Molweni nonke! Eli nqaku liza kuphonononga ukusebenza kweVPN kwimveliso yeSophos XG Firewall. Ngaphambili
Okokuqala, makhe sijonge itafile yelayisensi:
Unokufunda ngakumbi malunga nendlela iSophos XG Firewall enikwe ngayo ilayisenisi apha:
Kodwa kweli nqaku siya kuba nomdla kuphela kwezo zinto zigxininiswe ebomvu.
Umsebenzi oyintloko weVPN ufakiwe kwilayisensi eyisiseko kwaye ithengwa kanye kuphela. Le yilayisensi yobomi bonke kwaye ayifuni ukuhlaziywa. Imodyuli yoKhetho lweSiseko seVPN ibandakanya:
Indawo-kuya-kwiNdawo:
- I-SSL yeVPN
- IPSec VPN
Ukufikelela kude (iVPN yomxhasi):
- I-SSL yeVPN
- IPsec Clientless VPN (eneapp yasimahla yesiko)
- L2TP
- PPTP
Njengoko ubona, zonke iiprotocol ezidumileyo kunye neentlobo zoqhagamshelo lweVPN ziyaxhaswa.
Kwakhona, i-Sophos XG Firewall ineentlobo ezimbini ezingakumbi zoqhagamshelwano lwe-VPN olungabandakanywa kubhaliso olusisiseko. Ezi zi-RED VPN kunye ne-HTML5 VPN. Olu xhulumaniso lwe-VPN lufakwe kwi-Network Protection subscription, oku kuthetha ukuba ukuze usebenzise ezi ntlobo kufuneka ube nokubhaliselwa okusebenzayo, okubandakanya nokusebenza kokukhusela inethiwekhi - iimodyuli ze-IPS kunye ne-ATP.
I-RED VPN ngumnini weL2 VPN evela eSophos. Olu hlobo loxhulumaniso lwe-VPN luneenzuzo ezininzi kwi-Site-to-site SSL okanye i-IPSec xa useka i-VPN phakathi kwee-XG ezimbini. Ngokungafani ne-IPSec, i-RED tunnel idala i-interface ebonakalayo kuzo zombini iziphelo zetonela, enceda kwiingxaki zokusombulula ingxaki, kwaye ngokungafaniyo ne-SSL, le interface ebonakalayo inokwenziwa ngokwezifiso ngokupheleleyo. Umlawuli unolawulo olupheleleyo kwi-subnet ngaphakathi kwe-RED tunnel, eyenza kube lula ukusombulula iingxaki zomzila kunye neengxabano ze-subnet.
HTML5 VPN okanye Clientless VPN - Uhlobo oluthile lwe-VPN ekuvumela ukuba uthumele iinkonzo nge-HTML5 ngokuthe ngqo kwisikhangeli. Iindidi zeenkonzo ezinokuthi ziqwalaselwe:
- I-RDP
- Telnet
- SSH
- VNC
- FTP
- FTPS
- SFTP
- SMB
Kodwa kuyafaneleka ukuqwalasela ukuba olu hlobo lwe-VPN lusetyenziswa kuphela kwiimeko ezikhethekileyo kwaye kuyacetyiswa, ukuba kunokwenzeka, ukusebenzisa iintlobo zeVPN kwizintlu ezingentla.
Zenza
Makhe sijonge okubonakalayo kwindlela yokuqwalasela ezininzi zezi ntlobo zetonela, ezizezi: Isayithi-ukuya-kwiNdawo IPSec kunye ne-SSL VPN Ufikelelo olukude.
Site-to-Site IPSec VPN
Masiqale ngendlela yokuseta itonela ye-Site-to-Site IPSec VPN phakathi kwee-Firewalls ezimbini ze-Sophos XG. Ngaphantsi kwe-hood isebenzisa iSwan eqinile, ekuvumela ukuba udibanise kuyo nayiphi na i-router enikwe amandla yi-IPSec.
Ungasebenzisa iwizadi eluncedo kwaye ekhawulezayo yokuseta, kodwa siya kulandela umendo ngokubanzi ukuze, ngokusekwe kule miyalelo, unokudibanisa iSophos XG kunye nasiphi na isixhobo usebenzisa i-IPSec.
Masivule ifestile yezicwangciso zenkqubo:
Njengoko sibona, kukho iisetingi esele zisetwe, kodwa siya kudala ezethu.
