4. I-NGFW yamabhizinisi amancane. I-VPN

Siqhubeka nochungechunge lwethu lwezihloko ezimayelana ne-NGFW zamabhizinisi amancane, ake nginikhumbuze ukuthi sibuyekeza uhla lwamamodeli ochungechunge olusha lwe-1500. IN Izingxenye ezi-1 umjikelezo, ngikhulume enye yezinketho eziwusizo kakhulu lapho uthenga idivayisi ye-SMB - ukunikezwa kwamasango anamalayisense akhelwe ngaphakathi Okufinyelela Kweselula (kusuka kubasebenzisi abayi-100 kuya kwabangu-200, kuye ngemodeli). Kulesi sihloko sizobheka ukusetha i-VPN yamasango angu-1500 ochungechunge oluza ne-Gaia 80.20 Eshumekiwe efakwe ngaphambili. Nasi isifinyezo:

1. Amandla we-VPN we-SMB.
2. Inhlangano yokufinyelela kude kwehhovisi elincane.
3. Amaklayenti atholakalayo ukuze axhumeke.

1. Izinketho ze-VPN ze-SMB

Ukuze kulungiswe indaba yanamuhla, isikhulu admin guide inguqulo R80.20.05 (okwamanje ngesikhathi kushicilelwa indatshana). Ngokuvumelana nalokho, ngokuya nge-VPN ene-Gaia 80.20 Eshumekiwe kukhona usekelo lwe:

1. Isayithi-kuya-Isizinda. Ukudala imigudu ye-VPN phakathi kwamahhovisi akho, lapho abasebenzisi bengasebenza khona njengokungathi bakunethiwekhi efanayo “yasendaweni”.

   

2. Ukufinyelela Okukude. Uxhumano olukude ezinsizeni zehhovisi lakho usebenzisa amadivaysi okugcina abasebenzisi (ama-PC, omakhalekhukhwini, njll.). Ukwengeza, kune-SSL Network Extender, ikuvumela ukuthi ushicilele izinhlelo zokusebenza ngazinye futhi uzisebenzise usebenzisa i-Java Applet, exhuma nge-SSL. Qaphela: akufanele kudidaniswe ne-Mobile Access Portal (akukho usekelo lwe-Gaia Embedded).
   
   

Okuthuthukisiwe Ngincoma kakhulu inkambo yombhali i-TS Solution - Hlola i-VPN yephoyinti lokufinyelela kude iveza ubuchwepheshe be-Check Point mayelana ne-VPN, ithinta izinkinga zamalayisense futhi iqukethe imiyalelo yokusetha enemininingwane.

2. Ukufinyelela Okukude kwehhovisi elincane

Sizoqala ukuhlela ukuxhumana okukude nehhovisi lakho:

1. Ukuze abasebenzisi bakhe umhubhe we-VPN onesango, udinga ukuba nekheli le-IP lomphakathi. Uma usuqedile ukusetha kokuqala (2 isihloko kusukela kumjikelezo), khona-ke, njengomthetho, Isixhumanisi Sangaphandle sesivele sisebenza. Ulwazi lungatholakala ngokuya ku-Gaia Portal: Idivayisi → Inethiwekhi → I-inthanethi

   
   

   Uma inkampani yakho isebenzisa ikheli le-IP lomphakathi eliguqukayo, ungasetha i-DNS eDynamic. Iya ku Idivayisi → I-DDNS Nokufinyelela Kwedivayisi

   
   

   Okwamanje kukhona ukwesekwa okuvela kubahlinzeki ababili: DynDns kanye no-ip.com. Ukuze wenze kusebenze inketho udinga ukufaka imininingwane yakho (ukungena, iphasiwedi).

2. Okulandelayo, masidale i-akhawunti yomsebenzisi, izoba usizo ekuhloleni izilungiselelo: I-VPN → Ukufinyelela Okukude → Abasebenzisi Bokufinyelela Kukude

   
   

   Eqenjini (isibonelo: ukufinyelela kude) sizodala umsebenzisi elandela imiyalo kusithombe-skrini. Ukusetha i-akhawunti kujwayelekile, setha ukungena ngemvume nephasiwedi, futhi ngaphezu kwalokho unike amandla inketho yezimvume zokufinyelela kude.

   
   

   Uma usebenzise izilungiselelo ngempumelelo, kufanele kuvele izinto ezimbili: umsebenzisi wendawo, iqembu lendawo labasebenzisi.

   

3. Isinyathelo esilandelayo ukuya ku I-VPN → Ukufinyelela Kukude → Ukulawula I-Blade. Qiniseka ukuthi i-blade yakho ivuliwe futhi ithrafikhi evela kubasebenzisi berimothi ivunyelwe.

   

4. *Okungenhla bekuyisethi encane yezinyathelo zokusetha Ukufinyelela Kukude. Kodwa ngaphambi kokuthi sihlole ukuxhumeka, ake sihlole izilungiselelo ezithuthukile ngokuya kuthebhu I-VPN → Ukufinyelela Kukude → Okuthuthukile

   
   

   Ngokusekelwe kuzilungiselelo zamanje, siyabona ukuthi uma abasebenzisi bekude bexhuma, bazothola ikheli le-IP kunethiwekhi 172.16.11.0/24, ngenxa yenketho ye-Office Mode. Lokhu kwanele nge-reserve ukusebenzisa amalayisense okuncintisana angama-200 (akhonjiswe ku-1590 NGFW Check Point).

