Fortigate SSLVPN
Submitted To:
Network Security Operations
For:
Alberta Health Services
Created by:
Carl M. Ocol
May 2011
Document Control
For additional information and clarifications pertaining to the contents of this document please contact Provincial Network Security Operations as follows:
|
Analyst |
E-Mail Address |
Office Phone Number |
|
Cameron Bain |
780-342-6953 |
|
|
Giovanni Pagliuso |
780-342-6957 |
|
|
Glenn Matias |
780-342-6051 |
|
|
Eric Millice |
403-910-2998 |
|
|
Solomon Adelakun |
587-773-7324 |
|
Change Record |
|||
|
Date |
Author |
Version |
Change Reference |
|
May 20, 2011 |
Carl Ocol |
V1.0 |
|
|
May 27, 2011 |
Cameron Bain |
V1.1 |
|
|
Sep 3, 2011 |
Cameron Bain |
V1.2 |
|
|
Aug 8, 2013 |
Carl Ocol |
V1.3 |
|
|
Sept 15, 2014 |
Carl Ocol |
V1.4 |
|
|
August 7, 2015 |
Dale Runge |
V1.5 |
|
|
July 13, 2018 |
Solomon Adelakun |
V1.6 |
|
Contents
3. Windows Installation Instructions
4. Macintosh Installation Instructions
Notes:
1. Click here for instructions on how to set up Remote Desktop Connection.
2. Click here for contact information of AHS Help Desk.
1. Requirements/Goals
The primary goal of the Fortinet SSLVPN solution is to provide a remote access infrastructure to match and exceed the needs of Alberta Health Services staff and partners.
The solution must provide for easy installation, easy client configuration, reliable operation and security for the client.
The solution must provide a highly available and resilient VPN service that will be available at all times to the client.
Operating Systems supported by the Fortinet SSLVPN solution include:
· Windows OS
· MAC OS
· Linux OS
Requirements for the SSLVPN client include:
· Valid RSA FOB issued by Access Admin with the appropriate access to AHS resources
· Any latest version of a web browser to download the Fortinet SSL VPN client
2. Background Information
Over the past several years, as organizations have grown and become more complex, secure remote access to network resources has become critical for day-to-day operations. As a result of the growing need for providing remote/mobile clients with easy, cost-effective and secure access to a multitude of resources, the concept of a Virtual Private Network was developed.
What is SSL?
SSL (Secure Sockets Layer) over HTTPS is supported by most web browsers for exchanging sensitive information securely between a web server and a client. SSL establishes an encrypted link, ensuring that all data passed between the web server and the browser remains private and secure. SSL protection is initiated automatically when a user (client) connects to a web server that is SSL-enabled. Once the successful connection is established, the browser encrypts all the information before it leaves the computer. When the information reaches its destination, it is decrypted using a secret (private) key. Any data sent back is first encrypted, and is decrypted when it reaches the client.
Goals of SSL
SSL has four main goals:
· Confidentiality of communications
· Integrity of data
· Authentication of server
· Authentication of client (non-repudiation) to correct for dropped packets in multimedia streams
3. Windows Installation Instructions
Download one of the flowing SSL VPN Client installer packages:
32 Bit SSLVPN Client (Suitable for Windows XP)
64 Bit SSLVPN Client (Suitable for Windows 7, Windows 8 and Windows 10)
B.1 Using Internet Explorer web browser under Windows XP you should see something similar to the following:
Click the ‘Run’ button to start installing the SSL VPN client.
When asked if you want to run the installer, select ‘Run’
Windows account control may ask you to run the installer with admin privileges. Select ‘Run as administrator’.
B.2 Using Firefox or other web browsers you will see something similar to the following:
Save the file
Then open the download tab on the browser and ‘run’ the SslvpnClient by clicking on <.exe> file.
Example:
B.3 Using Microsoft Edge in windows 10 you will see the following:
Select ‘Save’ then ‘Run’ after the download is complete.
C On the screen that appears, select to install the client.
