Hello everyone! This article continues our review of the VPN functionality in the Sophos XG Firewall product. Earlier
First, let's look at the licensing table:
You can read more about how Sophos XG Firewall is licensed here:
But in this article we are only interested in the items highlighted in red.
The core VPN functionality is included in the base license and is purchased only once. This license is perpetual and does not require renewal. The set of VPN options in the Base license includes:
Site-to-Site:
- SSL VPN
- IPSec VPN
Remote Access (client VPN):
- SSL VPN
- IPsec VPN (with a free native client)
- L2TP
- PPTP
As you can see, all the well-known protocols and types of VPN connections are supported.
In addition, Sophos XG Firewall has two more types of VPN connection that are not included in the base subscription. These are RED VPN and HTML5 VPN. These VPN connections are included in the Network Protection subscription, which means that to use them you must have an active subscription that also covers the network protection functions, the IPS and ATP modules.
RED VPN is a proprietary L2 VPN from Sophos. This type of VPN connection has several advantages over Site-to-Site SSL or IPSec when building a VPN between two XG units. Unlike IPSec, a RED tunnel creates a virtual interface at both ends of the tunnel, which helps with troubleshooting, and unlike SSL, this virtual interface is fully configurable. The administrator has full control over the subnets inside the RED tunnel, which simplifies solving routing problems and subnet conflicts.
HTML5 VPN, or clientless VPN, is a special type of VPN that lets you publish services over HTML5 directly in the browser. The types of services that can be configured:
- RDP
- Telnet
- SSH
- VNC
- FTP
- FTPS
- SFTP
- SMB
It is worth noting, however, that this type of VPN is used only in special cases, and where possible it is recommended to use one of the VPN types from the list above.
Practice
Let's look at how to configure the most common of these tunnels, namely Site-to-Site IPSec and Remote Access SSL VPN.
Site-to-Site IPSec VPN
Let's start with how to set up a Site-to-Site IPSec VPN tunnel between two Sophos XG Firewalls. Under the hood it uses strongSwan, which lets you connect to any router that supports IPSec.
You can use the convenient quick setup wizard, but we will take the general route so that, based on these instructions, you can connect Sophos XG to any equipment using IPSec.
Let's open the policy settings window:
As we can see, there are preset policies, but we will create our own.
Set the encryption parameters for phase one and phase two and save the policy. In the same way, perform the same steps on the second Sophos XG and move on to setting up the IPSec tunnel itself.
Enter the name and the operating mode, and set the encryption parameters. For our example we will use a Preshared Key
and specify the local and remote networks.
Our connection is created.
In the same way, we make the same settings on the second Sophos XG, except for the operating mode: there we set Initiate the connection.
Now we have two tunnels configured. Next, we need to enable them and start them. This is done simply: click the red circle under Active to enable, and the red circle under Connection to start the connection.
If we see this picture:
it means our tunnel is working correctly. If the second indicator is red or yellow, then something was configured incorrectly in the encryption policy or in the local and remote networks. Let me remind you that the settings must be mirrored.
Separately, I want to point out that you can create Failover groups from IPSec tunnels for fault tolerance:
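To make "mirrored" concrete, here is an added consistency check (not part of the original article and not Sophos code) that compares two site-to-site endpoint definitions the way the two XG units must agree: same phase 1 and phase 2 proposals, same preshared key, local and remote networks swapped, gateways cross-referenced, and exactly one initiator. The field names and the sample endpoints are assumptions constructed for the example.

```python
"""Consistency check for a pair of site-to-site IPsec endpoint definitions.

Added example, not from the original article or from Sophos. The field
names (psk, phase1, phase2, local_nets, remote_nets, mode) are assumed;
the sample endpoints below are constructed, not real configurations.
"""
from typing import Any, Dict, List


def check_mirrored(a: Dict[str, Any], b: Dict[str, Any]) -> List[str]:
    """Return a list of mismatches that would leave the tunnel red or yellow."""
    problems: List[str] = []
    # Both peers must use the same phase 1 (IKE) and phase 2 (IPsec) proposals.
    for phase in ("phase1", "phase2"):
        if a[phase] != b[phase]:
            problems.append(f"{phase} proposal differs: {a[phase]} vs {b[phase]}")
    # The preshared key must be identical on both ends.
    if a["psk"] != b["psk"]:
        problems.append("preshared key differs")
    # Local networks of one side must be the remote networks of the other.
    if set(a["local_nets"]) != set(b["remote_nets"]):
        problems.append("A.local_nets != B.remote_nets")
    if set(a["remote_nets"]) != set(b["local_nets"]):
        problems.append("A.remote_nets != B.local_nets")
    # Gateway addresses must be cross-referenced the same way.
    if a["local_gw"] != b["remote_gw"] or a["remote_gw"] != b["local_gw"]:
        problems.append("gateway addresses are not cross-referenced")
    # Exactly one side should initiate; the other should respond only.
    modes = {a["mode"], b["mode"]}
    if modes != {"initiate", "respond_only"}:
        problems.append(f"expected one initiator and one responder, got {sorted(modes)}")
    return problems


# Constructed sample: head office (A) and branch (B), documentation addresses.
SITE_A = {"local_gw": "203.0.113.1", "remote_gw": "198.51.100.1",
          "local_nets": ["10.1.0.0/24"], "remote_nets": ["10.2.0.0/24"],
          "phase1": "aes256-sha256-modp2048", "phase2": "aes256-sha256",
          "psk": "example-psk", "mode": "respond_only"}
SITE_B = {"local_gw": "198.51.100.1", "remote_gw": "203.0.113.1",
          "local_nets": ["10.2.0.0/24"], "remote_nets": ["10.1.0.0/24"],
          "phase1": "aes256-sha256-modp2048", "phase2": "aes256-sha256",
          "psk": "example-psk", "mode": "initiate"}
# A typical mistake: a different phase 2 proposal saved on the branch side.
SITE_B_BAD = dict(SITE_B, phase2="aes128-sha1")

if __name__ == "__main__":
    print(check_mirrored(SITE_A, SITE_B))      # []
    print(check_mirrored(SITE_A, SITE_B_BAD))  # one phase2 mismatch
```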
Remote Access SSL VPN
Let's move on to Remote Access SSL VPN for users. Under the hood is standard OpenVPN. This lets users connect with any client that supports .ovpn configuration files (for example, the standard OpenVPN client).
First, you need to configure the OpenVPN server policy:
Specify the transport for the connection, set the port, and the range of IP addresses for connecting remote users.
You can also set the encryption settings.
After setting up the server, we move on to setting up the client connections.
Each SSL VPN connection policy is created for a group or for an individual user. Each user can have only one connection policy. As for the settings, what is interesting is that in each such rule you can specify the users who will use this policy, or a group from AD; you can tick the box so that all traffic is wrapped into the VPN tunnel, or specify the IP addresses, subnets or FQDNs that are available to the users. Based on this policy, an .ovpn profile with the settings for the client will be generated automatically.
Through the user portal, the user can download either the .ovpn file with the settings for the VPN client, or the VPN client installer with the connection configuration file built in.
Conclusion
In this article we briefly reviewed the VPN functionality of the Sophos XG Firewall product. We looked at how to configure an IPSec VPN and an SSL VPN. This is not a complete list of what this solution can do. In upcoming articles I will try to review RED VPN and show what it looks like in the solution itself.
Thank you for your time.
If you have any questions about the commercial version of XG Firewall, you can contact us, the company
source: www.habr.com