
chun 2011-10-17 11:16

[轉貼]fortigate FG V4.0 LDAP VPN配置实例!

<p><a href="http://www.fortinet.org.cn/Support/1148.html">http://www.fortinet.org.cn/Support/1148.html</a></p><p>&nbsp;</p><h1>飞塔FG V4.0 LDAP VPN配置实例!</h1><p>
</p><div class="times">2011-06-02 15:24:50   来源:<a href="http://www.fortinet.org.cn/" target="_blank"><font color="#000080">FORTINET</font></a>   作者:<a href="mailto:"><font color="#000080">陶跃海</font></a>   点击数:
</div><p>
</p><div id="textbody" class="content">
<p> <span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>首先感谢</span><span lang="EN-US">FortiNet </span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>超级技术群的</span><span lang="EN-US">Vince </span><span style='font-family: Wingdings; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-char-type: symbol; mso-symbol-font-family: Wingdings;' lang="EN-US"><span style="mso-char-type: symbol; mso-symbol-font-family: Wingdings;">J</span></span></p>
<p class="MsoNormal"><span lang="EN-US"><O:p> </O:p></span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>之前</span><span lang="EN-US">beta</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>版本文档我已经删了,是因为一直在做从内到外的认证测试没有实际用</span><span lang="EN-US">VPN</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>测试。现在</span><span lang="EN-US">LDAP</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>可以正常使用了。</span></p>
<p class="MsoNormal">  </p>
<p class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>实验环境:</span><span lang="EN-US"><O:p></O:p></span></p>
<p class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>防火墙</span><span lang="EN-US">FG200B</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>,系统为</span><span lang="EN-US">V4.0,build0313,110301 (MR2 Patch 4)</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>活动目录</span><span lang="EN-US">DC</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>,系统为</span><span lang="EN-US">Windows Server 2008 R2</span></p>
<p class="MsoNormal"> <span lang="EN-US"><O:p> </O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='mso-fareast-font-family: "Times New Roman";' lang="EN-US"><span style="mso-list: Ignore;">1、<span style='font: 7pt/normal "Times New Roman"; font-size-adjust: none; font-stretch: normal;'>  
</span></span></span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>依次展开设置用户→远程→</span><span lang="EN-US">LDAP</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>并新建</span><span lang="EN-US"><O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='mso-fareast-font-family: "Times New Roman";' lang="EN-US"><span style="mso-list: Ignore;">2、<span style='font: 7pt/normal "Times New Roman"; font-size-adjust: none; font-stretch: normal;'>  
</span></span></span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>名称随意,这里是</span><span lang="EN-US">test<O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='mso-fareast-font-family: "Times New Roman";' lang="EN-US"><span style="mso-list: Ignore;">3、<span style='font: 7pt/normal "Times New Roman"; font-size-adjust: none; font-stretch: normal;'>  
</span></span></span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>服务器</span><span lang="EN-US">IP</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>为</span><span lang="EN-US">DC</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>的</span><span lang="EN-US">IP</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>地址</span><span lang="EN-US"><O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='mso-fareast-font-family: "Times New Roman";' lang="EN-US"><span style="mso-list: Ignore;">4、<span style='font: 7pt/normal "Times New Roman"; font-size-adjust: none; font-stretch: normal;'>  
</span></span></span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>端口为默认</span><span lang="EN-US">389</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>(389 为明文 LDAP,绑定账号的密码会以明文在网络上传输;生产环境建议改用 LDAPS(636 端口)进行加密连接)</span><span lang="EN-US"><O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='mso-fareast-font-family: "Times New Roman";' lang="EN-US"><span style="mso-list: Ignore;">5、<span style='font: 7pt/normal "Times New Roman"; font-size-adjust: none; font-stretch: normal;'>  
</span></span></span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>普通名称为</span><span lang="EN-US">cn<O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='mso-fareast-font-family: "Times New Roman";' lang="EN-US"><span style="mso-list: Ignore;">6、<span style='font: 7pt/normal "Times New Roman"; font-size-adjust: none; font-stretch: normal;'>  