Masiqwalasele iiparamitha zofihlo kwisigaba sokuqala nesesibini kwaye sigcine umgaqo-nkqubo. Ngomzekeliso, senza amanyathelo afanayo kwi-Sophos XG yesibini kwaye siqhubele phambili ekusetesheni itonela ye-IPSec ngokwayo.
Ngenisa igama, imo yokusebenza kwaye uqwalasele iiparamitha zofihlo. Umzekelo, siya kusebenzisa i-Preshared Key
kwaye ubonise ii-subnets zasekhaya kunye nezikude.
Uqhagamshelwano lwethu lwenziwe
Ngomzekeliso, senza izicwangciso ezifanayo kwi-Sophos XG yesibini, ngaphandle kwendlela yokusebenza, apho siya kucwangcisa Qalisa uxhulumaniso.
Ngoku sineetonela ezimbini ezimiselweyo. Okulandelayo, kufuneka sizivule kwaye siziqhube. Oku kwenziwa ngokulula kakhulu, kufuneka ucofe kwisangqa esibomvu phantsi kwegama Iyasebenza ukuze usebenze nakwisangqa esibomvu phantsi koQhagamshelwano ukuqalisa uxhulumaniso.
Ukuba sibona lo mfanekiso:
Oku kuthetha ukuba itonela yethu isebenza ngokuchanekileyo. Ukuba isalathisi sesibini sibomvu okanye siphuzi, ngoko into ethile ayilungiswanga ngendlela engafanelekanga kwimigaqo-nkqubo yokufihla okanye i-subnets yendawo kunye nekude. Makhe ndikukhumbuze ukuba useto kufuneka lubonakaliswe.
Ngokwahlukileyo, ndingathanda ukuqaqambisa ukuba ungadala amaqela eFailover ukusuka kwiitonela ze-IPSec zokunyamezela iimpazamo:
Ukufikelela kude kwi-SSL VPN
Masiqhubele phambili kwi-Remote Access SSL VPN yabasebenzisi. Ngaphantsi kwe-hood kukho i-OpenVPN eqhelekileyo. Oku kuvumela abasebenzisi ukuba badibanise ngokusebenzisa nawuphi na umxhasi oxhasa iifayile zoqwalaselo .ovpn (umzekelo, umxhasi woqhagamshelwano oluqhelekileyo).
Okokuqala, kufuneka uqwalasele imigaqo-nkqubo yeseva ye-OpenVPN:
Cacisa uthutho loqhagamshelwano, qwalasela i-port, uluhlu lweedilesi ze-IP zokudibanisa abasebenzisi abakude
Ungakhankanya kwakhona useto loguqulelo oluntsonkothileyo.
Emva kokuseta iseva, siqhubeka nokuseta unxibelelwano lwabaxhasi.
Umgaqo ngamnye woqhagamshelwano lwe-SSL VPN wenzelwe iqela okanye umsebenzisi ngamnye. Umsebenzisi ngamnye unokuba nomgaqo-nkqubo woqhagamshelwano omnye kuphela. Ngokwezicwangciso, into enomdla kukuba kumgaqo ngamnye onjalo unokuchaza abasebenzisi ngabanye abaza kusebenzisa olu cwangciso okanye iqela elivela kwi-AD, unokwenza ibhokisi yokukhangela ukuze yonke i-traffic isongwe kwitonela ye-VPN okanye ucacise iidilesi ze-IP, ii-subnets okanye amagama e-FQDN afumanekayo kubasebenzisi. Ngokusekwe kule migaqo-nkqubo, iprofayile ye.ovpn enemimiselo yomthengi iyakwenziwa ngokuzenzekelayo.
Ukusebenzisa i-portal yomsebenzisi, umsebenzisi unokukhuphela zombini ifayile ye-ovpn kunye nezicwangciso zomthengi we-VPN, kunye nefayile yokufakela umxhasi we-VPN kunye nefayile yesethingi eyakhelwe-ngaphakathi.
isiphelo
Kweli nqaku, siye ngokufutshane malunga nokusebenza kweVPN kwimveliso yeSophos XG Firewall. Sijonge indlela onokuthi uqwalasele ngayo i-IPSec VPN kunye ne-SSL VPN. Olu ayiloluhlu olupheleleyo lwento esi sisombululo sinokuyenza. Kumanqaku alandelayo ndiya kuzama ukuphonononga iRED VPN kwaye ndibonise ukuba ibonakala njani kwisisombululo ngokwayo.
Enkosi ngexesha lakho.
Ukuba unayo nayiphi na imibuzo malunga noshicilelo lwentengiso lwe-XG Firewall, ungaqhagamshelana nathi, inkampani
umthombo: www.habr.com