Muna ci gaba da jerin labaran mu game da NGFW don ƙananan kasuwanci, bari in tunatar da ku cewa muna nazarin sabon jerin samfurin 1500. IN sake zagayowar, Na ambaci ɗayan zaɓuɓɓukan da suka fi amfani lokacin siyan na'urar SMB - wadatar ƙofofin tare da ginanniyar lasisin shiga Wayar hannu (daga masu amfani 100 zuwa 200, dangane da ƙirar). A cikin wannan labarin za mu dubi kafa VPN don jerin ƙofofin ƙofofin 1500 waɗanda suka zo tare da Gaia 80.20 da aka riga aka shigar. Ga taƙaitaccen bayani:
- Ayyukan VPN don SMB.
- Ƙungiya na Samun Nesa don ƙaramin ofis.
- Akwai abokan ciniki don haɗi.
1. Zaɓuɓɓukan VPN don SMB
Domin shirya kayan yau, jami'in sigar R80.20.05 (a halin yanzu a lokacin buga labarin). Saboda haka, dangane da VPN tare da Gaia 80.20 Embedded akwai tallafi don:
- Wurin-Zuwa-Shafi. Ƙirƙirar ramukan VPN tsakanin ofisoshin ku, inda masu amfani za su iya aiki kamar suna kan hanyar sadarwa "na gida".
- Samun Nisa. Haɗi mai nisa zuwa albarkatun ofis ɗin ku ta amfani da na'urorin ƙarshen masu amfani (kwamfutoci, wayoyin hannu, da sauransu). Bugu da ƙari, akwai SSL Network Extender, yana ba ku damar buga aikace-aikacen mutum ɗaya da gudanar da su ta amfani da Java Applet, haɗa ta SSL. Note: kar a ruɗe da Tashar Tashar Hannu ta Waya (babu tallafi ga Gaia Embedded).
bugu da žari Ina ba da shawarar kwas ɗin marubucin TS Solution - yana bayyana fasahar Check Point game da VPN, yana taɓa batutuwan lasisi kuma ya ƙunshi cikakkun umarnin saitin.
2. Nesa shiga don ƙananan ofis
Za mu fara tsara hanyar sadarwa mai nisa zuwa ofishin ku:
- Domin masu amfani su gina rami na VPN tare da ƙofa, kuna buƙatar samun adireshin IP na jama'a. Idan kun riga kun gama saitin farko ( daga sake zagayowar), to, a matsayin mai mulkin, External Link ya riga ya aiki. Ana iya samun bayanai ta hanyar zuwa Gaia Portal: Na'ura → Network → Intanet
Idan kamfanin ku yana amfani da adireshin IP na jama'a mai ƙarfi, to zaku iya saita Dynamic DNS. Je zuwa Na'ura → DDNS & Samun Na'ura
A halin yanzu akwai tallafi daga masu samarwa guda biyu: DynDns da no-ip.com. Don kunna zaɓin kuna buƙatar shigar da takaddun shaidarku (shiga, kalmar sirri).
- Na gaba, bari mu ƙirƙiri asusun mai amfani, zai zama da amfani don gwada saitunan: VPN → Samun Nesa → Masu amfani da Nisa
A cikin rukuni (misali: nesantaka) za mu ƙirƙiri mai amfani da bin umarnin da ke cikin hoton. Ƙirƙirar asusu daidaitaccen tsari ne, saita shiga da kalmar sirri, sannan kuma ba da damar zaɓin izinin shiga Nesa.
Idan kun yi nasarar aiwatar da saitunan, abubuwa biyu yakamata su bayyana: mai amfani na gida, ƙungiyar masu amfani na gida.
- Mataki na gaba shine zuwa VPN → Samun Nesa → Sarrafa ruwa. Tabbatar cewa an kunna ruwan ku kuma an ba da izinin zirga-zirga daga masu amfani da nesa.
- *Abin da ke sama shine mafi ƙanƙancin saiti na matakai don saita shiga Nesa. Amma kafin mu gwada haɗin, bari mu bincika saitunan ci gaba ta zuwa shafin VPN → Samun Nesa → Na ci gaba
Dangane da saitunan na yanzu, muna ganin cewa lokacin da masu amfani da nesa suka haɗa, za su karɓi adireshin IP daga cibiyar sadarwar 172.16.11.0/24, godiya ga zaɓin Yanayin Office. Wannan ya isa tare da ajiyar don amfani da lasisin gasa 200 (wanda aka nuna don 1590 NGFW Check Point).
