Workspot Configuration Guide for the Fortinet FortiGate Firewall Workspot, Inc. 4/8/2016

This document contains Workspot proprietary information and is not to be disclosed to unauthorized persons. Version 1.1 pg. 1 of 12

Fortinet FortiGate and Workspot Overview

The Fortinet FortiGate provides comprehensive threat protection with firewall, VPN (IPsec and SSL), intrusion prevention, antivirus/antispyware, antispam, and web filtering technologies. The platform also provides application control, data loss prevention, dynamic routing for IPv4 and IPv6, endpoint NAC, and SSL-encrypted traffic inspection.

Once the FortiGate is installed on-premise or in the cloud, Workspot can be quickly implemented as no additional hardware or software is required. The Workspot Client securely connects to internal applications and services using the FortiGate SSL-VPN feature.

For more information on the Fortinet FortiGate, go to: http://www.fortinet.com/products/fortigate/index.html

The Workspot Client runs on Windows PCs, Macs, and mobile devices; Workspot Control, a corresponding cloud-based administration console, is used to manage configuration and policies for the environment.

For more information on Workspot, go to: http://www.workspot.com

Products and Versions Tested

The information and screens in this guide are based on the following:

FortiGate VM64, firmware Version v5.4.0,build1011 (GA)

Workspot Control (Release 4/7/16)

Prerequisites and Configuration Notes

The following are general prerequisites for this guide:

FortiGate firewall version 5.0 or later.

FortiGate administrator access.

Configured for both inside network and Internet connectivity.

An authentication server such as Microsoft Active Directory (AD) using LDAP or RADIUS.

DNS FQDN names or IP addresses for internal web apps, CIFS file shares, Remote Desktop Services (RDS) servers and RemoteApps.

Configuring the FortiGate involves the following configuration steps:

1. SSL-VPN User Group
2. SSL-VPN configuration
3. SSL-VPN policy
4. SSL-VPN portal (optional)
5. Configuring the FortiGate in Workspot Control

If an existing FortiGate SSL-VPN configuration already supports web-access and AD authentication, then go to Testing the Configuration. If the testing fails, verify the settings shown below, clone the current setups, and update specific settings where needed.

FortiGate Configuration for Workspot

These steps outline the basic configuration of a FortiGate firewall to support Workspot. Sign into the administrator console.

1. Configure a User Group for the Workspot users. Go to User & Device > User Groups and click +Create New.
   a. Enter a name for the User Group: Workspot SSL VPN Users.
   b. Under Remote groups, select + Create New.
   c. Select the AD authentication server from the list of Remote Servers. Then click OK and then OK again to save.

2. Configure the SSL-VPN. If the SSL-VPN is already configured, verify the following settings. Go to VPN > SSL-VPN Settings.
   a. Set the Listen on Interface(s) to the interface connected to the external network.
   b. Set the Listen on Port to the HTTPS port. If port 443 used for the SSL VPN is on the same interface as the administrator interface, then the administrator HTTPS port under System > Settings must be set to another port, e.g. 10443.
   c. Select the SSL Server Certificate obtained from a Certificate Authority and imported into this FortiGate. Otherwise, the Workspot users will be prompted to accept the self-signed certificate when connecting to the SSL VPN.
   d. Under Authentication/Portal Mapping, select +Create New.
   e. Select Workspot SSL VPN Users and web-access, then click OK.
   f. Click Apply to save the configuration.
   g. From the top of the page, click “No SSL-VPN policies exist. Click here to create a new SSL-VPN policy using these settings” and go to step 3a.

3. Configure the SSL-VPN Policy. Go to Policy & Objects > IPv4 Policy and click +Create New.
   a. Enter the policy name: Workspot SSL VPN Policy
   b. Select the Outgoing Interface which is connected to the external network.
   c. Select the Source Address: All and the User: Workspot SSL VPN Users
   d. Select the Destination Address: All
   e. Select the Service: ALL then click OK to save.

Note: The Incoming Interface must be set to the SSL-VPN tunnel interface.

4. Configure the SSL-VPN Portal. Go to VPN > SSL-VPN Portals and select web-access and click Edit.
   a. Verify that Tunnel Mode is OFF and Enable Web Mode is ON.
   b. Verify that the Show Connection Launcher is ON. This setting is not required for Workspot but will allow a standard browser to test the FortiGate configuration; other settings are also optional.
   c. If modified, click OK to save the configuration.
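
The settings from steps 2 and 3 can also be checked offline against a saved FortiGate configuration file. The following Python script is an added example, not part of the original guide or of any Workspot or Fortinet tooling; it assumes the file uses the FortiOS CLI key names shown (admin-sport, servercert, authentication-rule, srcintf), that ssl.root is the SSL-VPN tunnel interface, and that the listed built-in certificate names match your firmware. The sample configuration is constructed.

```python
import re
BUILTIN_CERTS = {"Fortinet_Factory", "self-sign"}  # assumed built-in names; adjust per firmware

def parse(text):
    """Flatten config/edit/set nesting into {(section, ..., key): [values]}."""
    out, stack = {}, []
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[:1] in (["config"], ["edit"]):
            stack.append(" ".join(tok[1:]))
        elif tok[:1] in (["end"], ["next"]) and stack:
            stack.pop()
        elif tok[:1] == ["set"] and len(tok) > 1:
            out[tuple(stack) + (tok[1],)] = tok[2:]
    return out

def rows(cfg, *prefix):  # settings of each 'edit' entry directly under prefix
    table = {}
    for path, val in cfg.items():
        if path[:-2] == prefix:
            table.setdefault(path[-2], {})[path[-1]] = val
    return list(table.values())

def audit(text, group="Workspot SSL VPN Users", portal="web-access", tunnel="ssl.root"):
    cfg, bad, ssl = parse(text), [], ("vpn ssl settings",)
    # admin-sport counts as 443 when absent; tunnel name ssl.root is an assumption
    if cfg.get(ssl + ("port",)) == cfg.get(("system global", "admin-sport"), ["443"]):
        bad.append("2b: SSL-VPN port equals the administrator HTTPS port")
    if cfg.get(ssl + ("servercert",), [""])[0] in BUILTIN_CERTS:
        bad.append("2c: built-in certificate, users will be prompted to accept it")
    if not any(group in r.get("groups", []) and r.get("portal") == [portal]
               for r in rows(cfg, *ssl, "authentication-rule")):
        bad.append("2e: user group is not mapped to the portal")
    if not any(group in p.get("groups", []) and p.get("srcintf") == [tunnel]
               for p in rows(cfg, "firewall policy")):
        bad.append("3: no policy for the group with the tunnel as Incoming Interface")
    return bad

# Constructed sample backup; "wan1" is a placeholder interface name.
SAMPLE = """config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 443
end
config firewall policy
    edit 1
        set srcintf "wan1"
        set groups "Workspot SSL VPN Users"
    next
end"""
```

Calling audit() on the text of a configuration file returns one finding per mismatched step; an empty list means the checked settings match the guide.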


Testing the Configuration

To test the configuration, use any standard browser and go to the URL associated with the FortiGate, e.g. https://fortigate.mycompany.com/. Enter your AD Username and Password then click Login.

On the portal screen click Quick Connection.

Then enter an internal website URL, e.g. intranet.mycompany.com, and click launch.

The internal web page should be opened in a new tab.

https://fortinet.mycompany.com/proxy/http/intranet.mycompany.com

Configuring the FortiGate VPN in Workspot Control

To configure the VPN for Workspot users, sign into Workspot Control, then go to Setup > VPN > Add New VPN, then enter a name, the external URL for the FortiGate VPN, and Fortinet as the SSL VPN Type. Select the group(s) which will use the FortiGate and then click Save.

Troubleshooting

<To be updated by Support team>