
Index: 1.0
UseCase: Fortinet Engineered for Remote and Secure Productivity
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Fortinet Teleworker Solution

Organizations face a number of different potential emergency situations, such as illness, flood,
hurricanes, and power outages. Implementing a business continuity plan is essential to ensuring
that the organization is capable of maintaining operations in the face of adversity and preparing
for potential disasters.

An important consideration for organizations developing a business continuity plan is that the
organization may not be capable of sustaining normal operations onsite. The ability to support
employees working remotely is essential to ensuring both business continuity and security.
Fortinet solutions offer an integrated solution to support telework. FortiGate next-generation
firewalls (NGFWs) have built-in support for IPsec virtual private networks (VPNs), enabling
remote workers to connect securely to the company network. With endpoint protection,
provided by FortiClient, and multi-factor authentication (MFA) with FortiAuthenticator,
organizations can securely support remote work and maintain business continuity.
Index: 1.0 (a)
UseCase: Fortinet Engineered for Remote and Secure Productivity
Objective Title: Topology
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Fortinet Teleworker Solution


Index: 1.0 (b)
UseCase: Fortinet Engineered for Remote and Secure Productivity
Objective Title: Agenda
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Agenda

In the following lab exercises you will understand how easy it is to provide remote
teleworkers with secure access to internal corporate resources by completing the following
objectives:

· Configure two-factor authentication necessary for secure access


· Create an inbound VPN policy on FortiGate that allows teleworkers to tunnel back to
corporate headquarters
· Configure Fortinet Endpoint Management Server (EMS) to protect remote users as
effectively as if they were located at the corporate office
· Demonstrate successful operation of these critical functions

Topic                                                  Time
Lab 1: Introduction, Topology and Agenda               5 Minutes
Lab 2: Configure Remote User Authentication            10 Minutes
Lab 3: Configure Gateway IPsec VPN                     5 Minutes
Lab 4: Configure Client Two-Factor Authentication      5 Minutes
Lab 5: Configure Remote User Protection                10 Minutes
Lab 6: Demonstrate Remote User Secure Productivity     20 Minutes
Lab 7: Conclusion                                      5 Minutes
Index: 2.0
UseCase: Configure Remote User Authentication
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Remote teleworkers require secure access to internal resources at corporate offices to remain
productive when off-site. The first step in any remote worker scenario is to ensure that users can
be properly authenticated regardless of location.
Time to Complete: 10 minutes
Index: 2.0 (a)
UseCase: Configure Remote User Authentication
Objective Title: Import FortiToken Mobile Tokens
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

FortiAuthenticator provides services which are key in creating effective security policy,
strengthening security by ensuring only the right person at the right time can access your
sensitive networks and data.  The following settings have been pre-configured on
FortiAuthenticator:

1. Remote LDAP server to import Active Directory user/user groups and provide Windows
AD domain authentication using Kerberos.
2. FortiGate-Edge as a RADIUS client so that FortiAuthenticator can accept RADIUS
authentication requests from a FortiGate unit.

Tasks

Create New FortiToken Mobile Tokens

1. From the Jumpbox Server, log in to FortiAuthenticator at https://192.168.0.129 or use
the browser bookmark.

Username: admin Password: Fortinet1!

2. Click Authentication > User Management > FortiTokens.

Note: If there are any existing FortiTokens, select and delete all of them.

3. Click Create New.

4. Select Token Type: FortiToken Mobile.

5. Turn on Get FortiToken Mobile free trial tokens.


6. Click OK.
Note: Two FortiToken Mobile tokens that come free with FortiAuthenticator should be
imported.

Assign FortiToken to user account

1. Click Authentication > User Management > Remote Users.

2. Click checkbox beside user bob.

Note: User bob is an Active Directory user account that has been pre-imported into
FortiAuthenticator via LDAP integration with AD through Authentication > User
Management > Remote Users.

3. Click Edit.

4. Turn on Token-based authentication and choose the following:

· Deliver token code by: FortiToken

· FortiToken Mobile: FTKMOBxxxxx

Note: Token serial number will differ from the one shown in the screenshot
below

· Activation delivery method: Email

5. Expand User Information and make sure the following email address has been
configured:
· Email address: bob@acmecorp.net

6. Click OK.

Stop and Think

Question: Which of the following are valid methods of administering FortiToken? (Choose all
that apply)

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 3
Hint Text:

Hint

In this exercise you just administered FortiToken through FortiAuthenticator.

FortiAuthenticator provides centralized authentication services including SSO services,
certificate management, and guest management.

----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 3

Hint Text:

Hint

FortiToken Cloud provides everything needed for two-factor in a FortiGate environment

Key Features include:

· Manage two-factor deployments from provisioning to revocation

· Includes two factor tokens through FortiToken Mobile app which simplifies user input to
“click to accept”

· No additional onsite hardware, software, or ACL changes

· Easy to expand and grow as needed.

----------------------- Hint 3 Section -----------------------

Hint: 3 Points: 3

Hint Text:
Hint

FortiTokens can even be managed directly on the FortiGate Devices themselves.

So, all answers are correct (a, b, c)

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:

Answer

Answers a, b and c are all correct.

FortiToken is The Source of Identity for the Security Fabric.

This Solution Offers:

· Centralized Authentication
· Multifactor Authentication
· Cloud based Token IDaaS Service
· Single Sign-on
· Guest Management
· Device Onboarding

Answer Key:
7
Index: 2.0 (b)
UseCase: Configure Remote User Authentication
Objective Title: Enable Two-Factor Authentication for Remote User
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

You will set up FortiAuthenticator to function as a RADIUS server to allow IPsec VPN users to
authenticate with a FortiToken.

Tasks

Configure Radius Server on FortiGate

1. Log in to FortiGate-Edge at https://192.168.0.101 via the browser bookmark.

Username: admin Password: Fortinet1!

2. Click User & Device > RADIUS Servers > Create New and use the following information:

· Name: FAC_Server

· Primary Server IP/Name: 172.16.100.129

· Secret: Fortinet1!

3. Click Test Connectivity to make sure it returns Connection Successful.


4. Click OK.

Configure Remote User Group

1. Click User & Device > User Groups > Create New and use the following information:

· Name: IPsec_VPN_Users

· Type: Firewall

2. Under Remote Groups, click Add.


· Remote Server: FAC_Server

· Groups: Any (Leave it set to default)

3. Click OK.
4. Click OK.

Stop and Think

Question: To confirm a user’s identity after authentication, which of the following is checked
first? (Choose one)

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer

In most cases, the FortiGate unit authenticates users by requesting their username and
password. The FortiGate unit checks local user accounts first. If a match is not found, the
FortiGate unit checks the RADIUS, LDAP, or TACACS+ servers that belong to the user group.
Authentication succeeds when a matching username and password are found. If the user
belongs to multiple groups on a server, those groups will be matched as well.

Answer Key:
8
Index: 3.0
UseCase: Configure IPsec VPN
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Virtual Private Network (VPN) technology lets remote users connect to private computer
networks to gain access to their resources in a secure way. For example, an employee traveling
or working at home can use a VPN to securely access the office network through the Internet.
Instead of remotely logging into a private network using an unencrypted and unsecured
Internet connection, using a VPN ensures that unauthorized parties cannot access the office
network and cannot intercept information going between the employee and the office. Another
common use of a VPN is to connect the private networks of multiple offices.
Fortinet offers VPN capabilities in the FortiGate Unified Threat Management (UTM) appliance
and in the FortiClient Endpoint Security suite of applications. You can install a FortiGate unit on
a private network and install FortiClient software on the user’s computer. You can also use a
FortiGate unit to connect to the private network instead of using FortiClient software.
For the purposes of this lab we will be focusing on FortiClient IPsec tunnels.

Time to Complete: 5 minutes


Index: 3.0 (a)
UseCase: Configure IPsec VPN
Objective Title: FortiGate VPN Tunnel
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Tasks

1. Log in to FortiGate-Edge.
2. Click VPN > IPsec Wizard.
Use the following information:
· Name: Teleworkers

· Template Type: Remote Access


· Remote Device Type: Client-based/FortiClient

3. Click Next.
4. Use the following Authentication settings:
· Incoming Interface: WAN (port3)
· Authentication Method: Pre-shared key
· Pre-shared key: Fortinet1!

· User group: IPsec_VPN_Users


Note: IPsec_VPN_Users is the AD user group configured earlier.
5. Click Next.
6. Use the following Policy & Routing settings:
· Local Interface: DC Network (port2)
· Local Address: DC_Network
· Client Address Range: 10.10.10.1-10.10.10.10

· Leave Subnet Mask, DNS Server, Enable IPv4 Split Tunnel and Allow Endpoint
Registration settings set to default.

Note: By default, IPv4 Split Tunnel is enabled. In this configuration, remote users
are able to securely access the HQ internal network through the HQ firewall, yet
browse the Internet without going through the head office.

7. Click Next.
8. Use the following Client Options settings:
· Save Password: Turn on
· Auto Connect: Turn on
Note: When FortiClient is launched, the VPN connection will automatically
connect.
· Always Up (Keep Alive): Turn on
Note: When selected, the VPN connection is always up, even when no data is
being processed. If the connection fails, keep alive packets sent to the FortiGate
will sense when the VPN connection is available and re-connect VPN.

9. Click Create.
Note: After you create the tunnel, a summary page appears listing the objects which
have been added to the FortiGate's configuration by the wizard.

Stop and Think

Question: (True or False) By enabling Split Tunnel you can avoid overloading system resources
on the HQ firewall and send the remote client’s Internet traffic (For example, YouTube, Netflix
etc.) through their local ISP router?
----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer Key:
1
Index: 4.0
UseCase: Configure Client Two-Factor Authentication
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Passwords alone don't keep unwanted guests out of your network. Password-only
authentication has led to security breaches, malware infections, and policy violations. With two-
factor authentication, a password is used along with a security token and authentication server
to provide far better security. Authorized employees can access company resources safely using
a variety of devices, ranging from laptops to mobile phones.

Time to Complete: 5 minutes


Index: 4.0 (a)
UseCase: Configure Client Two-Factor Authentication
Objective Title: Register FortiToken Mobile
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

FortiToken confirms the identity of users by adding a second factor to the authentication
process through physical or mobile application based tokens.

Tasks

1. Login to Windows 10 (Remote).

2. Open Mozilla Thunderbird.

3. Check bob’s inbox and open the email with subject line FortiToken Mobile activation.

4. Select and right-click to copy the activation code without quotation marks provided in
the email.
Note: Your activation code will differ from the one provided in the image below.

5. Close Mozilla Thunderbird.


6. Go to Android Tablet (Remote) via CloudShare tab.

Note: In case the Android VM tablet screen is in sleep mode and presents a blank
screen, click Virtual Keyboard icon ‘Ctrl-Alt-Del’ located at left side on CloudShare to
send a keystroke.

CAUTION: The proper use of FortiToken is highly dependent upon time synchronization
between all the devices. It is likely that the virtualized Android tablet in the lab
environment will not have the correct system time. This is easily corrected by using the
installed NTP & GPS Clock application.

7. Click NTP & GPS Clock app on the system tray.


8. Click within the box labelled Accurate time to fetch the current time.

Note: You should see a significant Offset value indicating that the clocks are out of sync.

9. Long press (Click and hold) within the box labelled Offset to synchronize the time
Note: The time offset should now be minimal.

10. Verify that the time is the same on the Windows 10 (Remote) and Android Tablet
(Remote) devices.

11. Close the NTP & GPS Clock application.


12. Open FortiToken Mobile application. Choose ENTER MANUALLY to type the key for token
addition into FortiToken Mobile application.

13. Under FORTINET ACCOUNT, click Fortinet.

14. Enter the email address bob@acmecorp.net

15. To paste the activation code copied earlier, click anywhere in the activation code space
area.

16. Click Virtual Keyboard icon ‘Send Text’ located at left side on CloudShare.

17. In the Send Text window, right-click and click Paste to paste the activation code.

18. Click Send. The activation code should be automatically pasted in the FortiToken Mobile
application. If the full 16-digit code doesn’t get automatically pasted, enter it manually.

Note: Make sure that the 16-digit activation code pasted in the FortiToken Mobile app
matches exactly with the one provided in email. You may need to type the activation
code manually if there is a mismatch.

19. Click Add Account.


20. Click SET PIN.  

Note: PIN will be used for secure access to your application and tokens. 

21. Enter a four-digit PIN 1234. Confirm the PIN one more time by typing it again. 
Note: A token code with a timer should appear which means the FortiToken Mobile has
been successfully set up. 
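
Why the time-synchronization caution above matters, as an added example that is not part of the original lab guide: a generic RFC 6238 time-based one-time password generator and verifier, run with a tablet clock that is out of sync and with a code read just before its timer expires. The 60-second step, the seed, and the names login_attempt and drift_steps are assumptions made for illustration, not FortiToken or FortiAuthenticator internals.

```python
"""Time-based one-time codes and clock skew (generic RFC 6238 sketch)."""
import hashlib
import hmac
import struct

# Assumptions for this sketch, not values from the lab: HMAC-SHA1, six digits,
# a 60-second step, and the published RFC 4226 test seed (constructed input).
SEED = b"12345678901234567890"
STEP = 60
DIGITS = 6


def hotp(seed, counter, digits=DIGITS):
    """RFC 4226: HMAC the 8-byte counter, then apply dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed, unix_time, step=STEP):
    """RFC 6238: the counter is the number of whole steps since the epoch."""
    return hotp(seed, int(unix_time // step))


def seconds_left(unix_time, step=STEP):
    """Seconds until the code displayed at unix_time is replaced."""
    return step - int(unix_time) % step


def verify(seed, code, server_time, drift_steps=1, step=STEP):
    """Return the step offset at which the code matched, or None.

    drift_steps is a hypothetical tolerance: how many steps either side of
    the server's current step are still accepted.
    """
    current = int(server_time // step)
    for delta in sorted(range(-drift_steps, drift_steps + 1), key=abs):
        counter = current + delta
        if counter >= 0 and hmac.compare_digest(hotp(seed, counter), code):
            return delta
    return None


def login_attempt(server_time, tablet_offset, typing_delay=0, drift_steps=1):
    """Model one login.

    The user reads the code when the true time is server_time, on a tablet
    whose clock is wrong by tablet_offset seconds, and the code reaches the
    authentication server typing_delay seconds later.
    """
    code = totp(SEED, server_time + tablet_offset)
    return verify(SEED, code, server_time + typing_delay, drift_steps)


if __name__ == "__main__":
    cases = [
        ("tablet clock 400 s ahead", dict(server_time=120, tablet_offset=400)),
        ("tablet clock synced (2 s off)", dict(server_time=120, tablet_offset=2)),
        ("code read with 2 s left, no tolerance",
         dict(server_time=178, tablet_offset=0, typing_delay=7, drift_steps=0)),
        ("code read with 2 s left, one step tolerance",
         dict(server_time=178, tablet_offset=0, typing_delay=7, drift_steps=1)),
    ]
    for label, kwargs in cases:
        result = login_attempt(**kwargs)
        outcome = "rejected" if result is None else f"accepted (step offset {result})"
        print(f"{label}: {outcome}")
    print("seconds left on the code shown at t=178:", seconds_left(178))
```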
Index: 5.0
UseCase: Configure Remote User Protection
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Endpoints are frequently the target of initial compromise or attacks. One recent study found
that 30% of breaches involved malware being installed on endpoints. FortiClient Fabric Agent
strengthens endpoint security through integrated visibility, control, and proactive defense. With
the ability to discover, monitor, and assess endpoint risks, you can ensure endpoint compliance,
mitigate risks, and reduce exposure. FortiClient Fabric Agent proactively defends against
advanced attacks. Its tight integration with the Security Fabric enables policy-based automation
to contain threats and control outbreaks. FortiClient Fabric Agent is compatible with Fabric-
Ready partners to further strengthen enterprises’ security posture.

Time to Complete: 10 minutes


Index: 5.0 (a)
UseCase: Configure Remote User Protection
Objective Title: Deploy Endpoint Protection Profile
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

FortiClient Enterprise Management Server (FortiClient EMS) is a security management solution


that enables scalable and centralized management of multiple endpoint devices (computers).
FortiClient EMS is designed to meet the needs of small to large enterprises that deploy
FortiClient Fabric Agent on endpoints. Some of the benefits of deploying FortiClient EMS
include:

· Remotely deploying FortiClient Fabric Agent software to Windows PCs.


· Updating profiles for endpoint users regardless of access location, such as, administering
antivirus, web filtering, VPN, and signature updates.
· Administering FortiClient endpoint registrations, such as, accept, de-register, and block
registrations.
· Managing endpoints, such as, status, system, and signature information.
· Identifying outdated versions of FortiClient Fabric Agent software.
You can manage endpoint security for both Windows and Mac OS X platforms by using a unified
organizational security policy. An organizational security policy provides a full, understandable
view of the security policies defined in the organization. You can see all policy rules,
assignments, and exceptions in a single unified view.

Tasks

1. From Jumpbox Server, log in to the FortiClient EMS server at https://192.168.0.125 or use
the browser bookmark.
Username: admin Password: Fortinet1!

2. Click Endpoint Profiles > Manage Profiles.

3. Click Add at top right corner.


4. Enter Profile Name: Teleworkers_VPN

5. Click Advanced.

6. Click Malware and turn on AntiVirus Protection.

7. Click Sandbox and turn on Sandbox Detection.

8. Click Cloud.

9. Click Web Filter and turn on Web Filter.


10. Scroll down to Site Categories. Click + to expand Adult/Mature Content FortiGuard web
category.
11. Click drop-down icon beside Gambling web category and click Allow.
Note: The blocked category is being allowed to demonstrate FortiClient EMS Endpoint
control in a later exercise.
12. Click Firewall and turn on Application Firewall.
13. Click VPN and make sure VPN is turned on.
14. Click Vulnerability Scan and make sure it’s turned on.
15. Click System Settings.
16. Under UI, turn on Require Password to Disconnect from EMS.
17. Enter Password Fortinet1!
18. Click Save.
Index: 5.0 (b)
UseCase: Configure Remote User Protection
Objective Title: Create Endpoint Policy
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

Endpoint policies make it simpler to provision endpoints. You can now create and manage
endpoint policies to assign profiles and/or Telemetry gateway lists to domains, OUs, and
workgroups. You can also create and manage Chromebook policies to assign profiles to Google
domains.

Tasks

1. Click Endpoint Policy > Manage Policies.

2. Click Add.

3. Use the following information:

· Endpoint policy name: Teleworkers

· Endpoint domains: Click Edit > Checkmark dc=acmecorp,dc=net > Save


Note: acmecorp.net domain has been pre-configured and added to FortiClient
EMS under Endpoints > Domains.
· Endpoint workgroups: Click Edit > Checkmark All Groups > Save

· Endpoint profile: Default

· Endpoint profile (Off-net): Teleworkers VPN


Note: This profile is applied when the endpoint is off-network.

· On-Net Detection Rules: On-Net


· Telemetry gateway list: FortiGate-Edge.

· Click Save.
4. Click Change Priority located at top right corner.

5. Click on three dots icon and drag your mouse to move Teleworkers policy to the top of
the list.

6. Click Save Priority.


Stop and Think

Question: Which of the following subnets (pre-configured) determines if the endpoint is On-
Net? (Choose One)

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 4

Hint Text:

Hint

On the EMS check Policy Components > On-net Detection Rules

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer

The endpoint has a status of on-net when the endpoint is inside one of the on-net subnets
defined in the FortiClient EMS under Policy Components > On-net Detection Rules. In this case,
the On-Net-HQ-172.16.100.0/24 rule (pre-configured) defines that any endpoint outside of
172.16.100.0/24 (HQ’s DC_Network) should be considered off-net.

Answer Key:
2
Index: 6.0
UseCase: Demonstrate Remote User Secure Productivity
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

While working remotely, employees need to utilize corporate resources and safely traverse the
internet from a remote location such as their home, a coffee shop, an airport, or customer
location. In the previous exercises you have addressed the need for a secure and private
connection across the public internet, as well as the ability to verify identity to the organization
when connecting to the network, sensitive applications, or protected data.
In the following exercises you will now demonstrate the power and protection these simple
efforts can bring to your organization and remote users.

Time to Complete: 20 minutes


Index: 6.0 (a)
UseCase: Demonstrate Remote User Secure Productivity
Objective Title: Establish Remote Connection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

Using FortiClient and the FortiToken Mobile application remote users can quickly and securely
connect to the corporate network.

Tasks

Establish IPsec VPN Connection

1. Log in to Windows 10 (Remote) via CloudShare tab.

2. Click CON icon located at left on CloudShare under Remote Access Controls to switch to
console connection.
Note: When initiating a remote VPN connection, RDP connectivity will be lost as new
routes are injected into the routing table.

3. Click Send Ctrl-Alt-Delete icon located at left on CloudShare under Virtual Keyboard.
4. Login to the Windows machine using Bob’s credentials:
Username: bob Password: Fortinet1!

5. Open FortiClient on desktop.


Note: WEB FILTER is turned off and various other profiles such as antivirus, application
control etc. are missing.

6. Enter EMS IP 100.64.1.101 and click Connect.

Note: Within a few seconds, FortiClient Fabric Agent would sync with the EMS server via
Telemetry and start receiving configuration updates. All protection profiles such as
Malware Protection, Sandbox Detection, Web Filter, Application Firewall would be
enabled.

7. Click REMOTE ACCESS > Configure VPN.

8. Use the following information:

· VPN: IPsec VPN

· Connection Name: HQ-VPN

· Remote Gateway: 100.64.1.101

Note: This is the IP address of the WAN interface on FortiGate-Edge

· Authentication Method: Pre-shared key

· Enter Pre-shared key Fortinet1!

· Authentication (XAuth): Prompt on login

9. Click Save.
Log in to HQ-VPN

1. Enter Username bob@acmecorp.net

2. Type Password Fortinet1!

Note: If username/password prompt hasn’t shown up, navigate to any other section in
FortiClient and then click Remote Access.

3. Click Connect.
Note: Since you enforced two-factor authentication for user bob on FortiGate-Edge, a
prompt will come up asking for Token code.
4. Go to Android Tablet via CloudShare tab.

5. If the screen is in sleep mode, click Send Ctrl-Alt-Delete icon located at left on
CloudShare under Virtual Keyboard to wake it up.
6. Open FortiToken Mobile application to view the six-digit code.
Note: If asked for a PIN, enter 1234. If the token code is not visible, click on eye icon to
view the code. If the timer is about to expire, wait for a new code because by the time
you enter the token code into FortiClient, it would have already expired.
7. Enter the six-digit token code in FortiClient.

8. Click OK. The VPN connection should be up. FortiClient console would be minimized and
can be viewed from system tray.
Index: 6.0 (b)
UseCase: Demonstrate Remote User Secure Productivity
Objective Title: Secure Access to Corporate Resources
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

Once connected, access to remote folders, files and other network resources is as seamless as
being in the office.

Tasks

1. Now that the VPN is up and running, in the Start > Run dialog box on Windows 10 (Remote),
type the path \\172.16.100.10\Marketing.

Note: 172.16.100.10 is the IP address of Windows Server 2012 sitting in the HQ office.
Since you are connected to HQ through VPN, you will have access to HQ resources, for
example, SMB file shares, shared folders etc. in the same manner as you would have
while sitting in your cubicle locally in HQ itself.

2. Click OK.

3. You can download/upload (copy/paste) the Expense_Report_Feb_2020 on your desktop
and work on it from home or any remote location.
Index: 6.0 (c)
UseCase: Demonstrate Remote User Secure Productivity
Objective Title: Protect Endpoints
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

Working remotely does not mean that users need to sacrifice security. Security policies for
remote vs. local users can be exactly the same, or adjusted to account for individual work
requirements.

Tasks

1. Open Google Chrome browser.
Note: DON’T add the web filter Chrome extension if you see installation prompt.
2. Click betway bookmark.
Note: Access to gambling website would be allowed as we purposely allowed this web
category while configuring endpoint profile in FortiClient EMS.
3. Close the web browser.
4. From Jumpbox server, log in to the FortiClient EMS server via browser bookmark.
5. Click Endpoint Profiles > Manage Profiles.
6. Select Teleworkers VPN profile and click Edit.
7. Click Web Filter.

8. Scroll down to Site Categories. Click + to expand Adult/Mature Content FortiGuard web
category.
9. Click drop-down icon beside Gambling web category and click Block.
10. Click Save.

11. Click Endpoints > All Endpoints.

12. Click user bob and view Summary to see device information, location, policy
configuration, FortiClient version, AV or application control signature versions, events
and much more.
Note: FortiClient EMS provides visibility across the network to securely share
information and assign security profiles to endpoints.
13. Click checkmark box to select Bob’s Windows 10 machine.

14. Click Scan to view the available AV scan and Vulnerability scan options.
Note: Running the Vulnerability Scan from a centralized EMS server allows
administrators to get a good idea of high risk hosts and critical vulnerabilities existing on
endpoints. It also provides links on how to fix or repair the vulnerabilities.

15. Click Vulnerability Scan to start a vulnerability scan on Bob’s Windows 10 (Remote) host.
Note: Let the scan run in background as it would take some time for the scan to finish
successfully. Please continue to the next step.
16. Login to Windows 10 Remote.
17. Open Google Chrome.
Note: DON’T add the web filter Chrome extension if you see installation prompt.
18. Click betway browser bookmark.
19. A certificate error comes up. Click Advanced to proceed to website.
20. A block page appears which means access to gambling website has been blocked by the
FortiClient web filter.
Note: EMS pushed configuration updates to FortiClient after the change was made to the
Teleworkers endpoint profile’s web filter. Also, if you remember, you enabled the split tunnel
option for the Teleworkers IPsec VPN, so all of the Windows 10 Remote machine’s internet
traffic is routed through the local ISP router. In such scenarios, FortiClient can successfully
provide critical protection to corporate assets without overloading your organization’s Edge
firewall.

21. Open FortiClient console and click VULNERABILITY SCAN to see critical, high, medium
and low risk vulnerabilities detected on Windows 10 (Remote).

Note: If vulnerability scan is still in progress, please continue to the next objective. Once you
have completed all the use cases, you can always come back to check again. For more
information on patching vulnerabilities, endpoint grouping/tagging and additional endpoint
management functionalities that FortiClient EMS offers, do consider having a look at the
Endpoint Solution Fast Track.
Index: 6.0 (d)
UseCase: Demonstrate Remote User Secure Productivity
Objective Title: Remote Telephony
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

FortiFone provides unified voice communications with VoIP connectivity that is secured and
managed via FortiGate NGFWs. The FortiFone soft client interface allows users to make or
receive calls, access voicemail, check call history, and search the organization’s directory right
from a mobile device.

In this exercise you will demonstrate how workers can still access their office extension even
when working remotely.

Tasks

Configure Soft Phone Extension on FortiVoice

1. From Jumpbox Server, log in to the FortiVoice server at https://192.168.0.15/admin or use
the browser bookmark.

Username: admin Password: Fortinet1!

2. Click Extension > Extension > IP Extension.

Note: A soft phone extension for alice (ext. 5000) sitting on Windows Server (HQ) has
been pre-configured.
3. Click New and use the following information:

· Number: 5500

· Display name: bob

4. Click Soft Phone.


5. Set License Allocation: 1

6. Click Create.

Verify Soft Phone Registration Settings


1. Click Extension > Extension > IP Extension.

2. Select entry with Display Name bob and click Edit.

3. Click Soft Phone.

4. Click Desktop [View Login Information].


Register FortiFone to FortiVoice

1. Log in to Windows 10 (Remote).


Note: Make sure RDP connection under Remote Access Controls is selected. You may
need to log out user bob from console (CON) connection.

2. On the left side of the screen, under Sound, choose Enabled with High Quality from the
drop-down list.

3. Open FortiFone desktop application.


Note: Make sure HQ-VPN connection is up. If the VPN is down, establish the VPN
connection again before moving onto the next step.

4. Register the FortiFone as follows:

· Server: 172.16.100.15
Note: Since you are connected to the HQ-VPN, FortiFone can register to the
FortiVoice server’s local IP address in the DC_Network.
· Username: 5500
Note: 5500 is the IP extension configured earlier for user bob
· Password: 12345
5. Click Login.

6. Once the FortiFone is successfully registered, type Alice’s extension 5000 using keypad
and click dial button.

7. Log in to Windows Server (HQ) and you should see an incoming call from Bob.
Note: If you decide to pick up the FortiFone installed on Windows Server (Alice), the call
will drop and an error prompt ‘Microphone not detected' will show up on Alice’s
FortiFone. This is expected behavior. The issue is due to hardware limitations in the
hosted lab environment and is not representative of production use. The setup would
work seamlessly in a real production environment. The sole purpose of this whole lab
objective is just to demonstrate that remote telephony can be established using
FortiVoice and FortiFones and the task goal has been accomplished successfully.
Index: 7.0
UseCase: Conclusion
Objective Title: Review
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Review

After completing this Fast Track module, you should understand how to:
· Configure two-factor authentication necessary for secure access
· Create an inbound VPN policy on FortiGate that allows teleworkers to tunnel back to
corporate headquarters
· Configure Fortinet Endpoint Management Server (EMS) to protect remote users as
effectively as if they were located at the corporate office
· Demonstrate successful operation of these critical functions
Index: 7.0 (a)
UseCase: Conclusion
Objective Title: End of Session
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

You have successfully completed the
Fortinet Engineered for Remote and Secure Productivity
Hands-On Lab

Thank You

To get more information on this or other Fortinet solutions, please consider
looking at Fortinet's NSE training.

Please take a moment to complete our short survey located within web portal tab above.