Zaɓi "Hanyar zirga-zirgar Intanet daga abokan cinikin da aka haɗa ta wannan ƙofar" na zaɓi ne kuma yana da alhakin tafiyar da duk zirga-zirga daga mai amfani da nesa ta hanyar ƙofar (ciki har da haɗin Intanet). Wannan yana ba ku damar bincika zirga-zirgar mai amfani da kare wurin aikinsa daga barazana da malware daban-daban.
- * Yin aiki tare da manufofin samun dama don Samun Nisa
Bayan mun saita hanyar shiga nesa, an ƙirƙiri wata doka ta atomatik a matakin Firewall, don duba ta kuna buƙatar zuwa shafin: Hanyar shiga → Firewall → Policy
A wannan yanayin, masu amfani da nesa waɗanda ke cikin ƙungiyar da aka ƙirƙira a baya za su iya samun damar duk albarkatun cikin gida na kamfanin; lura cewa dokar tana cikin sashin gaba ɗaya. "Tsarin shigowa, Ciki da VPN". Domin ba da damar zirga-zirgar mai amfani da VPN zuwa Intanet, kuna buƙatar ƙirƙirar wata doka daban a cikin sashin gabaɗaya "Samun damar Intanet mai fita".
-
A ƙarshe, kawai muna buƙatar tabbatar da cewa mai amfani zai iya samun nasarar ƙirƙirar rami na VPN zuwa ƙofar NGFW ɗinmu kuma samun damar yin amfani da albarkatun cikin gida na kamfanin. Don yin wannan, kuna buƙatar shigar da abokin ciniki na VPN akan mai watsa shiri da ake gwadawa, ana ba da taimako Don lodawa. Bayan shigarwa, kuna buƙatar aiwatar da daidaitaccen tsari don ƙara sabon rukunin yanar gizo (nuna adireshin IP na jama'a na ƙofar ku). Don saukakawa, ana gabatar da tsarin a cikin tsarin GIF
Lokacin da aka riga an kafa haɗin, bari mu bincika adireshin IP ɗin da aka karɓa akan na'ura mai watsa shiri ta amfani da umarni a CMD: ipconfig
Mun tabbatar da cewa adaftar hanyar sadarwa ta kama-da-wane ta sami adireshin IP daga Yanayin Office na NGFW, an aika fakiti cikin nasara. Don kammala, za mu iya zuwa Gaia Portal: VPN → Samun Nesa → Masu amfani mai nisa da aka haɗa
Ana nuna mai amfani "ntuser" kamar yadda aka haɗa, bari mu duba shiga taron ta zuwa Logs & Sa ido → Rajistar Tsaro
An shigar da haɗin haɗin ta amfani da adireshin IP azaman tushen: 172.16.10.1 - wannan shine adireshin da mai amfani da mu ya karɓa ta Yanayin Office.
3. Abokan ciniki masu goyan baya don Samun Nisa
Bayan mun sake nazarin hanyar kafa hanyar haɗi mai nisa zuwa ofishin ku ta amfani da NGFW Check Point na dangin SMB, Ina so in rubuta game da tallafin abokin ciniki na na'urori daban-daban:
- Abokin Wayar hannu ( / )
- Abokin Asalin L2TP (Check Point yana da'awar goyan bayan ƙa'idar VPN ta asali ta Microsoft).
Daban-daban tsarin aiki da na'urori masu goyan baya za su ba ku damar cin gajiyar lasisin ku wanda ya zo tare da NGFW. Domin saita na'ura daban akwai zaɓi mai dacewa "Yadda ake haɗawa"
Yana haifar da matakai ta atomatik bisa ga saitunanku, wanda zai ba masu gudanarwa damar shigar da sababbin abokan ciniki ba tare da wata matsala ba.
Kammalawa: Don taƙaita wannan labarin, mun kalli iyawar VPN na dangin NGFW Check Point SMB. Bayan haka, mun bayyana matakan kafa Remote Access, dangane da haɗin nesa na masu amfani da ofishin, sannan mu yi nazarin kayan aikin sa ido. A ƙarshen labarin mun yi magana game da samuwa abokan ciniki da zaɓuɓɓukan haɗin kai don Samun Nisa. Don haka, ofishin reshe na ku zai iya tabbatar da ci gaba da tsaro na aikin ma'aikata ta amfani da fasahar VPN, duk da barazanar da dalilai na waje daban-daban.
. Ku kasance da mu (, , , , ).
source: www.habr.com