   Inketho "Lawula ithrafikhi ye-inthanethi kusuka kumakhasimende axhunyiwe ngale ndlela" uyazikhethela futhi unesibopho sokuhambisa yonke ithrafikhi esuka kumsebenzisi oqhelile ngesango (okuhlanganisa noxhumano Lwe-inthanethi). Lokhu kukuvumela ukuthi uhlole ithrafikhi yomsebenzisi futhi uvikele indawo yakhe yokusebenza ezinsongweni ezahlukahlukene nohlelo olungayilungele ikhompuyutha.

5. *Ukusebenza ngezinqubomgomo zokufinyelela zokufinyelela kude

   Ngemuva kokuthi silungise Ukufinyelela Kukude, umthetho wokufinyelela ozenzakalelayo wadalwa ezingeni le-Firewall, ukuze uwubuke udinga ukuya kuthebhu: Inqubomgomo Yokufinyelela → I-Firewall → Inqubomgomo

   
   

   Kulokhu, abasebenzisi abakude abangamalungu eqembu elakhiwe ngaphambilini bazokwazi ukufinyelela zonke izinsiza zangaphakathi zenkampani; qaphela ukuthi umthetho utholakala esigabeni esijwayelekile. "Ithrafikhi engenayo, yangaphakathi ne-VPN". Ukuze uvumele ithrafikhi yomsebenzisi we-VPN ku-inthanethi, uzodinga ukwakha umthetho ohlukile esigabeni esijwayelekile “Ukufinyelela okuphumayo ku-inthanethi".

6. Okokugcina, sidinga nje ukwenza isiqiniseko sokuthi umsebenzisi angakwazi ukudala ngempumelelo umhubhe we-VPN esangweni lethu le-NGFW futhi athole ukufinyelela ezinsizeni zangaphakathi zenkampani. Ukuze wenze lokhu, udinga ukufaka iklayenti le-VPN kumsingathi ohlolwayo, usizo lunikezwa isixhumanisi Okokulayisha. Ngemva kokufaka, uzodinga ukwenza inqubo evamile yokwengeza isayithi elisha (bonisa ikheli le-IP lomphakathi lesango lakho). Ukuze kube lula, inqubo yethulwa ngefomu le-GIF

   
   
   Uma uxhumano seluvele lusungulwe, ake sihlole ikheli le-IP elitholiwe emshinini wokusingathwa sisebenzisa umyalo ku-CMD: ipconfig

   
   

   Senze isiqiniseko sokuthi i-adaptha yenethiwekhi ebonakalayo ithole ikheli lasesizindeni se-inthanethi kusuka kumodi yeHhovisi ye-NGFW yethu, amaphakethe athunyelwe ngempumelelo. Ukuze uqedele, singaya ku-Gaia Portal: I-VPN → Ukufinyelela Kukude → Abasebenzisi Abakude Abaxhumekile

   
   

   Umsebenzisi "ntuser" uboniswa njengoxhumekile, ake sihlole ukuloga komcimbi ngokuya ku Amalogi Nokuqapha → Amalogi Okuvikela

   
   

   Uxhumano lufakwe kusetshenziswa ikheli le-IP njengomthombo: 172.16.10.1 - leli ikheli elitholwe umsebenzisi wethu ngeModi Yehhovisi.

   3. Amaklayenti asekelwe okufinyelela kude

   Ngemva kokuba sesibuyekeze inqubo yokusetha uxhumano oluqhelile ehhovisi lakho sisebenzisa Indawo Yokuhlola ye-NGFW yomndeni we-SMB, ngingathanda ukubhala mayelana nokwesekwa kwamakhasimende kumadivaysi ahlukahlukene:

   • I-Endpoint VPN yeWindows/Mac OS
   • Iklayenti Leselula (Android / iOS)
   • IKlayenti Lomdabu le-L2TP (Ukusekelwa kwezicelo ze-Check Point zohlelo lokusebenza lwe-VPN lwendabuko lwe-Microsoft).

   Izinhlobonhlobo zezinhlelo zokusebenza ezisekelwayo namadivayisi kuzokuvumela ukuthi usebenzise ngokugcwele ilayisense yakho eza ne-NGFW. Ukuze ulungiselele idivayisi ehlukile kunenketho elula "Uxhuma kanjani"

   

   Ikhiqiza ngokuzenzakalelayo izinyathelo ngokuya ngezilungiselelo zakho, okuzovumela abaphathi ukuthi bafake amaklayenti amasha ngaphandle kwezinkinga.

   Isiphetho: Ukufingqa lesi sihloko, sibheke amakhono we-VPN omndeni we-NGFW Check Point SMB. Okulandelayo, sichaze izinyathelo zokusetha i-Remote Access, esimweni sokuxhuma kude kwabasebenzisi ehhovisi, bese sifunda amathuluzi okuqapha. Ekupheleni kwe-athikili sikhulume ngamaklayenti atholakalayo kanye nezinketho zokuxhuma ze-Remote Access. Ngakho, ihhovisi lakho legatsha lizokwazi ukuqinisekisa ukuqhubeka nokuvikeleka komsebenzi wezisebenzi usebenzisa ubuchwepheshe be-VPN, naphezu kwezinsongo ezihlukahlukene zangaphandle nezici.

   Ukukhethwa okukhulu kwezinto zokwakha ku-Check Point kusuka ku-TS Solution. Hlala ubukele (yocingo, Facebook, VK, I-TS Solution Blog, I-Yandex.Zen).

Source: www.habr.com