Workspot Configuration Guide for the Fortinet FortiGate Firewall
Workspot, Inc.
4/8/2016
Version 1.1

Fortinet FortiGate and Workspot Overview

The Fortinet FortiGate provides comprehensive threat protection with firewall, VPN (IPsec and SSL), intrusion prevention, antivirus/antispyware, antispam, and web filtering technologies. The platform also provides application control, data loss prevention, dynamic routing for IPv4 and IPv6, endpoint NAC, and SSL-encrypted traffic inspection.

Once the FortiGate is installed on-premise or in the cloud, Workspot can be implemented quickly because no additional hardware or software is required. The Workspot Client securely connects to internal applications and services using the FortiGate SSL-VPN feature.

For more information on the Fortinet FortiGate, go to: http://www.fortinet.com/products/fortigate/index.html

The Workspot Client runs on Windows PCs, Macs, and mobile devices. Workspot Control, a corresponding cloud-based administration console, is used to manage configuration and policies for the environment.

For more information on Workspot, go to: http://www.workspot.com

Products and Versions Tested

The information and screens in this guide are based on the following:

- FortiGate VM64, firmware Version v5.4.0,build1011 (GA)
- Workspot Control (Release 4/7/16)

Prerequisites and Configuration Notes

The following are general prerequisites for this guide:

- FortiGate firewall version 5.0 or later.
- FortiGate administrator access.
- FortiGate configured for both inside network and Internet connectivity.
- An authentication server such as Microsoft Active Directory (AD) using LDAP or RADIUS.
- DNS FQDN names or IP addresses for internal web apps, CIFS file shares, Remote Desktop Services (RDS) servers and RemoteApps.

Configuring the FortiGate involves the following configuration steps:

1. SSL-VPN User Group
2. SSL-VPN configuration
3. SSL-VPN policy
4. SSL-VPN portal (optional)
5. Configuring the FortiGate in Workspot Control

If an existing FortiGate SSL-VPN configuration already supports web-access and AD authentication, go to Testing the Configuration. If the testing fails, verify the settings shown below, clone the current setups, and update specific settings where needed.
FortiGate Configuration for Workspot

These steps outline the basic configuration of a FortiGate firewall to support Workspot. Sign into the administrator console.

1. Configure a User Group for the Workspot users. Go to User & Device > User Groups and click +Create New.
   a. Enter a name for the User Group: Workspot SSL VPN Users.
   b. Under Remote groups, select + Create New.
   c. Select the AD authentication server from the list of Remote Servers. Then click OK and then OK again to save.
2. Configure the SSL-VPN. If the SSL-VPN is already configured, verify the following settings. Go to VPN > SSL-VPN Settings.
   a. Set the Listen on Interface(s) to the interface connected to the external network.
   b. Set the Listen on Port to the HTTPS port. If port 443 used for the SSL VPN is on the same interface as the administrator interface, then the administrator HTTPS port under System > Settings must be set to another port, e.g. 10443.
   c. Select the SSL Server Certificate obtained from a Certificate Authority and imported into this FortiGate. Otherwise, the Workspot users will be prompted to accept the self-signed certificate when connecting to the SSL VPN.
   d. Under Authentication/Portal Mapping, select +Create New.
   e. Select Workspot SSL VPN Users and web-access, then click OK.
   f. Click Apply to save the configuration.
   g. From the top of the page, click the message "No SSL-VPN policies exist. Click here to create a new SSL-VPN policy using these settings" and go to step 3a.
3. Configure the SSL-VPN Policy. Go to Policy & Objects > IPv4 Policy and click +Create New.
   a. Enter the policy name: Workspot SSL VPN Policy
   b. Select the Outgoing Interface which is connected to the external network.
   c. Select the Source Address: All and the User: Workspot SSL VPN Users
   d. Select the Destination Address: All
   e. Select the Service: ALL then click OK to save.

   Note: The Incoming Interface must be set to the SSL-VPN tunnel interface.
4. Configure the SSL-VPN Portal. Go to VPN > SSL-VPN Portals, select web-access and click Edit.
   a. Verify that Tunnel Mode is OFF and Enable Web Mode is ON.
   b. Verify that the Show Connection Launcher is ON. This setting is not required for Workspot but will allow a standard browser to test the FortiGate configuration; other settings are also optional.
   c. If modified, click OK to save the configuration.
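
The following Python check is an added example, not part of the original Workspot guide. It reads a FortiGate configuration backup and reports where the SSL-VPN portal and policy differ from steps 3 and 4, and where the policy is left at destination all with service ALL. The sample excerpt is constructed; the tunnel interface name ssl.root and the treatment of an unset tunnel-mode as disabled are assumptions.

```python
import shlex
# Constructed sample: backup excerpt after steps 1-4 (tunnel interface assumed "ssl.root").
SAMPLE = '''
config vpn ssl web portal
    edit "web-access"
        set web-mode enable
    next
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstaddr "all"
        set service "ALL"
        set groups "Workspot SSL VPN Users"
    next
end
'''

def parse_section(text, header):
    """Return {entry: {key: [values]}} for the top-level block 'config <header>'."""
    entries, entry, depth = {}, None, 0
    for line in map(str.strip, text.splitlines()):
        if depth == 0:
            depth = int(line == "config " + header)
        elif line == "end" or line.startswith("config "):
            depth += -1 if line == "end" else 1  # nested tables raise the depth
        elif depth == 1 and line.startswith("edit "):
            entry = entries.setdefault(shlex.split(line)[1], {})
        elif depth == 1 and line.startswith("set ") and entry is not None:
            key, *values = shlex.split(line)[1:]
            entry[key] = values
    return entries

def audit(text, group="Workspot SSL VPN Users", portal="web-access"):
    findings = []
    p = parse_section(text, "vpn ssl web portal").get(portal, {})
    if p.get("web-mode") != ["enable"]:
        findings.append(f"portal {portal}: web mode not enabled")
    if p.get("tunnel-mode", ["disable"]) != ["disable"]:  # unset: assumed default
        findings.append(f"portal {portal}: tunnel mode is on")
    rules = parse_section(text, "firewall policy")
    vpn = {i: r for i, r in rules.items() if "ssl.root" in r.get("srcintf", [])}
    if not vpn:
        findings.append("no policy with incoming interface ssl.root")
    for i, r in vpn.items():
        if group not in r.get("groups", []):
            findings.append(f"policy {i}: not limited to group {group}")
        if r.get("dstaddr") == ["all"] and r.get("service") == ["ALL"]:
            findings.append(f"policy {i}: dstaddr all with service ALL")
    return findings
```

A configuration that follows steps 3d and 3e as written produces the last finding; it disappears once destination or service is restricted to the internal applications listed in the prerequisites.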
Testing the Configuration

To test the configuration, use any standard browser and go to the URL associated with the FortiGate, e.g. https://fortigate.mycompany.com/. Enter your AD Username and Password, then click Login.

On the portal screen, click Quick Connection. Then enter an internal website URL (e.g. intranet.mycompany.com) and click Launch.

The internal web page should be opened in a new tab, e.g. https://fortinet.mycompany.com/proxy/http/intranet.mycompany.com
Configuring the FortiGate VPN in Workspot Control

To configure the VPN for Workspot users, sign into Workspot Control, then go to Setup > VPN > Add New VPN. Enter a name, the external URL for the FortiGate VPN, and Fortinet as the SSL VPN Type. Select the group(s) which will use the FortiGate and then click Save.
Troubleshooting

<To be updated by Support team>