4. NGFW for small business. VPN

Continuing our series of articles on NGFW for small business, let me remind you that we are reviewing the new 1500 series model line. In Part 1 of the series, I mentioned one of the most useful options when buying an SMB device: the gateways ship with built-in Mobile Access licenses (from 100 to 200 users, depending on the model). In this article we will look at setting up VPN on the 1500 series gateways, which come with Gaia 80.20 Embedded pre-installed. Here is a summary:

  1. VPN capabilities for SMB.
  2. Organizing Remote Access for a small office.
  3. Available clients for connecting.

1. VPN options for SMB

This material was prepared using the official administration guide for version R80.20.05 (current at the time this article was published). Accordingly, in terms of VPN, Gaia 80.20 Embedded supports:

  1. Site-to-Site. Creating VPN tunnels between your offices, so that users can work as if they were on the same "local" network.

  2. Remote Access. Remote connection to your office resources from end-user devices (PCs, mobile phones, etc.). In addition, there is SSL Network Extender, which lets you publish individual applications and run them using a Java Applet, connecting over SSL. Note: not to be confused with the Mobile Access Portal (it is not supported in Gaia Embedded).

In addition, I highly recommend the TS Solution author's course, Check Point Remote Access VPN. It covers Check Point technologies in terms of VPN, touches on licensing issues, and contains detailed setup instructions.

2. Remote Access for a small office

We will start by organizing a remote connection to your office:

  1. For users to build a VPN tunnel to the gateway, you need a public IP address. If you have already completed the initial setup (Part 2 of the series), then, as a rule, the External Link is already active. The information can be found in the Gaia Portal: Device → Network → Internet

    If your company uses a dynamic public IP address, you can set up Dynamic DNS. Go to Device → DDNS & Device Access

    Currently two providers are supported: DynDns and no-ip.com. To activate the option, you need to enter your credentials (login, password).

  2. Next, let's create a user account, which will be useful for testing the settings: VPN → Remote Access → Remote Access Users

    In the group (for example: remote access) we will create a user following the instructions in the screenshot. Setting up the account is standard: set a login and password, and additionally enable the Remote Access permissions option.

    If you applied the settings successfully, two objects should appear: a local user and a local user group.

  3. The next step is to go to VPN → Remote Access → Blade Control. Make sure your blade is turned on and that traffic from remote users is allowed.

  4. *The above was the minimum set of steps for setting up Remote Access. But before we test the connection, let's look at the advanced settings by going to the tab VPN → Remote Access → Advanced

    Based on the current settings, we see that when remote users connect, they will receive an IP address from the 172.16.11.0/24 network, thanks to the Office Mode option. This is enough, with a margin, to use 200 concurrent licenses (as indicated for the 1590 NGFW Check Point).

    The option "Route Internet traffic from connected clients through this gateway" is not selected; it is responsible for routing all traffic from the remote user through the gateway (including Internet connections). This lets you inspect the user's traffic and protect their workstation from various threats and malware.

  5. *Working with access policies for Remote Access

    After we have configured Remote Access, an automatic access rule is created at the Firewall level. To view it, go to the tab: Access Policy → Firewall → Policy

    In this case, remote users who are members of the previously created group will be able to access all of the company's internal resources; note that the rule is located in the general section "Incoming, Internal and VPN traffic". To allow VPN user traffic to the Internet, you will need to create a separate rule in the general section "Outgoing access to the Internet".

  6. Finally, we need to make sure that the user can successfully establish a VPN tunnel to our NGFW gateway and gain access to the company's internal resources. To do this, you need to install a VPN client on the host under test; to help, a download link is provided. After installation, you will need to go through the standard procedure of adding a new site (specify the public IP address of your gateway). For convenience, the process is presented as a GIF

    Once the connection is established, let's check the IP address received on the host machine using the command in CMD: ipconfig

    We verified that the virtual network adapter received an IP address from the Office Mode of our NGFW and that packets are sent successfully. To finish, we can go to the Gaia Portal: VPN → Remote Access → Connected Remote Users

    The user "ntuser" is shown as connected; let's check the event logging by going to Logs & Monitoring → Security Logs

    The connection is logged with the source IP address 172.16.10.1; this is the address our user received via Office Mode.
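
As an added example (not part of the original article and not Check Point code), the Python below checks two things this section relies on: that the Office Mode network leaves room for the 200 concurrent users, and that the addresses seen for remote users come from that network and are not handed out twice. The `user,ip` rows are a constructed stand-in, not a Check Point log format, and the headroom figure assumes only the network and broadcast addresses are unusable.

```python
import ipaddress
from collections import Counter

# Values taken from the article: Office Mode network and concurrent-user count.
OFFICE_MODE_POOL = "172.16.11.0/24"
CONCURRENT_USERS = 200

# Constructed sample of "user,assigned_ip" rows. This is NOT a Check Point
# log format, only a stand-in for whatever you export from Security Logs.
SAMPLE_SESSIONS = """\
alice,172.16.11.10
bob,172.16.11.11
carol,192.168.1.50
dave,172.16.11.10
"""

def pool_headroom(pool, users):
    """Usable host addresses in the pool minus the concurrent-user count."""
    net = ipaddress.ip_network(pool, strict=True)
    # Assumption: only the network and broadcast addresses are excluded.
    usable = net.num_addresses - 2
    return usable - users

def audit_sessions(pool, rows):
    """Return (outside_pool, duplicates) for 'user,ip' rows."""
    net = ipaddress.ip_network(pool, strict=True)
    seen = []
    outside = []
    for line in rows.splitlines():
        line = line.strip()
        if not line:
            continue
        user, ip_text = (field.strip() for field in line.split(",", 1))
        ip = ipaddress.ip_address(ip_text)  # raises ValueError on bad input
        if ip not in net:
            outside.append((user, str(ip)))
        seen.append(str(ip))
    # The same address on two concurrent sessions points to a pool problem.
    duplicates = sorted(ip for ip, n in Counter(seen).items() if n > 1)
    return outside, duplicates

if __name__ == "__main__":
    print("headroom:", pool_headroom(OFFICE_MODE_POOL, CONCURRENT_USERS))
    outside, dupes = audit_sessions(OFFICE_MODE_POOL, SAMPLE_SESSIONS)
    print("outside pool:", outside)
    print("duplicate assignments:", dupes)
```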

3. Supported clients for Remote Access

Now that we have looked at the procedure for setting up a remote connection to your office using a Check Point NGFW of the SMB family, I would like to write about client support for various devices:

The variety of supported operating systems and devices will let you make full use of the license that comes with the NGFW. To configure a specific device, there is a convenient option, "How to connect"

It automatically generates steps according to your settings, which will allow administrators to install new clients without problems.

Conclusion: To summarize this article, we looked at the VPN capabilities of the Check Point NGFW SMB family. Next, we described the steps for setting up Remote Access for the case of users connecting remotely to the office, and then studied the monitoring tools. At the end of the article we talked about the available clients and connection options for Remote Access. Thus, your branch office will be able to ensure the continuity and security of employees' work using VPN technology, despite various external threats and factors.

A large selection of materials on Check Point from TS Solution. Stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).

Source: www.habr.com