The following images are the screens you will see during installation:
Select ‘Yes’ on the User Account Control Screen
The installation process will start as below:
On the ‘Welcome to the FortiClient Setup Wizard’ screen enable the checkbox and select ‘Next’ as shown next:
Select the “Secure Remote Access” Option to install only the VPN components, then click “Next”.
Accept the defaults as shown below and click on ‘Next’:
Select ‘Install’ on the subsequent screen as shown:
Wait until the installation is completed. Select ‘Finish’ at the bottom of the installation screen.
There will be a new Icon placed on the desktop as shown:
Double clicking this Icon to open the FortiClient SSL VPN connection will result in the following:
Click on “Remote Access” and then “Configure VPN”
Configure the next screen as above, and enter your username in the username field. Click “Apply” then “Close” to apply the settings. You are presented with the next screen.
User Name: (enter the provided username here). If you selected “save login” and entered your username in the previous screen above, the username is automatically populated.
Password: (enter your Pin and FOB access code into this box)
Type your PIN and 6 digits displaying on your token with no spaces in the password field.
Once completed, click ‘Connect’ and a connection to the AHS SSL VPN portal should be successful. The window will minimize to the task bar as shown:
Clicking on the Task Bar Icon will result in the following window being displayed:
Please note that this screen is where the assigned IP address from the SSL VPN head end located inside AHS is seen. It should be an address similar to what is shown (10.48.x.x).
When your work is done, click Disconnect. After disconnecting, you may log back in by entering a new Password (PIN + token code) and clicking ‘Connect’. Otherwise, click the ‘X’ in the upper right hand corner of the connection window to close the client.
4. MAC OS X Installation Instructions
Note: for Macintosh operating system the standalone SSLVPN client should be configured and used for connectivity. To use the SSL VPN standalone tunnel client (Mac OS X) please follow these instructions.
a. Download the SSL VPN Client by clicking the link to the SSLVPN client for MacOS. (if webpage is not found, right-click on the link then select ‘Save link as’ or ‘Save target as’. Run the installer <·dmg> file from where you have saved it).
b. Go to the Applications folder and double-click on forticlientsslvpn.app. The FortiClient SSL VPN tunnel client (Mac OS X) opens.
c. Select Settings....
d. Optionally, select Keep connection alive until manually stopped to prevent tunnel connections from closing due to inactivity.
e. Optionally, select Start connection automatically. The next time the tunnel mode application starts, it will start the last selected connection.
f. If you use a proxy in your network, enter in Proxy the proxy server IP address and port. Enter proxy authentication credentials immediately below in User and Password.
g. Select the + button to define a new connection, or select from the list an existing connection to modify.
h. To create a new connection, select Create
i. Enter the following information.
Server: vpn.albertahealthservices.ca. In the smaller field, enter the SSL VPN port number (443)
User: Enter your user name; example: johndoe
Password: Enter the PIN + token code associated with your FOB key; example: 1234xxxxxx
Certificate: Leave blank.
Password: Leave blank.
j. Select Done.
5. Troubleshooting
Fortigate SSLVPN Client troubleshooting:
· When wrong credentials are entered OR you are trying to connect to the SSL VPN from inside the AHS network, a Warning message comes up regarding invalid login credentials. The correct format for Name is <username> and Password is <pin><token code from FOB key>. Your PIN (Personal Identification Number) is numeric and between 4 and 8 digits in length. Also please note that connecting to the SSL VPN is not possible when the laptop or mobile device is already connected to the AHS network.
· To ensure that you are connected in an SSLVPN tunnel mode, check that an IP address has been provided by the SSLVPN server to the PPP adapter fortissl. Go to <Start then Run>. On the Run field, type ‘cmd’ then hit enter. When the cmd window (black window) opens up, enter the command “ipconfig” besides the prompt.
NOTE: If authentication issues persist, you can test that your FOB is operational by logging into web page: http://token.albertahealthservices.ca ... upon successfull logon you will see a message about successfully completing the authentication (and setting your pin if that was required). This is the only function of the page. Once you have tested the FOB, please close the page.