This example illustrates how to configure a FortiGate to use LDAP authentication to authenticate remote SSL VPN users. With a properly configured LDAP server, user and authentication data can be maintained independently of the FortiGate, accessed only when a remote user attempts to connect through the SSL VPN tunnel.
- Downloading and installing FSSO agent in the LDAP server
- Registering the LDAP server on the FortiGate
- Configuring Single Sign-On on the FortiGate
- Importing LDAP users
- Creating the SSL VPN user group
- Creating the SSL address range
- Configuring the SSL VPN tunnel
- Creating security policies
- Results
- Downloading and installing FSSO agent in the LDAP server
The current Forti OS version which we are using in our firewall is 5.2.5 build 701 (shown below)
Download and install FSSO client on your Domain Controller, find a download link here:
https://support.fortinet.com/Download/FirmwareImages.aspx
Accept the license and follow the Wizard. Enter the Windows AD administrator password.
Click Next, select the Advanced Access method
In the Collector Agent IP address field, enter the IP address of the Windows AD server.
Select the domain you wish to monitor.
Next, select the users you do not wish to monitor.
Under Working Mode, select DC Agent mode.
Reboot the Domain Controller.
Upon reboot, the collector agent will start up.
You can choose to Require authenticated connection from FortiGate and set a Password.
2. Registering the LDAP server on the FortiGate
Go to User & Device > Authentication > LDAP Servers to configure the LDAP server.
3. Configuring Single Sign-On on the FortiGate
Go to User & Device > Authentication > Single Sign-On and create a new SSO server.
Under Groups tab, select the user groups to be monitored. In this example, “FortiOS Writers” group is used.
4. Importing LDAP users
Go to User & Device > User > User Definition, and create a new user, selecting Remote LDAP User.
Choose your LDAP Server from the dropdown list.
You will be presented with a list of user accounts, filtered by the LDAP Filter to include only common user classes.
5. Creating the SSL VPN user group
Go to User & Device > User > User Groups to create a new FSSO user group.
6. Creating the SSL address range
Go to Policy & Objects > Objects > Addresses, and create a new address.
Set the Type to IP Range, and in the Subnet/IP Range field, enter the range of addresses you want to assign to SSL VPN clients. Select Any as the Interface.
Then create another Address for each Subnet or IP Range within your internal network to which remote users will connect.
7. Configuring the SSL VPN tunnel
Go to VPN > SSL > Portals and create the full-access portal or edit the full-access portal
Source IP pools > select from the drop down menu > SSL address range created above (point#6)
Go to VPN > SSL > Settings.
Under Connection Settings set Listen on Port to 443.
Under Authentication/Portal Mapping, select Create New.
Assign the LDAP group user group to the full-access portal
8. Creating security policies
Go to Policy & Objects > Policy > IPv4 and create an ssl.root – wan1 policy.
9. Results
Click on VPN client > Select SSl-VPN > click on New VPN > Give Connection Name
Type the IP Address of Remote Gateway ( WAN IP Address)
Click customize the port( default port# 443)
Click on Do not Warn Invalid Server Certificate
Click > Apply and close
Open the Forticlient >
Type your LDAP credentials and click on Connect.
That’s it.
Happy Browsing!!
Check this video for detailed information about installation,
source: FortiGate
lakkireddymadhu 