Hello everyone! This article looks at the VPN functionality of the Sophos XG Firewall product. In the previous
First, let's look at the licensing table:
You can read more about how Sophos XG Firewall is licensed here:
In this article, though, we are only interested in the items highlighted in red.
The core VPN functionality is included in the base license and is bought once: it is a perpetual license and does not need renewing. The Base VPN Options module includes:
Site-to-Site:
- SSL VPN
- IPsec VPN
Remote Access (client VPN):
- SSL VPN
- IPsec VPN (with a free proprietary client app)
- L2TP
- PPTP
As you can see, all the common protocols and VPN connection types are supported. (PPTP and L2TP are there for legacy clients; PPTP's MS-CHAPv2 authentication has been practically broken for years, so prefer SSL or IPsec wherever the client allows it.)
In addition, Sophos XG Firewall has two more VPN connection types that are not part of the base license: RED VPN and HTML5 VPN. Both are included in the Network Protection subscription, so to use them you need an active subscription, which also brings the network security functionality, the IPS and ATP modules.
RED VPN is Sophos's proprietary layer-2 VPN. It has several advantages over Site-to-Site SSL or IPsec when building a VPN between two XGs. Unlike IPsec, a RED tunnel creates a visible interface at both ends of the tunnel, which helps with troubleshooting, and unlike SSL, that interface is fully configurable. The administrator has full control over the subnet inside the RED tunnel, which makes routing problems and subnet conflicts much easier to resolve.
HTML5 VPN, or Clientless VPN, is a special kind of VPN that publishes services over HTML5 directly in the browser. The service types that can be configured are:
- RDP
- Telnet
- SSH
- VNC
- FTP
- FTPS
- SFTP
- SMB
Bear in mind, though, that this VPN type should be used only in exceptional cases; wherever possible, use one of the VPN types listed above.
Practice
Let's look at how to configure two of these connection types: Site-to-Site IPsec and Remote Access SSL VPN.
Site-to-Site IPsec VPN
We start with the configuration for a Site-to-Site IPsec VPN tunnel between two Sophos XG Firewalls. Under the hood XG uses strongSwan, so the same procedure lets you connect to any IPsec-capable router.
You could use the convenient and quick setup wizard, but we will follow the standard route, so that with these instructions you can integrate Sophos XG with any device that speaks IPsec.
Open the policy settings window:
As you can see, there are pre-configured policies, but we will create our own.
Set the encryption parameters for phase 1 (IKE) and phase 2 (IPsec) and save the policy. Do the same on the second Sophos XG, then move on to configuring the IPsec connection itself.
Give the connection a name, choose the connection mode and select the encryption policy. For example, we will authenticate with a Preshared Key
and specify the local and remote subnets.
Our connection is created.
Now make the same settings on the second Sophos XG, except for the connection mode, which we set to Initiate the connection.
We now have two tunnels configured. Next they need to be activated and started. This is very simple: click the red circle under Active to activate the connection, and the red circle under Connection to start it.
If we see this picture:
the tunnel is up and working correctly. If the second indicator is red or yellow, something does not match in the encryption policy or in the local and remote subnets. Remember that the settings on the two ends must be mirrored.
As an aside, note that IPsec tunnels can be combined into Failover groups for fault tolerance:
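The mirroring rule is easy to break when the second XG (or a third-party strongSwan peer) is configured by copying the first one, so it is worth comparing the two definitions before clicking Connect. The check below is an added example written for this article, not Sophos code: the dict field names are assumptions that model the GUI fields (phase 1/2 proposals, PSK, gateways, subnets, connection mode), and the PEER definitions with their addresses and key are constructed sample data.

```python
"""Mirror check for a Site-to-Site IPsec tunnel defined on two peers.

Added example, not Sophos code. Each dict models the fields entered in
the XG GUI on one end of the tunnel; the field names are assumptions.
"""
from ipaddress import ip_network

# Ciphers, hashes and DH groups that should not appear in a new tunnel
# (modp768/modp1024 are DH groups 1 and 2).
WEAK_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}


def _nets(subnets):
    """Normalise subnet strings so 10.0.1.0/24 and 10.0.1.5/24 compare equal."""
    return {ip_network(s, strict=False) for s in subnets}


def mirror_issues(a, b):
    """Return a list of problems; an empty list means the two definitions
    mirror each other and use no weak algorithms."""
    issues = []

    # Phase 1 (IKE) and phase 2 (IPsec) proposals must be identical on both ends.
    for phase in ("phase1", "phase2"):
        if set(a[phase]) != set(b[phase]):
            issues.append(f"{phase} proposals differ: {sorted(a[phase])} vs {sorted(b[phase])}")
        for proposal in sorted(set(a[phase]) | set(b[phase])):
            weak = [alg for alg in proposal.lower().split("-") if alg in WEAK_ALGS]
            if weak:
                issues.append(f"{phase} proposal {proposal!r} uses weak algorithm(s) {weak}")

    if a["psk"] != b["psk"]:
        issues.append("pre-shared keys differ")

    # Traffic selectors are swapped: A's local networks are B's remote networks.
    if _nets(a["local_subnets"]) != _nets(b["remote_subnets"]):
        issues.append("A local subnets != B remote subnets")
    if _nets(a["remote_subnets"]) != _nets(b["local_subnets"]):
        issues.append("A remote subnets != B local subnets")

    # Each side must point at the other's public address.
    if a["remote_gateway"] != b["local_gateway"] or b["remote_gateway"] != a["local_gateway"]:
        issues.append("gateway addresses are not mirrored")

    # The article sets one XG to 'Initiate the connection'; the other only responds.
    initiators = [p["role"] for p in (a, b)].count("initiate")
    if initiators != 1:
        issues.append(f"expected exactly one initiator, found {initiators}")

    return issues


# Constructed sample definitions for the two firewalls (documentation addresses,
# throwaway key; not real data).
PEER_A = {
    "local_gateway": "198.51.100.1", "remote_gateway": "203.0.113.1",
    "phase1": ["aes256-sha256-modp2048"],
    "phase2": ["aes256-sha256-modp2048"],
    "psk": "correct horse battery staple",
    "local_subnets": ["10.10.0.0/24"], "remote_subnets": ["10.20.0.0/24"],
    "role": "respond",
}
PEER_B = {
    "local_gateway": "203.0.113.1", "remote_gateway": "198.51.100.1",
    "phase1": ["aes256-sha256-modp2048"],
    "phase2": ["aes256-sha256-modp2048"],
    "psk": "correct horse battery staple",
    "local_subnets": ["10.20.0.0/24"], "remote_subnets": ["10.10.0.0/24"],
    "role": "initiate",
}
# A typical copy-paste misconfiguration: remote subnet not swapped, both ends
# left in respond mode, and a legacy 3DES/SHA1 phase 2 proposal.
PEER_B_BAD = dict(PEER_B, remote_subnets=["10.20.0.0/24"], role="respond",
                  phase2=["3des-sha1"])

if __name__ == "__main__":
    for label, peer in (("good pair", PEER_B), ("bad pair", PEER_B_BAD)):
        print(label, mirror_issues(PEER_A, peer) or "OK")
```

Running it prints no issues for the mirrored pair and four for the bad one (phase 2 mismatch, weak algorithms, unmirrored subnets, no initiator), which is exactly the set of mistakes that shows up as a red or yellow Connection indicator in the GUI.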
Remote Access SSL VPN
Let's move on to Remote Access SSL VPN for users. Under the hood this is standard OpenVPN, so users can connect with any client that supports .ovpn configuration files (for example, the standard OpenVPN client).
First, configure the OpenVPN server settings:
Specify the connection transport (protocol), the port, and the pool of IP addresses handed out to remote users.
You can also define the encryption settings here.
Once the server is configured, move on to the client connection policies.
Each SSL VPN connection policy is configured for a group or for an individual user, and each user can have only one connection policy. For each policy you specify the individual users or the AD group that will use it, and either tick the checkbox that sends all traffic through the VPN tunnel or list the IP addresses, subnets or FQDNs that will be reachable for those users. From these policies an .ovpn profile with the client settings is generated automatically.
Through the user portal a user can download either the .ovpn file with the VPN client settings or a VPN client installer with the connection file built in.
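Before handing the generated profile to users it is worth reading it rather than only importing it: the file shows which traffic will be tunnelled and whether the client-side hardening directives are present. The following is an added example written for this article, not Sophos code or the portal's generator. It parses a profile, reports whether it is a full tunnel (redirect-gateway, what the "all traffic through the tunnel" checkbox produces) or a split tunnel with explicit routes, and flags missing hardening. SAMPLE_OVPN and WEAK_OVPN are constructed profiles, not real exports, and the certificate body is a placeholder.

```python
"""Audit an OpenVPN client profile (.ovpn) of the kind a user portal hands out.

Added example, not Sophos code. SAMPLE_OVPN is a constructed profile, not a
real XG export, and the certificate body is a placeholder.
"""
import re

SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote vpn.example.com 8443
route 10.10.0.0 255.255.255.0
route 10.20.0.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
auth-user-pass
remote-cert-tls server
tls-version-min 1.2
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
"""

# The same profile weakened the way an old or hand-edited export might be.
WEAK_OVPN = (SAMPLE_OVPN.replace("remote-cert-tls server\n", "")
             .replace("tls-version-min 1.2\n", "")
             .replace("cipher AES-256-CBC", "cipher BF-CBC")
             + "redirect-gateway def1\n")


def parse_ovpn(text):
    """Split a profile into directives and inline <tag>...</tag> blocks.

    directives maps a name to a list of argument lists, so repeated lines such
    as several 'route' or 'remote' entries are all kept."""
    directives, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if current:                       # inside <ca>, <cert>, <tls-auth>, ...
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            current = m.group(1)
            blocks[current] = []
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, {k: "\n".join(v) for k, v in blocks.items()}


def audit_profile(text):
    """Return what the profile tunnels and which hardening directives are missing."""
    d, blocks = parse_ovpn(text)
    # 'redirect-gateway' sends all client traffic through the tunnel; without it
    # only the listed routes (or routes pushed by the server) are tunnelled.
    full_tunnel = "redirect-gateway" in d
    routes = [f"{a[0]}/{a[1]}" for a in d.get("route", []) if len(a) >= 2]
    warnings = []
    if "remote-cert-tls" not in d:
        warnings.append("no 'remote-cert-tls server': a peer holding any client "
                        "certificate from the same CA can impersonate the server")
    if "tls-version-min" not in d:
        warnings.append("no 'tls-version-min': TLS 1.0/1.1 handshakes allowed")
    # 'cipher' is the fallback when the server does not negotiate a data cipher,
    # so a legacy value still matters against older servers.
    cipher_args = d.get("cipher", [[]])[0]
    cipher = cipher_args[0].upper() if cipher_args else None
    if cipher and not cipher.startswith(("AES-", "CHACHA20")):
        warnings.append(f"non-AES/ChaCha fallback cipher {cipher}; 64-bit block "
                        "ciphers such as BF-CBC are SWEET32-prone")
    if "ca" not in blocks and "ca" not in d:
        warnings.append("no CA: the server certificate cannot be verified")
    return {"full_tunnel": full_tunnel, "routes": routes, "warnings": warnings}


if __name__ == "__main__":
    for label, profile in (("portal profile", SAMPLE_OVPN), ("weakened profile", WEAK_OVPN)):
        print(label, audit_profile(profile))
```

The constructed profile is reported as a split tunnel to the two listed subnets with no warnings; the weakened copy is a full tunnel with three warnings. The same parser can be pointed at a real download from the portal to confirm that the subnets in the file match what was entered in the connection policy.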
Conclusion
In this article we briefly went over the VPN functionality of the Sophos XG Firewall product and looked at how to configure IPsec VPN and SSL VPN. This is far from a complete list of what the solution can do. In the following articles I will try to look at RED VPN and show what it looks like in the product itself.
Thank you for your time.
If you have any questions about the commercial version of XG Firewall, you can contact us, the company
Source: www.habr.com