USER GUIDE

FortiClient Host Security
Version 2.0 MR1

www.fortinet.com

FortiClient Host Security User Guide
Version 2.0 MR1
October 17, 2005
04-20001-0183-20051017

© Copyright 2005 Fortinet, ...
© Copyright 2005 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

Introduction ..... 5
  About FortiClient Host Security ..... 5
  Documentation ..... 5
    Fortinet Knowledge Center ..... 5
    Comments on Fortinet technical documentation ..... 5
  Customer service and technical support ..... 6
Installation ..... 7
  System requirements ..... 7
    Supported FortiGate models and FortiOS versions ..... 7
  Language Support ..... 7
  Installing FortiClient on a single PC ..... 8
  Installing customized FortiClient using Active Directory Server ..... 8
    Customizing the FortiClient installation package ..... 8
    Disabling VPN XAuth password saving ..... 9
    Running remote installation ..... 9
Configuration ..... 11
  General Settings ..... 11
    Entering a license key ..... 11
    Configuring proxy server settings ..... 12
    FortiClient status icons ..... 12
  VPN ..... 13
    Setting up a FortiClient-to-FortiGate VPN with manual configuration ..... 13
    Setting up a FortiClient-to-FortiGate VPN with automatic configuration ..... 17
    Testing the connection ..... 18
    Connecting to the remote FortiGate network ..... 20
    Configuring the advanced VPN settings ..... 20
    Monitoring VPN connections ..... 26
    Exporting and importing VPN policy files ..... 28
    Troubleshooting ..... 28
    Starting up VPN before logging on to Windows ..... 29
    Managing digital certificates ..... 29
  Antivirus ..... 34
    Scanning for viruses ..... 34
    Configuring antivirus settings ..... 36
    Configuring real-time protection ..... 39
    Configuring email scanning ..... 40
    Managing quarantined files ..... 40
    Monitoring Windows startup list entries ..... 41
  Firewall ..... 43
    Selecting a firewall mode ..... 43
    Selecting a firewall profile ..... 43
    Viewing traffic information ..... 44
    Configuring application access permissions ..... 44
    Configuring network security zones ..... 45
    Configuring intrusion detection ..... 47
    Configuring advanced firewall rules ..... 47
  Web Filter ..... 49
    Setting the administration password ..... 49
    Configuring the web filter settings ..... 49
  Update ..... 51
    Updating FortiClient ..... 51
  Logs ..... 52
    Configuring log settings ..... 52
    Managing log files ..... 53
  Using the FortiClient system tray icon menus ..... 53
Frequently asked questions ..... 55
Index ..... 57
Introduction

This chapter introduces you to FortiClient Host Security software and the following topics:
• About FortiClient Host Security
• Documentation
• Customer service and technical support

About FortiClient Host Security

The FortiClient Host Security software is a secure remote access client for Windows computers. It integrates IPSec VPN, antivirus, Windows registry monitoring, firewall, and web browsing control into a single software package. Using the FortiClient software, you can:
• create VPN connections to remote networks,
• scan your computer for viruses,
• configure real-time protection against viruses and unauthorized modification of the Windows registry,
• restrict access to your system and applications by setting up firewall policies,
• restrict Internet access according to the rules you specify.

Documentation

In addition to this FortiClient Host Security User Guide, the FortiClient online help provides information and procedures for using and configuring the FortiClient software. Information about FortiGate Antivirus Firewalls is available from the FortiGate online help and the FortiGate Administration Guide.

Fortinet Knowledge Center

The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.

Fortinet email support is available from the following addresses:
• amer_support@fortinet.com: For customers in the United States, Canada, Mexico, Latin America and South America.
• apac_support@fortinet.com: For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
• eu_support@fortinet.com: For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.

For information on Fortinet telephone support, see http://support.fortinet.com.

When requesting technical support, please provide the following information:
• Your name
• Company name
• Location
• Email address
• Telephone number
• FortiClient version
• Detailed description of the problem
Installation

You can install the FortiClient software in two ways:
• For a single PC installation, you can install the software by running the installation file. See “Installing FortiClient on a single PC” on page 8.
• For a group installation, you can use the Active Directory Server to install the FortiClient package on multiple PCs. See “Installing customized FortiClient using Active Directory Server” on page 8.

System requirements

• PC-compatible computer with Pentium processor or equivalent
• Compatible operating systems and minimum RAM:
  • Microsoft Windows 2000: 64 MB
  • Microsoft Windows XP: 128 MB
  • Microsoft Windows Server 2003: 128 MB
• 40 MB hard disk space
• Native Microsoft TCP/IP communications protocol
• Native Microsoft PPP dialer for dial-up connections
• Ethernet for network connections
• Microsoft Internet Explorer 5.0 or later

Supported FortiGate models and FortiOS versions

The FortiClient software supports:
• all FortiGate models
• FortiOS v2.36
• FortiOS v2.50
• FortiOS v2.80

Language Support

FortiClient Host Security is localized for English, Simplified Chinese, and Japanese. The user interface, manual and online help are provided in English, Simplified Chinese, or Japanese. If the installation detects a Simplified Chinese or Japanese code page, the Simplified Chinese or Japanese version is installed. In all other cases, the English version is installed.
Installing FortiClient on a single PC

The software may not function properly with other VPN clients installed on the same computer. You should uninstall any other VPN clients such as SSH Sentinel before installing the FortiClient software. If you have an older version of FortiClient software on your computer, it will be uninstalled automatically.

Note: Configuration data from FortiClient v1.2 and v1.6 will be kept and reused by v2.0. Configuration data from v1.0 cannot be reused by v2.0.

To install the FortiClient software, run the FortiClient install program and follow the instructions on the screen. To complete the installation of the FortiClient software, you must reboot the computer and complete the following initial configuration.

Note: The FortiClient software installs a virtual network adapter. The FortiClient virtual network adapter is not displayed in the Windows list of network adapters.

To configure the FortiClient software after system reboot
1 On the FortiClient Configuration Wizard, select Basic Setup if you are installing FortiClient on a standalone computer, or select Advanced Setup if you are installing FortiClient on a computer in a network.
2 For Basic Setup, configure the update settings. For more update information, see “Update” on page 51.
3 For Advanced Setup, do the following:
  • Add IP addresses to FortiClient’s public, trusted, and blocked zones. For more information, see “Configuring network security zones” on page 45.
  • If your computer uses a proxy server, enter the proxy server information. See “Configuring proxy server settings” on page 12.
  • Configure the update settings. See “Update” on page 51.

Installing customized FortiClient using Active Directory Server

The FortiClient installer is based on MSI technology. You can customize the FortiClient installation package and use the Active Directory Server to install different customized installation packages on different PCs.

Customizing the FortiClient installation package

To customize the FortiClient MSI installation package, use any MSI editor, such as InstallShield and Wise. The MSI file should not be edited directly. The recommended solution is to create a transform file that contains the configuration changes you need. The transform file is applied to the original MSI file at runtime by msiexec.

Custom installations must conform to the following rules.
• No feature is to be deleted.
• No feature is to be added.
• No feature is to be moved from one feature to another.
• No component is to be deleted.
• No component is to be added.
• No component code (GUID) is to be modified.
• No component is to be moved from one feature to another.
• The shared state of a component must not be changed.

Registry settings are only to be added to the following components:
• REGISTRY_MST_FWSettings
• REGISTRY_MST_AVSettings
• REGISTRY_MST_VPNSettings
• REGISTRY_MST_BHOSettings

Caution: If you modify the MSI installation package, you may not be able to upgrade the FortiClient installation with newer FortiClient releases.

Disabling VPN XAuth password saving

The ability for a user to “save” the VPN XAuth password can now be disabled through a registry setting in a custom installation.

To disable XAuth password saving
1 Create a custom MSI transform file.
2 Edit the LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_IKE registry key.
3 Add the value DontRememberPassword under the key.
4 Set the value of DontRememberPassword to 1.

Running remote installation

The following is a general description of how to deploy the FortiClient software to remote computers using Active Directory Server. For more details, see the Active Directory manuals or online help.

To complete this procedure, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

To deploy FortiClient using Active Directory Server
1 Unzip the FortiClient MSI installation file to a share folder.
2 Open the Group Policy Object Editor.
3 Select Computer Configuration.
4 Select Software Settings.
5 Right-click Software Installation, select New, and then select Package.
6 Select the FortiClient MSI installation file and select Open.
7 In Deploy Software, select Assigned.
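Once a customized package has been assigned through Active Directory, an administrator will want to verify on each PC that the transform actually delivered the XAuth setting described under “Disabling VPN XAuth password saving”. The following PowerShell audit function is an added example, not part of this guide or of FortiClient; it assumes the guide’s LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_IKE key corresponds to HKLM:\Software\Fortinet\FortiClient\FA_IKE, and the function name Test-FortiClientXAuthSaveDisabled is a hypothetical one chosen here.

```powershell
# Added audit example (not from the FortiClient guide): reports whether the
# DontRememberPassword value that a custom MSI transform is supposed to set
# is present and equal to 1 on this PC. Distinguishes "key missing" (package
# not installed or transform not applied) from "value missing" and "wrong value".
function Test-FortiClientXAuthSaveDisabled {
    [CmdletBinding()]
    param(
        # Assumed PowerShell form of the guide's LOCAL_MACHINE\...\FA_IKE key.
        [string]$KeyPath   = 'HKLM:\Software\Fortinet\FortiClient\FA_IKE',
        # Value name taken from the guide's procedure.
        [string]$ValueName = 'DontRememberPassword'
    )

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        KeyPath      = $KeyPath
        ValueName    = $ValueName
        Value        = $null
        Compliant    = $false
        Reason       = ''
    }

    # Case 1: the FA_IKE key is absent. Either FortiClient is not installed
    # here or the Group Policy assignment did not apply the transform.
    if (-not (Test-Path -Path $KeyPath)) {
        $result.Reason = 'Key missing: FortiClient not installed or transform not applied'
        return [pscustomobject]$result
    }

    # Case 2: the key exists but the transform's value was never written,
    # so users can still tick "save" for the XAuth password.
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not ($item.PSObject.Properties.Name -contains $ValueName)) {
        $result.Reason = 'Value missing: users can still save the XAuth password'
        return [pscustomobject]$result
    }

    # Case 3: the value exists; only the documented value 1 counts as disabled.
    # "-as [int]" yields $null (not an exception) for a non-numeric string value.
    $result.Value = $item.$ValueName
    if (($result.Value -as [int]) -eq 1) {
        $result.Compliant = $true
        $result.Reason    = 'XAuth password saving is disabled'
    } else {
        $result.Reason = 'Value present but not 1: password saving still allowed'
    }
    return [pscustomobject]$result
}

# Run on the local PC and show the verdict; collect the objects from many PCs
# (for example via Invoke-Command) to spot machines the transform missed.
Test-FortiClientXAuthSaveDisabled | Format-List
```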
Configuration

This chapter describes the detailed FortiClient settings in the order of the FortiClient GUI layout.
• General Settings
• VPN
• Antivirus
• Firewall
• Web Filter
• Update
• Logs
• Using the FortiClient system tray icon menus

General Settings

Use the General Settings page to:
• set the FortiClient software to load automatically during startup,
• enable or disable real-time antivirus protection,
• enable or disable the Windows system startup list monitoring,
• enter a product license key,
• configure the proxy server settings.

You can also use the General Settings page to view:
• the current version and serial number of the FortiClient software,
• the status of the VPN service,
• the current version of the antivirus definition files,
• the time of the last antivirus scan,
• the status of the auto-update service,
• the time of the last update.

Entering a license key

The FortiClient software uses license keys to distinguish between evaluation software and fully licensed software. With the evaluation version, you can only use DES for encryption and MD5 for authentication when you configure a VPN connection. After you register the software, you receive the license key from Fortinet.

To enter a license key
1 On the General Settings page, select Enter License Key.
2 Enter the license key in the License Key field.
3 Select OK.
Configuring proxy server settings

If you use a proxy server for your LAN, you can specify the proxy server settings so that the FortiClient software can go through the proxy server to get antivirus signature updates and online SCEP. FortiClient software supports HTTP, SOCKS v4, and SOCKS v5 proxy protocols.

To configure proxy server settings
1 Go to General > Connection.
2 Select Enable proxy for updates and/or Enable proxy for Online SCEP.
3 For Proxy Type, select HTTP, SOCKS v4, or SOCKS v5.
4 Enter the proxy server’s IP address and port number.
5 Enter the user name and password.
6 Select Apply.

Note: You can get the proxy server information from your network administrator.

FortiClient status icons

The FortiClient status bar on the lower right corner displays the FortiClient status icons. The icons indicate the following states:
• The VPN service is running and there is an open connection.
• The VPN service is stopped.
• The antivirus scanning service is running.
• The antivirus scanning service is stopped.
• The update service is running.
• The update service is stopped.
• The real-time protection service is running.
• The real-time protection service is stopped.
• The firewall protection is enabled.
• The firewall protection is disabled.
VPN

By entering basic connection information and using the default settings, you can quickly set up a VPN tunnel between your computer and a network behind a FortiGate gateway. See “Setting up a FortiClient-to-FortiGate VPN with manual configuration” on page 13.

If the FortiGate gateway runs as a VPN policy server that deploys the preconfigured VPN policies to FortiClient PCs, you can use the FortiClient automatic configuration feature. In this case, you only need to specify the FortiGate IP address to which the FortiClient software connects to download the VPN configuration. See “Setting up a FortiClient-to-FortiGate VPN with automatic configuration” on page 17.

Note: FortiGate-to-FortiClient VPN policy deployment is a new feature of FortiOS v3.0. Contact Fortinet Technical Support for more details.

If you are configuring a VPN to use either local digital certificates or smartcard/eToken certificates for authentication, see “Managing digital certificates” on page 29 before proceeding. Digital certificates are not required for configuring FortiClient VPN connections. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.

Setting up a FortiClient-to-FortiGate VPN with manual configuration

This VPN configuration example uses default FortiClient settings and preshared keys for VPN authentication. To customize the FortiClient VPN settings or to use digital certificates for VPN authentication, see “Configuring the advanced VPN settings” on page 20 and “Managing digital certificates” on page 29.

To set up a VPN connection, you must configure both the FortiClient and the FortiGate VPN settings.

Configuring FortiClient VPN settings

Go to VPN > Connections to add, delete, edit, or rename a VPN connection.

To add a FortiClient to FortiGate VPN, you need to:
• Set up the VPN tunnel from FortiClient to the remote FortiGate gateway.
• Add the remote network IP addresses behind the remote gateway.
• Get a virtual IP address that the FortiGate firewall administrator assigns to your FortiClient PC, unless you use DHCP over IPSec.
• Configure Internet browsing over IPSec if you want to access the Internet through the VPN tunnel.
Figure 1: Creating a new VPN connection

To create a FortiClient VPN configuration
1 Go to VPN > Connections.
2 Select Add.
3 Enter a descriptive name for the connection.
4 For Configuration, select Manual.
5 For Remote Gateway, enter the IP address or the fully qualified domain name (FQDN) of the remote gateway.
6 Enter the Remote Network information. This is the IP address and netmask of the network behind the FortiGate gateway.
7 Enter the Preshared key. The preshared key must be the same as the one used by the FortiGate VPN configuration.
8 Select OK.

To add a remote network you can access
1 Go to VPN > Connections.
2 Select Add to add a new connection, or select Edit to edit a connection.
3 Select Advanced.
4 In the Advanced Settings dialog box, select Add.
5 In the Network Editor dialog box, enter the IP address and subnet mask of the remote network. You can enter multiple IP addresses behind the remote gateway. These are the IP addresses you can access through the VPN tunnel.
6 Select OK.

To set the virtual IP address
1 Select a VPN and then select Edit.
2 Select Advanced.
3 In the Advanced Settings dialog box, select Acquire Virtual IP Address and select Config.
4 In the Virtual IP Acquisition dialog box, select either DHCP over IPSec or manually set an IP. For details, see “Configuring Virtual IP address acquisition” on page 24.
5 Select OK.

To use Internet browsing over IPSec
1 Select a VPN and then select Edit.
2 Select Advanced.
3 In the Advanced Settings dialog box, select Add.
4 Enter 0.0.0.0/0.0.0.0 and select OK.

Note: For the FortiClient PC to be able to use Internet browsing over IPSec, the remote FortiGate gateway must also be configured to allow such traffic.

Configuring the FortiGate VPN settings

To configure the FortiGate unit to accept FortiClient VPN connections, you need to:
• configure the FortiGate Phase 1 VPN settings,
• configure the FortiGate Phase 2 VPN settings,
• add a firewall encryption policy.

The default FortiGate phase 1 and 2 VPN settings match the default FortiClient VPN settings if you have a registered FortiClient version. You do not need to modify the default FortiGate VPN settings if you are using a FortiClient quick start configuration.

Note: If you have the FortiClient evaluation version, you can only use DES for encryption and MD5 for authentication. Therefore, when you configure the FortiGate VPN settings, you must also select DES and MD5.

The following procedures are applicable to v2.50 FortiGate gateways. For v2.80 FortiGate gateways, the procedures vary slightly. For detailed configuration information, see the FortiGate VPN Guide.

To configure phase 1 settings
1 Go to VPN > IPSEC > Phase 1.
2 Select Create New to create a new VPN gateway.
3 Enter the following information and select OK.
  • Gateway Name: Enter a name for the remote FortiClient user, such as FortiClient_User1.
  • Remote Gateway: Select Dialup User.
  • Mode: Select Main Mode.
  • Authentication Method: Select Pre-shared Key.
  • Pre-shared Key: Enter the pre-shared key.
  • Peer option: Select Accept any peer ID.

To configure phase 2 settings
1 Go to VPN > IPSec > Phase 2.
2 Select Create New to create a new VPN tunnel.
3 Enter the following information and select OK.
  • Tunnel Name: Enter a name for the VPN tunnel.
  • Remote Gateway: Select the gateway name you entered in the phase 1 configuration.
  • Concentrator: Select None.

To add a source address
1 Go to Firewall > Address.
2 Select Create New.
3 Enter an address name.
4 Enter the individual address or the subnet address that you want the dialup users to access through VPN.
5 Select OK.

To add a destination address
1 Go to Firewall > Address > External.
2 Select New.
3 Enter an address name.
4 Enter the subnet IP address which will be used as the virtual IP addresses for the remote FortiClient PCs. This subnet should be different from the local FortiGate subnet.
5 Select OK.

To add a firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK.
  • Source: Internal
  • Destination: External
  • Source Address Name: Select the address name you added in “To add a source address” on page 16.
  • Destination Address Name: Select the address name you added in “To add a destination address” on page 16.
  • Schedule: Always
  • Service: Any
  • Action: Encrypt
  • VPN Tunnel: Select the VPN tunnel you added in “To configure phase 2 settings” on page 16. Select Allow inbound and Allow outbound.
  • Protection Profile: Optional
  • Log Traffic: Optional
4 Move the encryption policy above the non-encrypt firewall policies in the policy list.

Setting up a FortiClient-to-FortiGate VPN with automatic configuration

If the remote FortiGate gateway is configured as a VPN policy deployment server, you can configure the FortiClient software to download the VPN policies from the FortiGate gateway.

The policy server has a daemon running all the time for incoming policy download requests. This daemon communicates with the FortiClient PC to process user authentication, policy lookup, and delivery. After the policy is sent out, the daemon closes the SSL connection, and you can start up the VPN tunnel from the FortiClient side.

Note: For VPNs with automatic configuration, only preshared keys are supported. Certificates are not supported.

On the FortiClient side, you only need to create a VPN name and specify the IP address of the FortiGate gateway.

To add a VPN with automatic configuration on the FortiClient PC
1 Go to VPN > Connections.
2 Select Add.
3 In the New Connection dialog box, enter a connection name.
4 For Configuration, select Automatic.
5 For Policy Server, enter the IP address or FQDN of the FortiGate gateway.
6 Select OK.

Configuring the FortiGate gateway

On the FortiGate side, you must do the following to configure the FortiGate gateway to work as a VPN policy server:
1 Add the FortiClient users to a user group for authentication. When the FortiClient users try to connect to the FortiGate gateway to download the VPN policies, they are challenged for user names and passwords. See “Configuring FortiGate user authentication” on page 18.
2 Create a dialup VPN. See “Configuring the FortiGate VPN settings” on page 15.
3 Create a firewall policy for the dialup VPN. See “To add a firewall policy” on page 16.

Configuring FortiGate user authentication

FortiGate units support user authentication against the FortiGate user database, a RADIUS server, or an LDAP server. You can add user names to the FortiGate user database and then add a password so that the user can authenticate against the internal database. You can also use RADIUS and LDAP servers to authenticate users.

To enable authentication, you must add user names to one or more user groups. You can also add RADIUS servers and LDAP servers to user groups. You can then select a user group wherever authentication is required. For more information, see the user authentication chapter of the FortiGate Administration Guide.

To add a FortiClient user to the FortiGate local user database

1 On the FortiGate web-based manager, go to User > Local.
2 Select Create New.
3 Enter a user name and a password.
4 Select OK.

To add a user to a group

1 Go to User > User Group.
2 Select Create New to add a new user group, or select the Edit icon to edit an existing group.
3 Enter a Group Name to identify the user group.
4 To add users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.
5 To add a RADIUS server to the user group, select a RADIUS server from the Available Users list and select the right arrow to add the RADIUS server to the Members list.
6 To add an LDAP server to the user group, select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list.
7 To remove users, RADIUS servers, or LDAP servers from the user group, select the entry in the Members list and select the left arrow to remove it from the group.
8 Select a protection profile from the Protection Profiles list.
9 Select OK.

Testing the connection

After you configure both the FortiClient and FortiGate sides, you can test the VPN connection from your FortiClient PC.

To test the connection

1 Go to VPN > Connections.
2 Select the connection you want to test.
3 Select Test. A log window opens and begins to negotiate the VPN connection with the remote FortiGate unit. If the test is successful, the last line of the log reads “IKE daemon stopped”.

Note: For a VPN with automatic configuration, the FortiClient software downloads the VPN policy first.

To test the VPN connection, the FortiClient software attempts to negotiate the VPN connection but does not actually open a VPN connection. If the last line of the log reads “Next_time = x sec”, where x is an integer, the test was not successful: the FortiClient software is still trying to negotiate the connection. See “Troubleshooting” on page 28.

4 Select Close.

Figure 2: A successful connection test
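As an added example (not part of this guide or of the FortiClient software), the following Python function reads a saved log window and classifies it by the verdict lines the guide quotes for the Test procedure above and for the Connect procedure that follows. The sample log windows are constructed for the example; only their final lines are taken from the guide.

```python
import re

# Verdict lines quoted from the guide. Test: "IKE daemon stopped" means
# success, "Next_time = x sec" (x an integer) means FortiClient is still
# retrying. Connect: "Negotiation Succeeded!" means the tunnel is up,
# "Negotiation failed! Please check log" means the attempt failed.
TEST_SUCCESS = "IKE daemon stopped"
CONNECT_SUCCESS = "Negotiation Succeeded!"
CONNECT_FAILURE = "Negotiation failed! Please check log"
_NEXT_TIME = re.compile(r"^Next_time\s*=\s*(\d+)\s*sec$")


def classify_vpn_log(lines, action):
    """Classify a FortiClient log window by its last non-empty line.

    action is "test" or "connect". Returns a dict with the keys
    result ("success", "failure" or "unknown"), last_line (the line the
    verdict rests on) and retry_secs (x from "Next_time = x sec" for a
    failed test, otherwise None).
    """
    if action not in ("test", "connect"):
        raise ValueError("action must be 'test' or 'connect'")
    last = ""
    for line in lines:
        if line.strip():          # ignore blank trailing lines
            last = line.strip()
    verdict = {"result": "unknown", "last_line": last, "retry_secs": None}
    if action == "test":
        if last == TEST_SUCCESS:
            verdict["result"] = "success"
        else:
            match = _NEXT_TIME.match(last)
            if match:
                verdict["result"] = "failure"
                verdict["retry_secs"] = int(match.group(1))
    elif last == CONNECT_SUCCESS:
        verdict["result"] = "success"
    elif last == CONNECT_FAILURE:
        verdict["result"] = "failure"
    return verdict


# Constructed sample log windows for this example. Only the final verdict
# lines come from the guide; the other lines are placeholders.
SAMPLE_TEST_OK = ["Negotiating with 192.0.2.1", TEST_SUCCESS, ""]
SAMPLE_TEST_FAIL = ["Negotiating with 192.0.2.1", "Next_time = 30 sec"]
SAMPLE_CONNECT_OK = ["Negotiating with 192.0.2.1", CONNECT_SUCCESS]
SAMPLE_CONNECT_FAIL = ["Negotiating with 192.0.2.1", CONNECT_FAILURE]

if __name__ == "__main__":
    for name, log, action in [("test ok", SAMPLE_TEST_OK, "test"),
                              ("test fail", SAMPLE_TEST_FAIL, "test"),
                              ("connect ok", SAMPLE_CONNECT_OK, "connect"),
                              ("connect fail", SAMPLE_CONNECT_FAIL, "connect")]:
        print(name, classify_vpn_log(log, action))
```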
Figure 3: A failed connection test

Connecting to the remote FortiGate network

After you set up a VPN connection, you can start or stop the connection as required.

To connect to a remote FortiGate gateway

1 Go to VPN > Connections.
2 Select the connection you want to start.
3 Select Connect. The FortiClient software opens a log window and begins to negotiate a VPN connection with the remote FortiGate firewall. If the negotiation is successful and the connection is established, the last line of the log reads “Negotiation Succeeded!”
4 Select OK or wait for the log window to close automatically. If the last line of the log is “Negotiation failed! Please check log” and the log window does not close automatically, the connection attempt failed. Test the connection to verify the configuration. See “Setting up a FortiClient-to-FortiGate VPN with automatic configuration” on page 17.
5 To stop the connection, select Disconnect.

Configuring the advanced VPN settings

You can configure the detailed IKE and IPSec parameters and other advanced VPN settings.
Configuring IKE and IPSec policies

FortiClient has two preconfigured IKE and IPSec policies:

• Use the Legacy policy for a VPN to a FortiGate unit running FortiOS v2.36, and for any Cisco gateways that only support legacy settings.
• Use the Default policy for a VPN to a FortiGate unit running FortiOS v2.50 or higher.

To modify the Legacy or Default policy settings

1 Go to VPN > Connections.
2 Select Add to add a new connection, or select Edit to edit an existing connection.
3 Select Advanced.
4 Under Policy, select Legacy or Default. The policy settings appear in the IKE and IPSec boxes. You can use the Legacy or Default policy as is. If you want to configure the detailed settings, continue with the next step.
5 Under Policy, select Config.
6 In the Connection Detailed Settings dialog box, configure the settings described in the following tables and select OK to save them. You can also select Legacy or Default to return to the original legacy or default settings.
Figure 4: Editing the detailed configuration settings
Table 1: FortiClient IKE settings (these correspond to the FortiGate phase 1 settings)

IKE Proposals   Add or delete encryption and authentication algorithms. The proposal list is used in the IKE negotiation between the FortiClient software and the remote FortiGate unit. The FortiClient software proposes the algorithm combinations in order, starting at the top of the list. The remote FortiGate gateway must use the same proposals.

Mode            Select either Main or Aggressive. Main mode provides an additional security feature called identity protection, which hides the identities of the VPN peers so that they cannot be discovered by passive eavesdroppers. Main mode requires the exchange of more messages than Aggressive mode. It is also difficult to use efficiently when a VPN peer uses its identity as part of the authentication process. When using Aggressive mode, the VPN peers exchange identifying information in the clear.

DH Group        Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.
                • When the VPN peers have static IP addresses and use aggressive mode, select a single matching DH group.
                • When the VPN peers use aggressive mode in a dialup configuration, select up to three DH groups for the dialup server and select one DH group for the dialup user (client or gateway).
                • When the VPN peers employ main mode, you can select multiple DH groups.

Key Life        Enter the number of seconds. The keylife is the amount of time in seconds before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The P1 proposal keylife can be from 120 to 172,800 seconds.

Local ID        If you are using peer IDs for authentication, enter the peer ID that FortiClient will use to authenticate itself to the remote FortiGate gateway. If you are using certificates for authentication, you can enter the local ID, which is the distinguished name (DN) of the local certificate. Note that there is no limit to how many FortiClient peers can use the same local ID.

Table 2: FortiClient IPSec settings (these correspond to the FortiGate phase 2 settings)

IPSec Proposals   Add or delete encryption and authentication algorithms. The remote FortiGate gateway must use the same proposals.

DH Group          Select one Diffie-Hellman group from DH group 1, 2, and 5. DH group 1 is the least secure and DH group 5 the most secure. You cannot select multiple DH groups. The remote FortiGate gateway must use the same DH group setting.

Key Life          Select either Seconds or KBytes for the keylife, or select both. The keylife causes the IPSec key to expire after a specified amount of time, after a specified number of kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of kbytes have been processed. When the key expires, a new key is generated without interrupting service. The P2 proposal keylife can be from 120 to 172,800 seconds or from 5120 to 2,147,483,648 kbytes.
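As an added example (not Fortinet's code), the following Python check applies the ranges and DH group rules from Tables 1 and 2 to a FortiClient IKE/IPSec configuration and compares it with the FortiGate phase 1 and phase 2 settings it has to match. The dictionary layout and the proposal names are assumptions made for this example; FortiClient keeps its settings in its own dialog boxes and policy files.

```python
# Constraints taken from Tables 1 and 2 of the guide.
P1_KEYLIFE_SEC = (120, 172_800)          # Table 1: P1 proposal keylife
P2_KEYLIFE_SEC = (120, 172_800)          # Table 2: P2 keylife in seconds
P2_KEYLIFE_KB = (5120, 2_147_483_648)    # Table 2: P2 keylife in kbytes
DH_GROUPS = {1, 2, 5}                    # groups FortiClient offers


def _in_range(value, bounds):
    low, high = bounds
    return low <= value <= high


def check_forticlient_vpn(client, gateway):
    """Return a list of problems; an empty list means the settings pass.

    The dict layout below is an assumption made for this example:
    client  : {"ike": {proposals, mode, dh_groups, keylife_sec},
               "ipsec": {proposals, dh_group, keylife_sec, keylife_kb}}
    gateway : {"phase1": {proposals, dh_groups},
               "phase2": {proposals, dh_group}}
    """
    problems = []
    ike, ipsec = client["ike"], client["ipsec"]
    p1, p2 = gateway["phase1"], gateway["phase2"]

    # --- IKE settings (Table 1) ---
    mode = ike["mode"]
    if mode not in ("main", "aggressive"):
        problems.append(f"IKE mode must be main or aggressive, got {mode!r}")
    groups = set(ike["dh_groups"])
    if not groups or not groups <= DH_GROUPS:
        problems.append("IKE DH groups must be one or more of 1, 2 and 5")
    elif mode == "aggressive" and len(groups) != 1:
        # Static peers need a single matching group; a dialup user selects one.
        problems.append("aggressive mode: select exactly one IKE DH group")
    if not groups & set(p1["dh_groups"]):
        problems.append("no IKE DH group in common with the FortiGate phase 1")
    if not _in_range(ike["keylife_sec"], P1_KEYLIFE_SEC):
        problems.append("IKE keylife must be 120..172800 seconds")
    # The gateway must use the same proposals; negotiation needs at least
    # one combination that both sides list.
    if not set(ike["proposals"]) & set(p1["proposals"]):
        problems.append("no IKE proposal in common with the FortiGate phase 1")

    # --- IPSec settings (Table 2) ---
    p2_group = ipsec["dh_group"]
    if isinstance(p2_group, (list, tuple, set)):
        problems.append("IPSec: you cannot select multiple DH groups")
    elif p2_group not in DH_GROUPS:
        problems.append("IPSec DH group must be one of 1, 2 or 5")
    elif p2_group != p2["dh_group"]:
        problems.append("IPSec DH group differs from the FortiGate phase 2")
    sec, kb = ipsec.get("keylife_sec"), ipsec.get("keylife_kb")
    if sec is None and kb is None:
        problems.append("IPSec keylife needs Seconds, KBytes or both")
    if sec is not None and not _in_range(sec, P2_KEYLIFE_SEC):
        problems.append("IPSec keylife seconds must be 120..172800")
    if kb is not None and not _in_range(kb, P2_KEYLIFE_KB):
        problems.append("IPSec keylife kbytes must be 5120..2147483648")
    if not set(ipsec["proposals"]) & set(p2["proposals"]):
        problems.append("no IPSec proposal in common with the FortiGate phase 2")
    return problems


# Constructed sample settings (illustrative values, not from a real unit).
CLIENT_OK = {
    "ike": {"proposals": ["3des-sha1", "aes128-md5"], "mode": "main",
            "dh_groups": [2, 5], "keylife_sec": 28800},
    "ipsec": {"proposals": ["3des-sha1"], "dh_group": 5,
              "keylife_sec": 1800, "keylife_kb": None},
}
# Aggressive mode with two groups, keylife too short, no common IKE
# proposal, wrong phase 2 group and kbytes keylife below the minimum.
CLIENT_BAD = {
    "ike": {"proposals": ["des-md5"], "mode": "aggressive",
            "dh_groups": [2, 5], "keylife_sec": 100},
    "ipsec": {"proposals": ["3des-sha1"], "dh_group": 2,
              "keylife_sec": 1800, "keylife_kb": 4096},
}
GATEWAY_OK = {
    "phase1": {"proposals": ["3des-sha1"], "dh_groups": [5]},
    "phase2": {"proposals": ["3des-sha1"], "dh_group": 5},
}

if __name__ == "__main__":
    print("good config:", check_forticlient_vpn(CLIENT_OK, GATEWAY_OK))
    for problem in check_forticlient_vpn(CLIENT_BAD, GATEWAY_OK):
        print("bad config:", problem)
```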
Table 3: FortiClient advanced VPN settings

Replay Detection      With replay detection, the FortiClient software checks the sequence number of every IPSec packet to see if it has been previously received. If the same packets exceed a specified sequence range, the FortiClient software discards them.

PFS                   Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever the keylife expires.

NAT Traversal         Enable this option if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. If you enable NAT traversal, you can set the keepalive frequency. NAT traversal is enabled by default.

Keepalive Frequency   If NAT Traversal is selected, enter the keepalive frequency in seconds. The keepalive frequency specifies how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until the IKE and IPSec keylife expires. The keepalive frequency can be from 0 to 900 seconds.

Autokey Keep Alive    Enable this option to keep the VPN connection open even if no data is being transferred.

Dead Peer Detection   Enable this option to clean up dead VPN connections and establish new VPN connections.

Configuring Virtual IP address acquisition

The FortiClient software supports two methods for virtual IP address acquisition: Dynamic Host Configuration Protocol (DHCP) over IPSec and manual entry.

Select the DHCP over IPSec option to allow the DHCP server in the remote network to dynamically assign an IP address to your FortiClient computer after the VPN connection is established.

Select the Manually Set option to manually specify a virtual IP address for your FortiClient computer. This virtual IP address must be an actual address in the remote network. You can also specify the DNS and WINS server IP addresses of the remote network.

For information about how to configure the FortiGate gateway, see the FortiGate Administration Guide and the FortiGate VPN Guide.

Note: If you are connecting to a v2.50 FortiGate gateway, you cannot set the virtual IP address to be in the same subnet as the remote network, because the v2.50 FortiGate gateway does not support proxy ARP. If you are connecting to a v2.80 FortiGate gateway, consult your network administrator for a proper virtual IP address.
Figure 5: Configuring virtual IP address acquisition

To configure virtual IP address acquisition

1 Go to VPN > Connections.
2 Select Add to add a new connection, or select Edit to edit an existing connection.
3 Select Advanced.
4 In the Advanced Settings dialog box, select Acquire virtual IP address.
5 Select Config.
6 Select Dynamic Host Configuration Protocol (DHCP) over IPSec or Manually Set. The default is DHCP.
7 If you select Manually Set, enter the IP address and subnet mask. Optionally, specify the DNS and WINS server IP addresses.
8 Select OK.

Configuring eXtended authentication (XAuth)

If the remote FortiGate unit is configured as an XAuth server, it requires the FortiClient software to provide a user name and password when a VPN connection is attempted. The user name and password are defined by the XAuth server. They can be saved as part of an advanced VPN configuration, or they can be entered manually every time a connection is attempted. For information about how to configure the XAuth server, see the FortiGate Administration Guide and the FortiGate VPN Guide.
Figure 6: Configuring eXtended authentication

To configure XAuth

1 Go to VPN > Connections.
2 Select Add to add a new connection, or select Edit to edit an existing connection.
3 Select Advanced.
4 In the Advanced Settings dialog box, select Config for eXtended Authentication.
5 In the Extended Authentication dialog box, do one of the following:
  • If you want to enter the login user name and password for each VPN connection, select Prompt to login. When prompted to log in, you can select the password saving option so that you do not have to enter the password the next time you are prompted to log in.
  • If you want to save the login user name and password, clear Prompt to login and enter the user name and password.
6 Select OK.

Monitoring VPN connections

Go to VPN > Monitor to view current VPN connection and traffic information.
Figure 7: VPN Monitor

For the current connection, you can view the following information.

Name             The name of the current VPN connection.
Local Gateway    The IP address of the local gateway (the FortiClient computer).
Remote           The IP address of the remote gateway (the FortiGate unit).
Time Out (sec)   The remaining lifetime of the VPN connection.

For the incoming VPN traffic, you can view the following information.

Packets          The number of packets received.
Bytes            The number of bytes received.
Encryption       The encryption algorithm and key.
Authentication   The authentication algorithm and key.

For the outgoing VPN traffic, you can view the following information.

Packets          The number of packets sent.
Bytes            The number of bytes sent.
Encryption       The encryption algorithm and key.
Authentication   The authentication algorithm and key.
Viewing the traffic summary

The traffic summary displays a graph of the incoming and outgoing VPN traffic. The left column displays incoming traffic and the right column displays outgoing traffic. The total number of incoming and outgoing bytes transferred is also displayed.

Note: When traffic is transferred over an open VPN connection, the FortiClient system tray icon changes to a traffic summary graph. The red column indicates incoming traffic; the green column indicates outgoing traffic.

Exporting and importing VPN policy files

You can export a VPN policy file to your local or network computer as a backup of the VPN configuration settings. If required, you can import this file back to your local FortiClient PC or to other FortiClient PCs.

To export a VPN policy file

1 Go to VPN > Connections.
2 Select the connection for which you want to export the VPN policy file.
3 Select Export.
4 Select a file folder and enter a file name.
5 Select Save.

To import a VPN policy file

1 Select Import.
2 Locate the file and select Open.

Note: If the imported file has the same name as an existing connection, it overwrites the existing connection.

Troubleshooting

Most connection failures are due to a configuration mismatch between the remote FortiGate unit and the FortiClient software. The following are some tips for troubleshooting a VPN connection failure:

• PING the remote FortiGate firewall from the FortiClient computer to verify that you have a working route between the two.
• Check the FortiClient software configuration. Some common FortiClient software configuration errors are listed in Table 4.
• Check the FortiGate firewall configuration. Some common FortiGate Antivirus Firewall configuration errors are listed in Table 5.
Table 4: Common FortiClient software configuration errors

Configuration Error                                                   Correction
Wrong remote network information.                                     Check the IP addresses of the remote gateway and network.
Wrong preshared key.                                                  Reenter the preshared key.
Wrong Aggressive Mode peer ID.                                        Reset to the correct Peer ID.
Mismatched IKE or IPSec proposal combination in the proposal lists.   Make sure both the FortiClient software and the remote FortiGate gateway use the same proposals.
Wrong or mismatched IKE or IPSec Diffie-Hellman group.                Make sure you select the correct DH group on both ends.
No Perfect Forward Secrecy (PFS) when it is required.                 Enable PFS.

Table 5: Common FortiGate Antivirus Firewall configuration errors

Configuration Error                                                   Correction
Wrong direction of the encryption policy. For example,                Change the policy to internal-to-external.
external-to-internal instead of internal-to-external.
Wrong firewall policy source and destination addresses.               Reenter the source and destination address.
Wrong order of the encryption policy in the firewall policy table.    The encryption policy must be placed above other non-encryption policies.

Starting up VPN before logging on to Windows

If you need to log on to a Windows domain through a VPN when you start up your Windows workstation, select the Start VPN before logging on to Windows option on the VPN > Connections page. The VPN tunnel starts before the Windows logon, so that the domain can authenticate you through the VPN tunnel.

Note: To use the VPN tunnel before you log on to a domain, you must activate a virtual adapter. Therefore, you must also use the virtual IP acquisition feature. See “Configuring Virtual IP address acquisition” on page 24.

Managing digital certificates

To use local or smartcard digital certificates, you need:

• a signed certificate,
• the certificate authority (CA) certificates for any CAs you are using,
• any applicable certificate revocation lists (CRLs).

Getting a signed local certificate

If you want to have a local certificate signed by the CA server and then import it into FortiClient, follow the steps below. The FortiClient software can use a manual, file-based enrollment method or the Simple Certificate Enrollment Protocol (SCEP) to get certificates. SCEP is simpler, but can only be used if the CA supports SCEP.
File-based enrollment requires copying and pasting text files from the local computer to the CA, and from the CA to the local computer. SCEP automates this process, but CRLs must still be manually copied and pasted between the CA and the local computer.

Note: The digital certificates must comply with the X.509 standard.

General steps to get a signed local certificate

1 Generate the local certificate request. See “To generate a local certificate request” on page 30.
2 Export the local certificate request to a .csr file. See “To export the local certificate request” on page 31.
3 Send the local certificate request to a CA. See “To send the certificate request to a CA” on page 32.
4 Retrieve the signed certificate from the CA. See “To retrieve the signed local certificate from the CA” on page 32.
5 Import the signed local certificate into FortiClient. You can also back up the certificate by exporting it. See “To import the signed local certificate” on page 32 and “To export the signed local certificate” on page 32.

Figure 8: Generating a local certificate request

To generate a local certificate request

1 Go to VPN > My Certificates.
2 Select Generate.
3 Enter a Certificate Name.
4 Under Subject Information, select the ID Type for the subject. You can select from domain name, email address, or IP address.
5 Enter the information for the ID type that you selected.

    Domain name     If you selected domain name, enter the fully qualified domain name of the FortiClient computer being certified.
    Email address   If you selected email address, enter the email address of the owner of the FortiClient computer being certified.
    IP address      If you selected IP address, enter the IP address of the FortiClient computer being certified.

6 Optionally, select Advanced and enter the advanced setting information.

    Email            Enter a contact email address for the FortiClient computer user.
    Department       Enter a name that identifies the department or unit within the organization requesting the certificate for the FortiClient computer (such as Manufacturing or MF).
    Company          Enter the legal name of the organization requesting the certificate for the FortiClient computer.
    City             Enter the name of the city or town where the FortiClient computer is located.
    State/Province   Enter the name of the state or province where the FortiClient computer is located.
    Country          Enter the name of the country where the FortiClient computer is located.

7 Select OK. The FortiClient software generates 1024-bit keys.
8 Select either File Based or Online SCEP as the enrollment method.
9 If you select file-based enrollment, the private/public key pair is generated and the certificate request is displayed in the My Certificates list with the type Request. Continue with “To export the local certificate request”.
10 If you select Online SCEP as the enrollment method, select an issuer CA from the list provided or enter the URL of the CA server. If the FortiClient computer uses a proxy server, you must configure the proxy server settings before you can use online SCEP. See “Configuring proxy server settings” on page 12.
11 Select OK to generate the private and public key pair and the certificate request. The FortiClient software:
   • submits the local certificate request,
   • retrieves and imports the signed local certificate,
   • retrieves and imports the CA certificate.
   The signed local certificate is displayed on the Local Certificates list with the type Certificate. The CA certificate is displayed on the CA Certificates list. The expiration dates of the certificates are listed in the Valid To column of each list. Continue with “Getting a CRL” on page 34.

To export the local certificate request

1 Go to VPN > My Certificates.
2 From the certificate list, select the local certificate request to export.
3 Select Export.
4 Name the file and save it in a directory on the FortiClient computer.

After exporting the certificate request, you can submit it to the CA so that the CA can sign the certificate.

To send the certificate request to a CA

1 On the FortiClient computer, open the local certificate request using a text editor.
2 Connect to the CA web server.
3 Follow the CA web server instructions to:
  • add a base64 encoded PKCS#10 certificate request to the CA web server,
  • paste the certificate request into the CA web server,
  • submit the certificate request to the CA web server.

To retrieve the signed local certificate from the CA

After you receive notification from the CA that it has signed the certificate request, connect to the CA web server and download the signed local certificate to the FortiClient computer.

To import the signed local certificate

1 Go to VPN > My Certificates.
2 Select Import.
3 Enter the path or browse to locate the signed local certificate on the FortiClient computer.
4 Select OK. The signed local certificate is displayed on the Local Certificates list with the type Certificate. The expiration date of the certificate is listed in the Valid To column.

To export the signed local certificate

1 Go to VPN > My Certificates.
2 Select the certificate and select Export.
3 In the Save As dialog box, select the folder where you want to save the file.
4 Enter a file name.
5 Select either PKCS7 or PKCS12. If you select PKCS12, you must enter a password.
6 Select Save.

Getting a signed smartcard certificate

If you are using a USB token (smartcard) certificate for authentication, you must also have the certificate signed by the CA server and install the signed certificate on your token. The following procedures use a Windows 2000 Advanced Server as an example.

Note: Current FortiClient releases support the Aladdin eToken PRO series USB tokens.
General steps to get a signed smartcard certificate

1 Send the certificate request to the CA server. See “To send a certificate request” on page 33.
2 Install the signed certificate on the token. See “To install a certificate” on page 33.

To send a certificate request

1 Log on to the CA server, for example, http://<CA_server>/certsrv.
2 Select Request a certificate, then select Next.
3 Select Advanced request, then select Next.
4 Select Submit a certificate request to this CA using a form.
5 In the request form:
  • Enter the identifying information.
  • For Intended Purpose, select Client Authentication Certificate.
  • For CSP, select eToken Base Cryptographic Provider.
  • Leave all other settings at their defaults.
6 Select Submit.
7 When prompted for the eToken password, enter the password. If you have not plugged the USB token into your computer’s USB port, you must do so now. The CA web page then reports that your certificate request has been received.

To install a certificate

1 Log on to the CA server once the certificate has been signed.
2 Select Checking on a pending certificate, then select Next.
3 Select the certificate request, then select Next.
4 Select Install this certificate to install the certificate on the USB token.

Getting a CA certificate

For the FortiClient software and the FortiGate gateway to authenticate themselves to each other, they must both have a CA certificate from the same CA. The FortiClient computer obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from the FortiClient computer.

Note: The CA certificate must comply with the X.509 standard.

To retrieve the CA certificate

1 Connect to the CA web server.
2 Follow the CA web server instructions to download the CA certificate.

To import the CA certificate

1 Go to VPN > CA Certificates.
2 Select Import.
3 Enter the path or browse to locate the CA certificate on the FortiClient computer.
4 Select OK. The CA certificate is displayed on the CA Certificates list. The expiration date of the certificate is listed in the Valid To column.

Getting a CRL

A CRL is a list of CA certificate subscribers paired with digital certificate status. The list contains the revoked certificates and the reason(s) for revocation. It also records the certificate issue dates and the CAs that issued them. The FortiClient software uses the CRL to ensure that the certificates belonging to the CA and the remote VPN peer are valid.

To retrieve the CRL

1 Connect to the CA web server.
2 Follow the CA web server instructions to download the CRL.

To import the CRL

1 Go to VPN > CRL.
2 Select Import.
3 Enter the path or browse to locate the CRL on the FortiClient computer.
4 Select OK. The CRL is displayed on the CRL list.

Antivirus

Using the FortiClient antivirus feature, you can protect your computer by regularly scanning it for viruses. The FortiClient software can also perform real-time virus protection and monitor Windows Registry changes.

Scanning for viruses

You can run a quick scan to detect the most malicious viruses and worms. You can also set up scan schedules and scan the files in a specified folder.
Figure 9: Scanning for viruses

To run a quick scan

1 Go to Antivirus > Scan.
2 Select Quick Scan. The Antivirus Scanning dialog box opens, displaying the scanning progress and results.
3 To stop the scanning process, select Stop.
4 To view the detailed summary of the scanning process after the scan is finished, select View Result. The infected file list displays the names of any infected files.

Depending on the option you choose on the Antivirus Settings tab, the FortiClient software does one of the following when it finds a virus:

• Displays a virus alert message.
• Quarantines the virus-infected file.
• Cleans the virus-infected file.

For information about how to configure what happens when the FortiClient software finds a virus, see “Configuring antivirus settings” on page 36.

To scan files in a specified directory

1 Under File System Scan, select Browse to locate the directory to scan.
2 Select Scan Now.