</span></span></span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>标示名称格式为</span><span lang="EN-US">DC=test,DC=com</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>,假设</span><span lang="EN-US">FQDN</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>为</span><span lang="EN-US">baidu.com</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>,这里的格式就是</span><span lang="EN-US">DC=baidu,DC=com</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>,按照实际域名为准</span><span lang="EN-US"><O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='mso-fareast-font-family: "Times New Roman";' lang="EN-US"><span style="mso-list: Ignore;">7、<span style='font: 7pt/normal "Times New Roman"; font-size-adjust: none; font-stretch: normal;'>  
</span></span></span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>类型为常规</span><span lang="EN-US"><O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='mso-fareast-font-family: "Times New Roman";' lang="EN-US"><span style="mso-list: Ignore;">8、<span style='font: 7pt/normal "Times New Roman"; font-size-adjust: none; font-stretch: normal;'>  
</span></span></span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>这里需要输入一个域中有可读权限的用户,一般输入域管理员即可,格式为</span><span lang="EN-US">administrator@test.com</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>,并输入密码(按最小权限原则,建议使用一个仅有目录读取权限的专用绑定账号,而不要直接使用域管理员账号)</span><span lang="EN-US"><O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='mso-fareast-font-family: "Times New Roman";' lang="EN-US"><span style="mso-list: Ignore;">9、<span style='font: 7pt/normal "Times New Roman"; font-size-adjust: none; font-stretch: normal;'>  
</span></span></span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>点击查询</span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN1.jpg" src="http://www.fortinet.org.cn/d/file/Support/3f9e0b296dac200c91d409c20c62b1b6.jpg" width="580" height="352"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> 查询后的结果:</p>
<p class="MsoNormal"><span lang="EN-US"><O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN2.jpg" src="http://www.fortinet.org.cn/d/file/Support/9371803544c890e0520d96a9cf482b3d.jpg" width="580" height="409"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>我们可以看到能读出</span><span lang="EN-US">AD</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>中相应的参数</span><span lang="EN-US"><O:p></O:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><O:p> </O:p></span></p>
<p class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>接着依次展开设置用户→设置用户→设置用户并新建:</span><span lang="EN-US"><O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>名称随意,点选</span><span lang="EN-US">LDAP server</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>并选择刚才建立的名为</span><span lang="EN-US">test</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>的认证</span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN3.jpg" src="http://www.fortinet.org.cn/d/file/Support/05ca7a1667347d6dffc783b968a8f6d1.jpg" width="580" height="233"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>接着依次展开设置用户→用户组→用户组并新建</span><span lang="EN-US"><O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>名称随意,类别防火墙,加入刚才建立的用户</span><span lang="EN-US">test</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>,下面的远端服务器选择最初建立的</span><span lang="EN-US">LDAP</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>认证服务器也就是最初的</span><span lang="EN-US">test</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>,后面选择</span><span lang="EN-US">Any</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>(如需允许该组通过 SSL-VPN 接入,还要勾选对应的 SSL-VPN 选项)</span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN4.jpg" src="http://www.fortinet.org.cn/d/file/Support/9faf458c866b44955b1bcf13d7ee4190.jpg" width="580" height="330"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>至此,</span><span lang="EN-US">LDAP</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>的认证和用户、用户组建立完毕,剩下的就是做针对</span><span lang="EN-US">SSLVPN</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>的相关配置了。