Despite the many advantages of Palo Alto Networks firewalls, RuNet has had almost no material on setting up these devices and no posts describing real implementation experience. We decided to summarize what we accumulated while working with this vendor's equipment and to describe the features we ran into while delivering various projects.
As an introduction to Palo Alto Networks, this article describes the configuration needed to solve one of the most common tasks given to a firewall: SSL VPN for remote access. Along the way it covers the general firewall configuration, user identification, applications, and the auxiliary features that security policies rely on. If readers find the topic interesting, we plan to release further material on site-to-site VPN, dynamic routing, and centralized management with Panorama.
Palo Alto Networks firewalls use a number of innovative technologies such as App-ID, User-ID and Content-ID, and these features are what provide the high level of security. With App-ID, application traffic is identified from signatures, decoders and heuristics regardless of the ports and protocols in use, including inside SSL tunnels. With User-ID, network users are identified through LDAP integration. With Content-ID, traffic is scanned so that transferred files and their content can be identified. Other firewall features include intrusion prevention, protection against vulnerability exploitation and DoS attacks, built-in anti-spyware, URL filtering, clustering and centralized management.
For the demonstration we use an isolated stand whose configuration matches the real one except for the device name, the AD domain name and the IP addresses. In reality everything is more complex: there may be many branch offices, in which case a cluster rather than a single firewall is installed at the border of the central site, and dynamic routing may be required.
The stand runs PAN-OS 7.1.9. As a typical setup, consider a network with a Palo Alto Networks firewall at the edge. The firewall provides remote SSL VPN access to the head office, and an Active Directory domain serves as the user database (Figure 1).
Figure 1 – Network block diagram
Setup steps:
- Pre-configuration of the device: name, management IP address, static routes, administrator account, management profiles
- Installing licenses, configuring and installing updates
- Configuring security zones, network interfaces, traffic policies and address translation
- Configuring the LDAP authentication profile and the user identification feature
- Setting up the SSL VPN
1. Pre-configuration
The main tool for configuring a Palo Alto Networks firewall is the web interface; management through the CLI is also possible. By default the management interface has the IP address 192.168.1.1/24, login: admin, password: admin.
To change the address, connect to the web interface from the same network or use the command set deviceconfig system ip-address <> netmask <>, which is executed in configuration mode; the command configure switches to that mode. Any change on the firewall takes effect only after the configuration is confirmed with the commit command, both in CLI mode and in the web interface.
Settings are changed in the web interface in the sections Device -> General Settings and Device -> Management Interface Settings. The name, banner, time zone and similar settings are configured in the General Settings section (Figure 2).
Figure 2 – Management interface parameters
When a virtual firewall is used in an ESXi environment, you must either enable the use of the MAC addresses assigned by the hypervisor in the General Settings section, or configure on the hypervisor the MAC addresses specified on the firewall interfaces, or change the virtual switch settings so that MAC address changes are allowed. Otherwise traffic will not pass.
The management interface is configured separately and does not appear in the list of network interfaces. The default gateway of the management interface is specified in the Management Interface Settings section. Other static routes are configured in the Virtual Router section, which is described later.
To allow access to the device through other interfaces, create a management profile in the section Network -> Network Profiles -> Interface Management and assign it to the appropriate interfaces.
Next, DNS and NTP must be configured in the section Device -> Services so that the firewall can receive updates and show the correct time (Figure 3). By default, all traffic generated by the firewall uses the management interface IP address as its source address; a different interface can be assigned to specific services in the Service Route Configuration section.
Figure 3 – DNS, NTP and system service route parameters
2. Installing licenses, configuring and installing updates
Licenses must be installed for all firewall features to work fully. A trial license can be obtained by requesting one from a Palo Alto Networks partner; it is valid for 30 days. Licenses are activated with a file or an authorization code and are managed in the section Device -> Licenses (Figure 4).
After the licenses are installed, configure the installation of updates in the section Device -> Dynamic Updates.
In the section Device -> Software a new version of PAN-OS can be downloaded and installed.
Figure 4 – License control panel
3. Configuring security zones, network interfaces, traffic policies and address translation
Palo Alto Networks firewalls use zone logic when network rules are configured: a network interface is assigned to a particular zone, and that zone is what the traffic rules refer to. With this approach, when the interface layout changes in the future, the necessary interfaces are simply reassigned to the appropriate zones instead of the traffic rules being rewritten. By default, traffic within a zone is allowed and traffic between zones is denied; the predefined rules intrazone-default and interzone-default implement this.
Figure 5 – Security zones
In this example the interface on the internal network is assigned to the zone internal, the interface facing the Internet to the zone external, and for the SSL VPN a tunnel interface is created and assigned to the zone VPN (Figure 5).
The network interfaces of a Palo Alto Networks firewall can operate in the following modes:
- Tap – used to collect traffic for monitoring and analysis
- HA – used for cluster operation
- Virtual Wire – in this mode Palo Alto Networks pairs two interfaces and passes traffic transparently between them without changing MAC or IP addresses
- Layer2 – switch mode
- Layer3 – router mode
Figure 6 – Configuring the interface operating mode
This example uses Layer3 mode (Figure 6). The network interface parameters specify the IP address, the operating mode and the corresponding security zone. Besides the operating mode, the interface must be assigned to a Virtual Router, which is the Palo Alto Networks equivalent of a VRF instance: virtual routers are isolated from each other and have their own routing tables and routing protocol settings.
The virtual router settings hold the static routes and the routing protocol settings. In this example only a default route for reaching external networks is created (Figure 7).
Figure 7 – Virtual router setup
The next configuration stage is the traffic policies in the section Policies -> Security. An example configuration is shown in Figure 8. The rule logic is the same as on any firewall: rules are checked from top to bottom until the first match. Brief description of the rules:
1. Web portal access for SSL VPN – allows access to the web portal so that remote connections can authenticate.
2. VPN traffic – allows traffic between remote connections and the head office.
3. Basic Internet – allows the applications DNS, ping, traceroute and ntp. The firewall allows applications based on signatures, decoders and heuristics rather than on port numbers and protocols, which is why the Service field says application-default: the default ports and protocols of that application.
4. Web access – allows Internet access over the HTTP and HTTPS protocols without application control.
5, 6. Default rules for all other traffic.
Figure 8 – Example network rule configuration
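The following is an added example, not code from the article or from Palo Alto Networks, that models the policy behaviour described above: interfaces are mapped to zones, rules refer only to zones, the rulebase is searched top-down until the first match, application-default restricts an application to its standard ports, and an unmatched session falls through to intrazone-default (allow) or interzone-default (deny). The interface names, zone names, application port table and rule definitions are assumptions modelled on the Figure 8 description.

```python
"""Zone-based, first-match security policy evaluation as described above.
Constructed example, not Palo Alto Networks code: the interface names, zone
names and rule definitions are assumptions modelled on the Figure 8 rules."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union

# Constructed stand-in for the firewall's "application-default" service:
# the protocol/port pairs an application is expected to use.
APP_DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)},
    "ping": {("icmp", 0)},
    "traceroute": {("udp", 33434), ("icmp", 0)},
    "ntp": {("udp", 123)},
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
}

# Interfaces are assigned to zones and rules refer only to zones, so moving an
# interface to another zone never requires touching the rulebase (assumed layout).
INTERFACE_ZONE = {
    "ethernet1/1": "external",   # Internet-facing
    "ethernet1/2": "internal",   # head-office LAN
    "tunnel.1": "VPN",           # SSL VPN tunnel interface
}

# "application-default", "any", or an explicit set of (proto, port) pairs
Service = Union[str, FrozenSet[Tuple[str, int]]]


@dataclass(frozen=True)
class Session:
    in_if: str    # ingress interface
    out_if: str   # egress interface chosen by the virtual router
    app: str      # application as classified by App-ID (assumed already known)
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: FrozenSet[str]
    to_zones: FrozenSet[str]
    apps: FrozenSet[str]      # {"any"} or explicit application names
    service: Service
    action: str               # "allow" or "deny"


def fz(*items):
    return frozenset(items)


def rule_matches(rule: Rule, s: Session) -> bool:
    src_zone, dst_zone = INTERFACE_ZONE[s.in_if], INTERFACE_ZONE[s.out_if]
    if "any" not in rule.from_zones and src_zone not in rule.from_zones:
        return False
    if "any" not in rule.to_zones and dst_zone not in rule.to_zones:
        return False
    if "any" not in rule.apps and s.app not in rule.apps:
        return False
    if rule.service == "application-default":
        # the application is only allowed on its standard ports
        return (s.proto, s.dport) in APP_DEFAULT_PORTS.get(s.app, set())
    if rule.service == "any":
        return True
    return (s.proto, s.dport) in rule.service


def evaluate(rules: List[Rule], s: Session) -> Tuple[str, str]:
    """Top-down lookup until the first match; with no match the predefined
    intrazone-default (allow) / interzone-default (deny) rules decide."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.action, rule.name
    if INTERFACE_ZONE[s.in_if] == INTERFACE_ZONE[s.out_if]:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


# Constructed rulebase following the numbered description above.
RULEBASE = [
    # 1. web portal: the portal answers on the external interface, so source
    #    and destination zone are both "external" (assumption about the stand)
    Rule("sslvpn-portal", fz("external"), fz("external"),
         fz("ssl", "web-browsing"), "application-default", "allow"),
    # 2. remote users to the head office
    Rule("vpn-traffic", fz("VPN"), fz("internal"), fz("any"), "any", "allow"),
    # 3. basic Internet, only on application-default ports
    Rule("basic-internet", fz("internal"), fz("external"),
         fz("dns", "ping", "traceroute", "ntp"), "application-default", "allow"),
    # 4. web access by port alone, no application control
    Rule("web-access", fz("internal"), fz("external"), fz("any"),
         fz(("tcp", 80), ("tcp", 443)), "allow"),
]

if __name__ == "__main__":
    for s in [
        Session("ethernet1/2", "ethernet1/1", "dns", "udp", 53),
        Session("ethernet1/2", "ethernet1/1", "dns", "tcp", 8080),  # DNS off its default port
        Session("ethernet1/2", "ethernet1/1", "ssl", "tcp", 443),
        Session("tunnel.1", "ethernet1/2", "ms-rdp", "tcp", 3389),
        Session("ethernet1/1", "ethernet1/2", "ssh", "tcp", 22),
    ]:
        print(s, "->", evaluate(RULEBASE, s))
```

The second sample session shows what application-default buys: DNS identified on TCP/8080 fails rule 3, is not covered by the port-only rule 4, and ends in interzone-default. Adding a new interface to INTERFACE_ZONE is enough to put it under the existing rules, which is the point made about zone logic above.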
NAT is configured in the section Policies -> NAT. An example NAT configuration is shown in Figure 9.
Figure 9 – NAT configuration example
For traffic from the internal network to the outside, dynamic port address translation (PAT) can be used, which replaces the source address with the external IP address of the firewall.
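As an added illustration of the PAT behaviour just described (not code from the article or from the firewall), the model below rewrites each outbound flow to the firewall's external address and a unique port, remembers the mapping, translates matching replies back, and drops inbound packets that no internal session created. The external address, port range and packets are constructed for the example.

```python
"""Dynamic IP-and-port source NAT (PAT) for internal -> external traffic.
Constructed model, not Palo Alto Networks code; addresses are invented."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicIpAndPort:
    """Rewrites every outbound (src_ip, src_port) to (external_ip, nat_port),
    keyed on the full 5-tuple so the same flow keeps its port, and rewrites
    matching replies back.  Replies without a mapping are dropped (None)."""

    def __init__(self, external_ip: str, port_range: Tuple[int, int] = (49152, 65535)):
        self.external_ip = external_ip
        # lowest port is handed out first (list is popped from the end)
        self._free_ports = list(range(port_range[1], port_range[0] - 1, -1))
        # (proto, src_ip, src_port, dst_ip, dst_port) -> nat_port
        self._outbound: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, nat_port, dst_ip, dst_port) -> (src_ip, src_port)
        self._inbound: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self._outbound.get(key)
        if nat_port is None:
            if not self._free_ports:
                raise RuntimeError("NAT port pool exhausted")
            nat_port = self._free_ports.pop()
            self._outbound[key] = nat_port
            self._inbound[(pkt.proto, nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=nat_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the Internet host: look up the port it answered to."""
        if pkt.dst_ip != self.external_ip:
            return None
        original = self._inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if original is None:
            return None  # unsolicited inbound traffic: no mapping, dropped
        src_ip, src_port = original
        return replace(pkt, dst_ip=src_ip, dst_port=src_port)

    def release(self, pkt: Packet) -> None:
        """Free the mapping of an outbound flow when its session ends."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self._outbound.pop(key, None)
        if nat_port is not None:
            del self._inbound[(pkt.proto, nat_port, pkt.dst_ip, pkt.dst_port)]
            self._free_ports.append(nat_port)

    def active_mappings(self) -> int:
        return len(self._outbound)


if __name__ == "__main__":
    nat = DynamicIpAndPort("203.0.113.10")  # constructed external address
    out = nat.translate_outbound(Packet("tcp", "10.0.0.5", 51000, "198.51.100.7", 443))
    print("outbound rewritten to", out)
    print("reply mapped back to", nat.translate_inbound(
        Packet("tcp", "198.51.100.7", 443, "203.0.113.10", out.src_port)))
```

Because mappings are created only by outbound packets, an Internet host cannot reach an internal address through the firewall's external IP unless a session from inside opened the port first; this is why the policy rules above matter mainly for the internal-to-external direction.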
4. Configuring the LDAP authentication profile and the user identification feature
Before users can connect over SSL VPN, an authentication mechanism must be configured. In this example authentication is performed against an Active Directory domain controller, configured through the Palo Alto Networks web interface.
Figure 10 – LDAP profile
For authentication to work, an LDAP profile and an authentication profile are required. In the section Device -> Server Profiles -> LDAP (Figure 10) specify the IP address and port of the domain controller, the LDAP type, and a user account that is a member of the groups Server Operators, Event Log Readers and Distributed COM Users. Then create an authentication profile in the section Device -> Authentication Profile (Figure 11) and point it at the LDAP profile created earlier; in the Advanced tab specify the group of users allowed remote access (Figure 12). Pay attention to the User Domain parameter in the profile: without it, group-based authentication does not work. This field must contain the NetBIOS domain name.
Figure 11 – Authentication profile
Figure 12 – Selecting an AD group
The next stage is the setup of Device -> User Identification. Here you specify the IP address of the domain controller and the connection credentials, and enable the settings Enable Security Log, Enable Session and Enable Probing (Figure 13). In the Group Mapping section (Figure 14) pay attention to the parameters used to identify objects in LDAP and to the list of groups used for authorization. As in the authentication profile, the User Domain parameter must be set here as well.
Figure 13 – User mapping parameters
Figure 14 – Group mapping parameters
The last step of this phase is creating the VPN zone and its interface. The option Enable User Identification must be turned on for it (Figure 15).
Figure 15 – VPN zone setup
5. Setting up the SSL VPN
Before connecting to the SSL VPN, a remote user opens the web portal, authenticates and downloads the GlobalProtect client; the client then asks for credentials and connects to the corporate network. Because the web portal works over https, a certificate must be installed. If possible, use a public certificate: then users will not get a warning that the site's certificate is invalid. If a public certificate cannot be used, issue your own certificate for the https web page; it can be self-signed or issued through a local certification authority. So that users do not get errors when connecting to the web portal, the remote computers must have the root certificate or the self-signed certificate in their list of trusted root certification authorities. In this example a certificate issued through Active Directory Certificate Services is used.
To obtain the certificate, create a certificate request in the section Device -> Certificate Management -> Certificates -> Generate. In the request, specify the certificate name and the IP address or FQDN of the web portal (Figure 16). Generate the request and download it: a .csr file is created, and its contents are pasted into the certificate request field of the AD CS Web Enrollment form. Depending on the CA configuration, the request is approved and the issued certificate must be downloaded as a Base64-encoded certificate. The root certificate of the certification authority must be downloaded as well. Both certificates are then imported into the firewall. When importing the web portal certificate, select the request with pending status and click Import; the certificate name must match the name given earlier in the request. The root certificate can be given any name. After importing the certificates, create an SSL/TLS Service Profile in the section Device -> Certificate Management and point it at the imported certificate.
Figure 16 – Certificate request
The next step is configuring the objects GlobalProtect Gateway and GlobalProtect Portal in the section Network -> GlobalProtect. In the GlobalProtect Gateway settings specify the external IP address of the firewall, the previously created SSL profile and authentication profile, the tunnel interface, and the client IP settings: the pool of IP addresses from which clients are assigned addresses, and the access routes, i.e. the subnets the client gets routes to. If the goal is to wrap all user traffic through the firewall, specify the subnet 0.0.0.0/0 (Figure 17).
Figure 17 – Configuring the IP address pool and routes
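To make the two gateway settings just described concrete, here is an added example (not the article's or GlobalProtect's own code) showing what the client IP pool and the access routes mean from the client's side: addresses are leased from the pool and returned when the session ends, and a destination is sent into the tunnel only if it falls inside one of the access routes, so 0.0.0.0/0 captures everything. The pool, routes and destination addresses are constructed for the example.

```python
"""Client IP pool and access-route decision for a GlobalProtect-style gateway.
Constructed example, not Palo Alto Networks code; pool and routes are invented."""
import ipaddress
from typing import Dict, Iterable, Optional


class ClientIpPool:
    """Hands out addresses from the gateway's client IP pool and takes them back."""

    def __init__(self, cidr: str):
        # lowest host address is leased first (list is popped from the end)
        self._free = list(reversed(list(ipaddress.ip_network(cidr).hosts())))
        self.leases: Dict[str, str] = {}   # username -> leased address

    def lease(self, user: str) -> Optional[str]:
        if user in self.leases:            # reconnecting user keeps the address
            return self.leases[user]
        if not self._free:
            return None                    # pool exhausted: connection refused
        addr = str(self._free.pop())
        self.leases[user] = addr
        return addr

    def release(self, user: str) -> None:
        addr = self.leases.pop(user, None)
        if addr is not None:
            self._free.append(ipaddress.ip_address(addr))


def via_tunnel(destination: str, access_routes: Iterable[str]) -> bool:
    """True if the client routes `destination` into the VPN tunnel, i.e. the
    address lies inside one of the gateway's access routes.  With 0.0.0.0/0
    as an access route all traffic goes through the firewall (full tunnel)."""
    dst = ipaddress.ip_address(destination)
    return any(dst in ipaddress.ip_network(route) for route in access_routes)


if __name__ == "__main__":
    pool = ClientIpPool("10.10.10.0/29")          # constructed client pool
    print("alice gets", pool.lease("alice"))
    split = ["192.168.0.0/16"]                    # constructed head-office subnet
    for dst in ("192.168.10.5", "8.8.8.8"):
        print(dst, "split tunnel:", via_tunnel(dst, split),
              "full tunnel:", via_tunnel(dst, ["0.0.0.0/0"]))
```

A split-tunnel route list keeps only head-office destinations behind the firewall's security policy; with 0.0.0.0/0 the Internet traffic of remote users is inspected by the same rules as the office LAN, at the cost of the extra bandwidth through the gateway.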
Next, configure the GlobalProtect Portal: specify the firewall IP address, the SSL profile and the authentication profile, and the list of external IP addresses of the firewalls that clients connect to. If there are several firewalls, each can be given a priority that determines which firewall users connect to.
In the section Device -> GlobalProtect Client download the VPN client distribution from the Palo Alto Networks server and activate it. To connect, a user opens the portal web page, where they are prompted to download the GlobalProtect client. After downloading and installing it, the user enters their credentials and connects to the corporate network over the SSL VPN.
Summary
This completes the Palo Alto Networks part of the setup. We hope this information proves useful and helps readers understand the technologies used by Palo Alto Networks. If you have questions about the configuration or suggestions for topics of future articles, leave them in the comments and we will be glad to answer.
Source: habr.com