Fortigate SSLVPN

 

 

 

 

Submitted To:

Network Security Operations

 

 

For:

Alberta Health Services

 

 

 

 

 

Created by:

Carl M. Ocol

May 2011

 

 

 

 

 

 


 Document Control

 

For additional information and clarifications pertaining to the contents of this document please contact Provincial Network Security Operations as follows:

 

Analyst | E-Mail Address | Office Phone Number
Cameron Bain | Cameron.Bain@albertahealthservices.ca | 780-342-6953
Giovanni Pagliuso | Giovanni.Pagliuso@albertahealthservices.ca | 780-342-6957
Glenn Matias | Glenn.Matias@albertahealthservices.ca | 780-342-6051
Eric Millice | Eric.Millice@albertahealthservices.ca | 403-910-2998
Solomon Adelakun | Solomon.Adelakun@albertahealthservices.ca | 587-773-7324

 

 

Change Record

Date | Author | Version | Change Reference
May 20, 2011 | Carl Ocol | V1.0 |
May 27, 2011 | Cameron Bain | V1.1 |
Sep 3, 2011 | Cameron Bain | V1.2 |
Aug 8, 2013 | Carl Ocol | V1.3 |
Sept 15, 2014 | Carl Ocol | V1.4 |
August 7, 2015 | Dale Runge | V1.5 |
July 13, 2018 | Solomon Adelakun | V1.6 |

 

 

 

Contents

 

1.           Requirements/Goals

2.           Background Information

3.           Windows Installation Instructions

4.           Macintosh Installation Instructions

5.           Troubleshooting

 

Notes:

1.   Click here for instructions on how to set up Remote Desktop Connection.

2.   Click here for contact information of AHS Help Desk.

 

 

1.   Requirements/Goals

 

The primary goal of the Fortinet SSLVPN solution is to provide a remote access infrastructure to match and exceed the needs of Alberta Health Services staff and partners.

 

The solution must provide for easy installation, easy client configuration, reliable operation and security for the client.

 

The solution must provide a highly available and resilient VPN service that will be available at all times to the client.

 

Operating Systems supported by the Fortinet SSLVPN solution include:

·         Windows OS

·         Mac OS

·         Linux OS

 

Requirements for the SSLVPN client include:

·         Valid RSA FOB issued by Access Admin with the appropriate access to AHS resources

·         A current version of any web browser, to download the Fortinet SSL VPN client

 

 


 

 

2.   Background Information

 

Over the past several years, as organizations have grown and become more complex, secure remote access to network resources has become critical for day-to-day operations. As a result of the growing need for providing remote/mobile clients with easy, cost-effective and secure access to a multitude of resources, the concept of a Virtual Private Network was developed.

 

 

What is SSL?

 

SSL (Secure Sockets Layer) over HTTPS is supported by most web browsers for exchanging sensitive information securely between a web server and a client. SSL establishes an encrypted link, ensuring that all data passed between the web server and the browser remains private and secure. SSL protection is initiated automatically when a user (client) connects to a web server that is SSL-enabled. Once the successful connection is established, the browser encrypts all the information before it leaves the computer. When the information reaches its destination, it is decrypted using a secret (private) key. Any data sent back is first encrypted, and is decrypted when it reaches the client.

 

 

Goals of SSL

 

SSL has four main goals:

·         Confidentiality of communications

·         Integrity of data

·         Authentication of server

·         Authentication of client (non-repudiation)

 


 

 

3.   Windows Installation Instructions

 

Download one of the following SSL VPN Client installer packages:

32 Bit SSLVPN Client (Suitable for Windows XP)

64 Bit SSLVPN Client (Suitable for Windows 7, Windows 8 and Windows 10)

 

B.1 Using Internet Explorer web browser under Windows XP you should see something similar to the following:

http://vpnextranet.albertahealthservices.ca/vpnfiles/Fortigate_VPN5_Client_Architecture_and_Installation_Document_files/image001.jpg

Click the ‘Run’ button to start installing the SSL VPN client.

 

http://vpnextranet.albertahealthservices.ca/vpnfiles/Fortigate_VPN5_Client_Architecture_and_Installation_Document_files/image002.jpg

 

When asked if you want to run the installer, select ‘Run’.

 

 

Windows User Account Control may ask you to run the installer with admin privileges. Select ‘Run as administrator’.

http://vpnextranet.albertahealthservices.ca/vpnfiles/Fortigate_VPN5_Client_Architecture_and_Installation_Document_files/image003.jpg

 

<proceed to section C>

 

 

B.2 Using Firefox or other web browsers you will see something similar to the following:

 

http://vpnextranet.albertahealthservices.ca/vpnfiles/Fortigate_VPN5_Client_Architecture_and_Installation_Document_files/image004.jpg

Save the file

 

Then open the download tab on the browser and run the SslvpnClient installer by clicking on the .exe file.

Example:

http://vpnextranet.albertahealthservices.ca/vpnfiles/Fortigate_VPN5_Client_Architecture_and_Installation_Document_files/image005.jpg

B.3 Using Microsoft Edge in Windows 10 you will see the following:

 

 

 

 

Select ‘Save’ then ‘Run’ after the download is complete.

 

C. On the screen that appears, choose to install the client.

 

The following images are the screens you will see during installation:

 

Select ‘Yes’ on the User Account Control Screen

 

 

The installation process will start as below:

 

On the ‘Welcome to the FortiClient Setup Wizard’ screen enable the checkbox and select ‘Next’ as shown next:

 

 

Select the “Secure Remote Access” Option to install only the VPN components, then click “Next”.

 

 

 

 

 

 

Accept the defaults as shown below and click on ‘Next’:

 

 

Select ‘Install’ on the subsequent screen as shown:

 

 

 

Wait until the installation is completed. Select ‘Finish’ at the bottom of the installation screen.

 

 

 

There will be a new Icon placed on the desktop as shown:

 

 

Double clicking this Icon to open the FortiClient SSL VPN connection will result in the following:

                           

Click on “Remote Access” and then “Configure VPN”

 

 

Configure the next screen as above, and enter your username in the username field. Click “Apply” then “Close” to apply the settings. You are presented with the next screen.

 

 

 

User Name: (enter the provided username here). If you selected “save login” and entered your username in the previous screen above, the username is automatically populated.

 

Password: (enter your PIN and FOB access code into this box)

 

Type your PIN followed by the 6 digits displayed on your token, with no spaces, in the password field.

 

http://vpnextranet.albertahealthservices.ca/vpnfiles/Fortigate_VPN5_Client_Architecture_and_Installation_Document_files/image226.jpg

 

 

 

 

 

 

 

 

 

Once completed, click ‘Connect’. The client should connect successfully to the AHS SSL VPN portal, and the window will minimize to the task bar as shown:

 

 

Clicking on the Task Bar Icon will result in the following window being displayed:

 

 

Please note that this screen is where the assigned IP address from the SSL VPN head end located inside AHS is seen. It should be an address similar to what is shown (10.48.x.x).

 

When your work is done, click Disconnect. After disconnecting, you may log back in by entering a new Password (PIN + token code) and clicking ‘Connect’. Otherwise, click the ‘X’ in the upper right hand corner of the connection window to close the client.

 


 

 

4.   MAC OS X Installation Instructions

 

Note: On the Macintosh operating system, the standalone SSLVPN client should be configured and used for connectivity. To use the SSL VPN standalone tunnel client (Mac OS X), please follow these instructions.

 

a.       Download the SSL VPN Client by clicking the link to the SSLVPN client for MacOS. (If the webpage is not found, right-click on the link, then select ‘Save link as’ or ‘Save target as’. Run the installer .dmg file from where you have saved it.)

 

b.  Go to the Applications folder and double-click on forticlientsslvpn.app. The FortiClient SSL VPN tunnel client (Mac OS X) opens.

 

http://vpnextranet.albertahealthservices.ca/vpnfiles/Fortigate_VPN5_Client_Architecture_and_Installation_Document_files/image301.jpg

 

c.  Select Settings....

http://vpnextranet.albertahealthservices.ca/vpnfiles/Fortigate_VPN5_Client_Architecture_and_Installation_Document_files/image302.jpg

 

d.  Optionally, select Keep connection alive until manually stopped to prevent tunnel connections from closing due to inactivity.

 

e.  Optionally, select Start connection automatically. The next time the tunnel mode application starts, it will start the last selected connection.

 

f.   If you use a proxy in your network, enter in Proxy the proxy server IP address and port. Enter proxy authentication credentials immediately below in User and Password.

 

g.  Select the + button to define a new connection, or select from the list an existing connection to modify.

 

h.  To create a new connection, select Create

 

i.   Enter the following information.

Server: vpn.albertahealthservices.ca. In the smaller field, enter the SSL VPN port number (443)

User: Enter your user name; example: johndoe

Password: Enter the PIN + token code associated with your FOB key; example: 1234xxxxxx

Certificate: Leave blank.

Password: Leave blank.

 

j. Select Done.

 


 

 

5.   Troubleshooting

Fortigate SSLVPN Client troubleshooting:

 

·         When wrong credentials are entered OR you are trying to connect to the SSL VPN from inside the AHS network, a Warning message comes up regarding invalid login credentials. The correct format for Name is <username> and Password is <pin><token code from FOB key>.  Your PIN (Personal Identification Number) is numeric and between 4 and 8 digits in length.  Also please note that connecting to the SSL VPN is not possible when the laptop or mobile device is already connected to the AHS network.

 

 

·         To ensure that you are connected in SSLVPN tunnel mode, check that an IP address has been provided by the SSLVPN server to the PPP adapter fortissl. Go to Start, then Run. In the Run field, type ‘cmd’ and press Enter. When the cmd window (black window) opens, enter the command “ipconfig” at the prompt.

 

http://vpnextranet.albertahealthservices.ca/vpnfiles/Fortigate_VPN5_Client_Architecture_and_Installation_Document_files/image401.jpg
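The ipconfig check described above can also be scripted. The following PowerShell function is an added example, not part of the original guide: it looks for the PPP adapter fortissl in ipconfig output and reports whether it holds an address in the 10.48.x.x range mentioned earlier. The function name, the English-language ipconfig layout and the reading of "10.48.x.x" as the prefix 10.48. are assumptions, and the sample output is constructed.

```powershell
# Added example, not part of the original guide.
# Assumptions: English-language ipconfig output; "10.48.x.x" in the guide
# is read as the prefix 10.48.; Test-FortiSslTunnel is a hypothetical name.
function Test-FortiSslTunnel {
    param(
        [string[]]$IpconfigLines,            # ipconfig output, one line per element
        [string]$AdapterName = 'fortissl',   # adapter name given in the guide
        [string]$ExpectedPrefix = '10.48.'   # assumed meaning of "10.48.x.x"
    )
    $inAdapter = $false; $found = $false; $address = $null
    foreach ($line in $IpconfigLines) {
        # Adapter headers start in column 0 and end with ':'; detail lines are indented.
        if ($line -match '^\S.*adapter (.+):\s*$') {
            $inAdapter = ($Matches[1] -eq $AdapterName)
            if ($inAdapter) { $found = $true }
            continue
        }
        # Windows XP prints "IP Address"; Windows 7 and later print "IPv4 Address".
        if ($inAdapter -and ($line -match '^\s+IP(v4)? Address[ .]*:\s*(\d+\.\d+\.\d+\.\d+)')) {
            $address = $Matches[2]
        }
    }
    if (-not $found)   { return "NO_ADAPTER: '$AdapterName' is not listed, so the tunnel is not up" }
    if (-not $address) { return "NO_ADDRESS: '$AdapterName' is listed but has no IPv4 address" }
    if ($address.StartsWith($ExpectedPrefix)) { return "OK: $address" }
    return "UNEXPECTED: $address is outside ${ExpectedPrefix}x.x"
}

# Constructed sample (not captured from a real host), Windows 7+ layout.
# The second adapter confirms that only the fortissl section is read.
$sample = @'
Windows IP Configuration

PPP adapter fortissl:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.48.12.34
   Subnet Mask . . . . . . . . . . . : 255.255.255.255

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20
'@ -split "`r?`n"

Test-FortiSslTunnel -IpconfigLines $sample
# Live check on a Windows client: Test-FortiSslTunnel -IpconfigLines (ipconfig)
```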

 

 

NOTE: If authentication issues persist, you can test that your FOB is operational by logging into the web page http://token.albertahealthservices.ca. Upon successful logon you will see a message about successfully completing the authentication (and setting your PIN if that was required). This is the only function of the page. Once you have tested the FOB, please close the page.

 