</span><span lang="EN-US"><O:p></O:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><O:p> </O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>依次展开防火墙→地址→地址并新建名为</span><span lang="EN-US">VPN user</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>的地址范围</span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN6.jpg" src="http://www.fortinet.org.cn/d/file/Support/7b095c52bcf258a42b93f64d3a8af1c5.jpg" width="556" height="195"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>依次展开虚拟专网→</span><span lang="EN-US">SSL</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>→设置并勾选启用</span><span lang="EN-US">SSL-VPN</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>,</span><span lang="EN-US">IP</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>池选择刚建立的地址填写</span><span lang="EN-US">DNS</span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN7.jpg" src="http://www.fortinet.org.cn/d/file/Support/96b2f03839332bb55d00a243c0a89963.jpg" width="580" height="368"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>再打开界面,选择</span><span lang="EN-US">setting</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>勾选相应的协议:</span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN8.jpg" src="http://www.fortinet.org.cn/d/file/Support/8ed6d40beb2f838b358c57ba9363a844.jpg" width="504" height="255"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal">在右侧点击增加部件并选择通道模式</p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN9.jpg" src="http://www.fortinet.org.cn/d/file/Support/aa594f2eb26800336e5f61d1ba6a97fc.jpg" width="131" height="148"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal">设置通道模式</p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN10.jpg" src="http://www.fortinet.org.cn/d/file/Support/129ffb8b5f75d2143edac011c04a9c88.jpg" width="369" height="300"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>最后再建立一条地址段,此地址段为</span><span lang="EN-US">VPN</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>客户端接入之后需要与之通讯的网段,我们内网为</span><span lang="EN-US">1.0</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>网段,我们就建立一条</span><span lang="EN-US">1.0</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>的网段:</span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN11.jpg" src="http://www.fortinet.org.cn/d/file/Support/87c7374c8a06132d51f5019f44cad8a8.jpg" width="556" height="187"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>建立</span><span lang="EN-US">SSL VPN</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>策略:</span><span lang="EN-US"><O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>从外部到内部,目的地址为刚才建立的内网</span><span lang="EN-US">1.0</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>网段,动作为</span><span lang="EN-US">SSL-VPN</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>,勾选用户认证,添加之前建立的</span><span lang="EN-US">VPN</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>组并赋予</span><span lang="EN-US">any</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>的可用服务(测试通过后应按实际需要把服务收窄到所需端口,不建议长期保留 any)</span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN12.jpg" src="http://www.fortinet.org.cn/d/file/Support/0af4633d3293cdec39aa3b722ad988ea.jpg" width="580" height="342"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>我们之前做了通道分割所以这里我们还要建立两条策略:</span><span lang="EN-US"><O:p></O:p></span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>通道模式是通过虚拟接口</span><span lang="EN-US">“ssl.root”</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>来与内网通讯的,所以要设置</span><span lang="EN-US">SSL.root</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>与其他接口之间的策略,策略的动作是</span><span lang="EN-US">Accept</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>即可。</span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN13.jpg" src="http://www.fortinet.org.cn/d/file/Support/743cdf9ba24bc2c82b506f5554e24ff9.jpg" width="580" height="82"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>我们还需要对路由进行调整,添加一条到</span><span lang="EN-US">ssl.root</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>的静态路由:</span></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> </p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"><img alt="LDAP VPN14.jpg" src="http://www.fortinet.org.cn/d/file/Support/d1e48f10ec0e958f7596b2a206ea1a77.jpg" width="580" height="20"></p>
<p style="text-indent: -18pt; margin-left: 18pt; mso-list: l0 level1 lfo1; tab-stops: list 18.0pt;" class="MsoNormal"> <span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>在完成以上步骤后,用户就可以实现登录了,输入</span><span lang="EN-US"><a href="https://接口ip:10443/" target="_parent"><font color="#000080">https://接口ip:10443</font></a></span></p>
<p class="MsoNormal"><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>注意端口缺省为</span><span lang="EN-US">10443</span><span style='font-family: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman";'>,该端口可以在系统管理→管理员设置→设置中更改,输入一个有效的域用户名和密码即可登录。注:第一次登录时浏览器需要安装客户端。</span></p>
<p class="MsoNormal"> </p></div>