed. SSL encryption is used to ensure traffic confidentiality.
The following table lists the operating systems and web browsers supported by SSL VPN web-only mode.
VPN Web-only Mode, supported operating systems and web browsers
Operating System | Web Browser
Microsoft Windows 7 SP1 (32-bit/64-bit) | Microsoft Internet Explorer version 11; Mozilla Firefox version 46
Microsoft Windows 8/8.1 (32-bit/64-bit) | Microsoft Internet Explorer version 11; Mozilla Firefox version 46
Mac OS 10.11 | Safari version 9; Chrome version 56
Linux CentOS version 6.5 | Mozilla Firefox version 46
Other operating systems and web browsers may function correctly, but are not supported by Fortinet.
Tunnel mode
In Tunnel mode, remote clients connect to a FortiGate unit that acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group.
The SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate unit through an SSL VPN tunnel over the HTTPS link between the user and the FortiGate unit. Another option is split tunneling, which ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route. This conserves bandwidth and alleviates bottlenecks.
When the user initiates a VPN connection with the FortiGate unit through the SSL VPN client, the FortiGate unit establishes a tunnel with the client and assigns the client a virtual IP address from a range of reserved addresses. The client uses the assigned IP address as its source address for the duration of the connection. After the tunnel has been established, the user can access the network behind the FortiGate unit.
SSL VPN conserve mode
FortiGate units perform all security profile processing in physical RAM. Since each model has a limited amount of memory, Kernel conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service.
SSL VPN also has its own conserve mode. The FortiGate enters the SSL VPN conserve mode before the Kernel conserve mode in an attempt to prevent the Kernel conserve mode from triggering. During the SSL VPN conserve mode, no new SSL connections are allowed. It starts when free memory is <25% of the total memory (when the memory on the FortiGate is less than 512Mb) or <10% of the total memory (when the FortiGate has more than 512Mb built in).
To determine if the FortiGate has entered SSL VPN conserve mode – CLI
Run the following command in the CLI Console: diagnose vpn ssl statistics
Result (the SSLVPN state line shows whether conserve mode is active):
SSLVPN statistics:
------------------
Memory unit:                   1
System total memory:           2118737920
System free memory:            218537984
SSLVPN memory margin:          314572800
SSLVPN state:                  conserve

Max number of users:           2
Max number of tunnels:         0
Max number of connections:     13
Current number of users:       1
Current number of tunnels:     0
Current number of connections: 1
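The output above is easy to check by eye once, but an operator who polls many units wants the state extracted and compared with the thresholds the text gives. The following script is an added example, not FortiOS code or a Fortinet tool: it parses a constructed copy of the `diagnose vpn ssl statistics` output (the numbers are the ones shown above; the column spacing is assumed), applies the page's rule (<25% free below 512 MB total, <10% free above it), and also compares free memory with the `SSLVPN memory margin` line. It assumes `Memory unit` is a byte multiplier for the memory figures. Note what the sample shows: free memory is about 10.3% of total, above the 10% figure, yet the unit reports `conserve` and free memory is below the reported margin, so monitoring should key on the state and margin lines the device itself reports rather than on a recomputed percentage.

```python
import re

# Constructed sample, laid out like the "diagnose vpn ssl statistics" output
# shown on this page (the numbers are the page's; the spacing is assumed).
SAMPLE_OUTPUT = """\
SSLVPN statistics:
------------------
Memory unit:                   1
System total memory:           2118737920
System free memory:            218537984
SSLVPN memory margin:          314572800
SSLVPN state:                  conserve

Max number of users:           2
Max number of tunnels:         0
Max number of connections:     13
Current number of users:       1
Current number of tunnels:     0
Current number of connections: 1
"""

SMALL_BOX_BYTES = 512 * 1024 * 1024  # the 512 MB boundary the text describes


def parse_ssl_statistics(text):
    """Turn each 'Name: value' line into a dict entry; integer values become ints.

    Lines without a value after the colon (the title line) and the dashed rule
    are skipped.
    """
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            key, value = m.groups()
            stats[key] = int(value) if value.isdigit() else value
    return stats


def page_threshold(total_bytes):
    """Free-memory fraction below which the text says SSL VPN conserve mode starts."""
    return 0.25 if total_bytes < SMALL_BOX_BYTES else 0.10


def assess(stats):
    """Compare the reported state with the page's percentage rule and the unit's own margin.

    'Memory unit' is assumed (not stated on the page) to be a byte multiplier.
    """
    unit = stats["Memory unit"]
    total = stats["System total memory"] * unit
    free = stats["System free memory"] * unit
    margin = stats["SSLVPN memory margin"] * unit
    ratio = free / total
    return {
        "reported_state": stats["SSLVPN state"],
        "in_conserve": stats["SSLVPN state"] == "conserve",
        "free_ratio": round(ratio, 4),
        "page_threshold": page_threshold(total),
        "free_below_page_threshold": ratio < page_threshold(total),
        "free_below_margin": free < margin,
        "users": (stats["Current number of users"], stats["Max number of users"]),
    }


if __name__ == "__main__":
    # Stand-alone run: print the assessment of the constructed sample.
    for name, value in assess(parse_ssl_statistics(SAMPLE_OUTPUT)).items():
        print(f"{name}: {value}")
```

In practice the text of the command output is collected over SSH and fed to `parse_ssl_statistics`; an `in_conserve` of true, or `free_below_margin` turning true while the state is still normal, is the condition worth alerting on, since no new SSL connections are accepted once conserve mode is entered.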
Port forwarding mode
While tunnel mode provides a Layer 3 tunnel that users can run any application over, the user needs to install the tunnel client, and have the required administrative rights to do so. In some situations, this may not be desirable, yet the simple web mode does not provide enough flexibility for application support (for example, if you wish to use an email client that communicates with a POP3 server). The port forward mode, or proxy mode, provides this middle ground between web mode and tunnel mode.
SSL VPN port forwarding listens on local ports on the user’s computer. When it receives data from a client application, the port forward module encrypts and sends the data to the FortiGate unit, which then forwards the traffic to the application server.
The port forward module is implemented as a Java applet, which is downloaded to and runs on the user’s computer. The applet provides up-to-date status information such as addressing and bytes sent and received.
On the user end, the user logs into the FortiGate SSL VPN portal, and selects a port forward bookmark configured for a specific application. The bookmark defines the server address and port as well as which port to listen to on the user’s computer.
The user must configure the application on the PC to point to the local proxy instead of the application server. For information on this configuration change, see the application documentation.
This mode only supports client/server applications that are using a static TCP port. It will not support client/server applications using dynamic ports or traffic over UDP.
Application support
With Citrix application servers, the server downloads an ICA configuration file to the user’s PC. The client application uses this information to connect to the Citrix server. The FortiGate unit will read this file and append a SOCKS entry to set the SOCKS proxy to ‘localhost’. The Citrix client will then be able to connect to the SSL VPN port forward module to provide the connection. When configuring the port forwarding module, a selection is available for Citrix servers.
For Windows Remote Desktop Connections, when selecting the RDP option, the tunnel will launch the RDP client and connect to the local loopback address after the port forward module has been initiated.
Note that the RDP/VNC web portals are not supported for the following platforms:
Platform | Model
FortiGate | 80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C, 3240C, 3600C, and 5001C
FortiGate-Rugged | 90D
FortiWiFi | 92D
Antivirus and firewall host compatibility
The following tables list the antivirus and firewall client software packages that are supported in FortiOS.
Supported Windows XP antivirus and firewall software
Product supported | Antivirus | Firewall
Symantec Endpoint Protection V11 | • | •
Kaspersky Antivirus 2009 | • |
McAfee Security Center v8.1 | • | •
Trend Micro Internet Security Pro | • | •
F-Secure Internet Security 2009 | • | •
Supported Windows 7 32-bit and 64-bit antivirus and firewall software
Product supported | Antivirus | Firewall
CA Internet Security 2011 | • | •
AVG Internet Security 2011 | |
F-Secure Internet Security 2011 | • | •
Kaspersky Internet Security 2011 | • | •
McAfee Internet Security 2011 | • | •
Norton 360™ Version 4.0 | • | •
Norton™ Internet Security 2011 | • | •
Panda Internet Security 2011 | • | •
Sophos Security Suite | • | •
Trend Micro Titanium Internet Security | • | •
ZoneAlarm Security Suite | • | •
Symantec Endpoint Protection Small Business Edition 12.0 | • | •
Traveling and security
Because SSL VPN provides a means for “on-the-go” users to dial in to the network while away from the office, you need to ensure that wherever and however they choose to dial in is secure and does not potentially compromise the corporate network.
Host check
To reinforce security, you can enable a host integrity checker to scan the remote client. The integrity checker probes the remote client computer to verify that it is safe before access is granted. Security attributes recorded on the client computer (for example, in the Windows registry, in specific files, or held in memory due to running processes) are examined and uploaded to the FortiGate unit. For more information, see Host check on page 32.
Host Check is applicable for both SSL VPN Web Mode and SSL VPN Tunnel mode.
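The host check described above is a policy decision: the client uploads what it found (registry values, files, running processes, the security products installed), and the gateway grants or denies access against the attributes the administrator requires. The following is an added example of that decision logic, not FortiOS code and not how the FortiGate host checker is implemented. The report and policy structures, the registry key, file path, and process name, and the `ExampleAgent` product are all constructed for the example; the approved antivirus names and supported operating systems are taken from the tables on this page. Failures are collected rather than short-circuited so that a denied client's log entry lists every unmet requirement.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HostReport:
    """Constructed client-side scan result: the kinds of attributes the page says
    the host integrity checker examines (field names are assumptions)."""
    os_name: str
    antivirus: Optional[str]
    antivirus_running: bool
    firewall_enabled: bool
    registry: dict = field(default_factory=dict)   # registry value path -> value
    files: set = field(default_factory=set)        # files found on the host
    processes: set = field(default_factory=set)    # running process names


@dataclass
class HostPolicy:
    """What the administrator requires before access is granted (assumed shape)."""
    allowed_os: set
    approved_antivirus: set
    require_firewall: bool = True
    required_registry: dict = field(default_factory=dict)
    required_files: set = field(default_factory=set)
    required_processes: set = field(default_factory=set)


def evaluate_host(report: HostReport, policy: HostPolicy):
    """Return (allowed, failures); allowed only when every check passes."""
    failures = []
    if report.os_name not in policy.allowed_os:
        failures.append(f"operating system not supported: {report.os_name}")
    if report.antivirus not in policy.approved_antivirus:
        failures.append(f"antivirus not approved: {report.antivirus!r}")
    elif not report.antivirus_running:
        failures.append(f"antivirus installed but not running: {report.antivirus}")
    if policy.require_firewall and not report.firewall_enabled:
        failures.append("host firewall disabled")
    for key, wanted in policy.required_registry.items():
        if report.registry.get(key) != wanted:
            failures.append(f"registry {key} != {wanted!r}")
    for path in sorted(policy.required_files - report.files):
        failures.append(f"required file missing: {path}")
    # Windows process names are case-insensitive; compare them folded.
    running = {p.lower() for p in report.processes}
    for proc in sorted(policy.required_processes):
        if proc.lower() not in running:
            failures.append(f"required process not running: {proc}")
    return (not failures, failures)


# Policy built from the page's tables plus assumed registry/file/process checks.
EXAMPLE_POLICY = HostPolicy(
    allowed_os={"Windows 7 SP1", "Windows 8", "Windows 8.1", "Mac OS 10.11", "CentOS 6.5"},
    approved_antivirus={"McAfee Internet Security 2011", "Kaspersky Internet Security 2011",
                        "Sophos Security Suite", "Symantec Endpoint Protection V11"},
    required_registry={r"HKLM\SOFTWARE\Example\DiskEncryption\Enabled": 1},
    required_files={r"C:\ProgramData\Example\agent.cfg"},
    required_processes={"ExampleAgent.exe"},
)

# Two constructed reports: one that meets the policy, one that fails several checks.
COMPLIANT = HostReport(
    os_name="Windows 7 SP1", antivirus="McAfee Internet Security 2011",
    antivirus_running=True, firewall_enabled=True,
    registry={r"HKLM\SOFTWARE\Example\DiskEncryption\Enabled": 1},
    files={r"C:\ProgramData\Example\agent.cfg"},
    processes={"explorer.exe", "exampleagent.exe"},
)
NONCOMPLIANT = HostReport(
    os_name="Windows 7 SP1", antivirus="Unknown AV",
    antivirus_running=True, firewall_enabled=False,
    registry={}, files=set(), processes={"explorer.exe"},
)

if __name__ == "__main__":
    for label, rep in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        allowed, why = evaluate_host(rep, EXAMPLE_POLICY)
        print(label, "->", "allow" if allowed else "deny", why)
```

The same evaluation applies whether the client is headed for web mode or tunnel mode; what changes between deployments is the policy contents, not the decision procedure.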
SSL VPN and IPv6
FortiOS supports SSL VPN with IPv6 addressing, and IPv6 is available for all the Java applets (Telnet, VNC, RDP, and so on). IPv6 configurations for security policies and addressing include:
- Policy matching for IPv6 addresses
- Support for DNS resolving in SSL VPN
- Support for IPv6 ping
- FTP applications
- SMB
In essentially any of the following instructions, replace IPv4 with IPv6 to achieve the same desired results, but for IPv6 addresses and configurations.
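Two passages above come together in the client's routing decision: the split-tunneling option in tunnel mode (only traffic for the private network enters the tunnel, the rest takes the usual unencrypted route) and the statement that the same configuration applies unchanged to IPv6. The following is an added example of that decision, not FortiOS or FortiClient code: the private networks and destination addresses are constructed, and the "direct"/"tunnel" labels are the example's own. It uses the standard `ipaddress` module so the same function serves IPv4 and IPv6 prefixes, which is the point the IPv6 section makes.

```python
import ipaddress

# Constructed split-tunnel configuration: the private networks behind the
# gateway that must be reached through the SSL VPN tunnel. The values are
# assumptions for this example, not a FortiOS configuration.
PRIVATE_NETWORKS = [
    "10.0.0.0/8",
    "192.168.50.0/24",
    "2001:db8:100::/48",
]


def compile_routes(networks):
    """Parse the tunnel routes once; strict=True rejects prefixes with host bits set."""
    return [ipaddress.ip_network(n, strict=True) for n in networks]


def route_for(destination, tunnel_routes, split_tunnel=True):
    """Decide where traffic for `destination` goes.

    Returns ("tunnel", matched_prefix) or ("direct", None). With split
    tunneling off everything is tunneled (matched_prefix is None because no
    specific route decided it); with it on, only destinations inside a
    configured private network enter the tunnel and the rest leave by the
    client's normal path. IPv4 and IPv6 are handled identically.
    """
    addr = ipaddress.ip_address(destination)
    if not split_tunnel:
        return ("tunnel", None)
    for net in tunnel_routes:
        # An IPv4 address can never be inside an IPv6 prefix or vice versa.
        if net.version == addr.version and addr in net:
            return ("tunnel", str(net))
    return ("direct", None)


def summarize(destinations, tunnel_routes, split_tunnel=True):
    """Classify a batch of destinations and count how many take each path."""
    decisions = {d: route_for(d, tunnel_routes, split_tunnel) for d in destinations}
    counts = {"tunnel": 0, "direct": 0}
    for path, _ in decisions.values():
        counts[path] += 1
    return decisions, counts


if __name__ == "__main__":
    routes = compile_routes(PRIVATE_NETWORKS)
    # Constructed destinations: two private (one IPv6), one public.
    decisions, counts = summarize(["10.1.1.1", "1.1.1.1", "2001:db8:100::5"], routes)
    for dest, (path, via) in decisions.items():
        print(f"{dest:<20} {path:<7} {via or ''}")
    print(counts)
```

The bandwidth saving the text mentions is exactly the `direct` count: those flows never touch the gateway. The trade-off a practitioner should keep in mind is that direct flows also bypass the gateway's security profiles, so the list of tunneled prefixes is a security decision, not only a capacity one.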