Fortigate SSL VPN With LDAP User Authentication
This is a sample configuration of remote users accessing the corporate network and the Internet
through an SSL VPN in tunnel mode using FortiClient.
Sample topology
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can
also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN
interface.
1. Configure the interface and firewall address. The port1 interface connects to the internal
network.
4. Click OK.
2. Go to User & Device > User Groups to create a group sslvpngroup with the member
sslvpnuser1.
1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-full-tunnel-portal.
6. Create a new Authentication/Portal Mapping for group sslvpngroup, mapping it to portal my-full-tunnel-portal.
2. Fill in the firewall policy name. In this example, sslvpn full tunnel access.
8. Click OK.
2. Configure the internal interface and protected subnet, then connect the port1 interface to the
internal network.
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end
4. Configure the SSL VPN web portal and predefine an RDP bookmark for the Windows server.
config vpn ssl web portal
    edit "my-full-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
6. Configure one SSL VPN firewall policy to allow remote users to access the internal network.
Traffic from the internal network to the remote client is dropped, because no policy allows it.
config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
- Set Remote Gateway to the IP of the listening FortiGate interface, in this example,
172.20.120.123.
6. Use the credentials you've set up to connect to the SSL VPN tunnel.
7. After the connection is established, all traffic except traffic to the local subnet goes through the tunnel to the FortiGate.
8. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
9. On the FortiGate, go to Log & Report > Traffic Log > Forward Traffic and view the details of the SSL
VPN entry.
The documentation was pretty inaccurate/unclear on a lot of this, so there was a bit of trial
and error. This assumes you're already familiar with setting up SSL VPN and already have it
working with local user accounts. Here's how you do it:
Prerequisites
You need your SSL VPN portal and settings configured already
You should also have already created your SSL VPN policy (allowing traffic from the SSL
VPN interface to your LAN)
That policy already requires a user or group; you can reuse that group for
the items below if desired
Set up LDAP Server
I'm using Active Directory, but you can use any LDAP based directory service. The example
below assumes your AD domain is domain.local.
Testing
At this point you should be done, because you already set up your SSL VPN, right? You
should be able to log in as the user now. If you are not able to log in, go to Log & Report > VPN Events to see
what the error is. You can also use the command diag test
authserver ldap "YOUR LDAP SERVER NAME" yourusername@domain.local
yourpassword to test authentication against the LDAP server directly.
SSL VPN with LDAP-integrated certificate authentication
This is a sample configuration of SSL VPN that requires users to authenticate using a
certificate with LDAP UserPrincipalName checking.
This sample uses Windows 2012R2 Active Directory acting as both the user certificate issuer,
the certificate authority, and the LDAP server.
Sample topology
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can
also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN
interface.
In this sample, the User Principal Name is included in the subject name of the issued
certificate. This is the user field we use to search LDAP in the connection attempt.
To use the user certificate, you must first install it on the user's PC. When the user tries to
authenticate, the user certificate is checked against the CA certificate to verify that it was
issued by that CA.
Every user should have a unique user certificate. This allows you to distinguish each user and
revoke a specific user’s certificate, such as if a user no longer has VPN access.
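The lookup described above, as an added example that is not part of the original recipe or of FortiOS: the User Principal Name is read from the certificate subject and turned into an LDAP search filter. It assumes the subject is available in string form with a UPN= component (the recipe says the UPN is placed in the subject name); the filter shape is illustrative, since the exact filter FortiOS sends is not on the page. The point worth seeing is the RFC 4515 escaping: a subject value containing `*` or `)` must not be allowed to widen the search.

```python
"""Extract the UPN from a client certificate subject and build a safe LDAP filter.

Added example, not FortiGate code: models the lookup described in the recipe,
in which the User Principal Name carried in the certificate subject is used to
find the user in LDAP. Assumptions: the subject is a string-form DN with a
"UPN=" component, and the search filter below is an illustrative form, not
the exact filter FortiOS sends.
"""
from __future__ import annotations

# RFC 4515: characters that must be escaped inside a filter assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_subject_dn(subject: str) -> dict[str, str]:
    """Parse 'CN=Bruce Wayne, UPN=bwayne@domain.local' into {'CN': ..., 'UPN': ...}.

    Honours RFC 4514 backslash escaping so a ',' inside a value does not split it.
    This is a string-form DN parser, not a full X.500/ASN.1 decoder.
    """
    attrs: dict[str, str] = {}
    parts: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):   # escaped character: keep it literally
            current.append(subject[i + 1])
            i += 2
            continue
        if ch == ",":                             # unescaped comma ends the RDN
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    for part in parts:
        key, sep, val = part.partition("=")
        if sep:
            attrs[key.strip().upper()] = val.strip()
    return attrs


def upn_from_subject(subject: str) -> str | None:
    """Return the UPN from the subject, or None if there is no usable UPN."""
    upn = parse_subject_dn(subject).get("UPN", "")
    return upn if "@" in upn else None


def ldap_filter_for_upn(upn: str) -> str:
    """Build a userPrincipalName search filter, escaping the value from the certificate.

    Without escaping, a subject containing '*' or ')' would change the filter's
    meaning; with it, the filter matches only the literal UPN.
    """
    return f"(&(objectClass=user)(userPrincipalName={escape_ldap_filter_value(upn)}))"


if __name__ == "__main__":
    subject = "CN=Bruce Wayne, UPN=bwayne@domain.local"   # constructed sample subject
    upn = upn_from_subject(subject)
    print(upn, "->", ldap_filter_for_upn(upn) if upn else "no UPN in subject")
```

Because every user has a unique certificate, the filter built from the subject resolves to exactly one directory object; a certificate whose subject carries no UPN is rejected before any LDAP query is made.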
To install the server certificate:
The server certificate is used for authentication and for encrypting SSL VPN traffic.
- Choose the Certificate file and the Key file for your certificate, and enter the
Password.
The CA certificate is the certificate that signed both the server certificate and the user
certificate. In this example, it is used to authenticate SSL VPN users.
1. Configure the interface and firewall address. The port1 interface connects to the internal
network.
4. Click OK.
5. Go to Firewall & Objects > Address and create an address for the internal subnet
192.168.1.0.
Set Password.
Once you have created a PKI user, a new menu is added to the GUI.
2. Go to User & Device > User > User Groups and create a group sslvpn-group.
3. Add the PKI peer object you created as a local member of the group.
4. Add a remote group on the LDAP server and select the group of interest.
The users must be members of that group; you can confirm this in the LDAP browser window.
2. Disable the Enable Split Tunneling option so that all SSL VPN traffic goes through the
FortiGate.
2. Fill in the firewall policy name. In this example, sslvpn certificate auth.
5. Set the Outgoing Interface to the local network interface so that the remote user can
access the internal network. In this example, port1.
8. Enable NAT.
2. Configure the internal interface and protected subnet, then connect the port1 interface to the
internal network.
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end
config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end
7. Configure one SSL VPN firewall policy to allow remote users to access the internal network.
config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpn-group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
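The two SSL VPN policies shown in this page differ in one important way: the first allows dstaddr "all", the second restricts the destination to the 192.168.1.0 address object. The following added example (my own code, not FortiGate's) parses policy blocks in the CLI format shown above and reports, for every policy that accepts traffic from ssl.root, whether it is tied to a user group and how broad its destination and service are. The sample configuration is constructed from the two policies on this page.

```python
"""Review FortiOS 'config firewall policy' text for over-broad SSL VPN policies.

Added example, not FortiGate code: a small parser for the CLI config blocks shown
on this page, followed by a least-privilege review of every policy whose source
interface is the SSL VPN interface (ssl.root).
"""
from __future__ import annotations
import shlex

# Constructed sample built from the two policy blocks shown on the page.
SAMPLE_CONFIG = '''
config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "sslvpn certificate auth"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpn-group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
'''


def parse_firewall_policies(config_text: str) -> dict[int, dict[str, list[str]]]:
    """Return {policy_id: {setting: [values]}} for the 'config firewall policy' table."""
    policies: dict[int, dict[str, list[str]]] = {}
    in_table = False
    current: dict[str, list[str]] | None = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "config firewall policy":
            in_table = True
            continue
        if not in_table:
            continue
        if line == "end":
            in_table = False
            continue
        tokens = shlex.split(line)          # handles the quoted values
        if tokens[0] == "edit":
            current = {}
            policies[int(tokens[1])] = current
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
    return policies


def review_sslvpn_policies(config_text: str, sslvpn_intf: str = "ssl.root") -> dict[int, list[str]]:
    """Return {policy_id: [findings]} for accept policies sourced from the SSL VPN interface."""
    findings: dict[int, list[str]] = {}
    for pid, settings in parse_firewall_policies(config_text).items():
        if sslvpn_intf not in settings.get("srcintf", []):
            continue
        if settings.get("action", ["deny"]) != ["accept"]:
            continue
        issues: list[str] = []
        if not settings.get("groups") and not settings.get("users"):
            issues.append("no user/group restriction: any SSL VPN user mapped to a portal matches")
        if settings.get("dstaddr") == ["all"]:
            issues.append('dstaddr "all": remote users can reach every destination behind the interface')
        if settings.get("service") == ["ALL"]:
            issues.append('service "ALL": consider limiting to the services remote users need')
        findings[pid] = issues
    return findings


if __name__ == "__main__":
    for pid, issues in review_sslvpn_policies(SAMPLE_CONFIG).items():
        print(f"policy {pid}: {issues or 'no findings'}")
```

Run against a full `show firewall policy` dump, the review lists every SSL VPN policy whose destination or service is wider than the recipe's protected subnet, which is the quickest way to spot a tunnel-mode policy that quietly grants remote users the whole LAN.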
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
- Set Remote Gateway to the IP of the listening FortiGate interface, in this example,
172.20.120.123.
Connecting to the VPN only requires the user's certificate. It does not require
username or password.
1. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the SSL VPN connection using the CLI:
Below is a sample output of diagnose debug application fnbamd -1 while the user connects. This is a
shortened sample showing only the important parts from a few places in the output. It shows the
lookups that find the user's group memberships (three groups in total) and that finding the correct
group results in a match.
You can also use diagnose firewall auth list to validate that a firewall user entry exists for the SSL
VPN user and is part of the right groups.
The current FortiOS version we are using on our firewall is 5.2.5 build 701 (shown
below).
Download and install the FSSO client on your Domain Controller; the download is available here:
https://support.fortinet.com/Download/FirmwareImages.aspx
Accept the license and follow the Wizard. Enter the Windows AD administrator password.
You can choose to Require authenticated connection from FortiGate and set a Password.
Go to User & Device > Authentication > LDAP Servers to configure the LDAP server.
Go to User & Device > User > User Definition, and create a new user, selecting Remote
LDAP User.
You will be presented with a list of user accounts, filtered by the LDAP Filter to include only
common user classes.
Set the Type to IP Range, and in the Subnet/IP Range field, enter the range of addresses
you want to assign to SSL VPN clients. Select Any as the Interface.
Then create another Address for each Subnet or IP Range within your internal network to
which remote users will connect.
Go to VPN > SSL > Portals and create the full-access portal, or edit the existing full-access portal.
Under Source IP Pools, select from the drop-down menu the SSL address range created above
(step 6).
9. Results
In this recipe, you will configure a site-to-site IPsec VPN that allows access to the remote
endpoint via SSL VPN. This involves a pre-existing user group, a tunnel-mode SSL VPN
with split-tunneling, and a route-based IPsec VPN between two FortiGates.
In the example, all sessions must start from the SSL VPN interface. If you want sessions to
start from the FGT_2 subnet, you will need additional policies. Furthermore, if the remote subnet
is beyond FGT_2 (if you have to cross multiple hops), you will need to add routes for the SSL VPN
subnet on those routers as well.
Set the Authentication Method to Pre-shared Key and enter the pre-shared key.
Set Local Interface to the internal interface and set Local Subnets to include the internal
and SSL VPN subnets for FGT_1.
Set Remote Subnets to include the internal subnet for FGT_2.
A summary page shows the configuration created by the wizard, including firewall address
groups (for both local subnets as well as the remote subnet), static routes, and security
policies.
Under Tunnel Mode Client Settings, enable Specify custom IP ranges and include the SSL
VPN subnet range created by the IPsec VPN wizard.
Under Authentication/Portal Mapping, add the VPN user group to the tunnel-access portal.
Set All Other Users/Groups to the web-access portal.
Turn on Enable Split Tunneling so that only traffic intended for the local or remote
networks will flow through FGT_1 and be subject to the corporate security profiles.
Next to Routing Address, add the local and remote IPsec VPN subnets created by the IPsec
VPN wizard.
Next to Source IP Pools, add the SSL VPN subnet range created by the IPsec VPN wizard.
Set Source to the SSL VPN subnet created by the IPsec VPN wizard and add the VPN user
group.
Set Destination to the local IPsec VPN subnet (which represents the internal subnet).
Disable NAT.
Create another policy that allows SSL VPN users access to the IPsec VPN tunnel.
Set Incoming Interface to ssl.root and set Outgoing Interface to the IPsec tunnel interface
(in this case, Site1).
Set Source to the SSL VPN subnet created by the IPsec VPN wizard and add the VPN user
group.
Disable NAT.
5. Configuring the site-to-site IPsec VPN on FGT_2
Go to VPN > IPSec Wizard.
Set the Authentication Method to Pre-shared Key and enter the pre-shared key that matches
the FGT_1 configuration.
Set Local Interface to the internal interface and set Local Subnets to include the internal
network subnet for FGT_2.
Set Remote Subnets to include the internal and SSL VPN subnets for FGT_1.
A summary page shows the configuration created by the wizard, including firewall address
groups (for the local subnet as well as both remote subnets), static routes, and security
policies.
6. Results
Go to Monitor > IPsec Monitor, highlight the tunnel, and select Bring Up.
Configure the SSL VPN connection on the user’s FortiClient and connect to the tunnel.
Using Command Prompt/Terminal on the user’s computer, send a PING through the tunnel
to the remote endpoint and confirm access.
Go to Monitor > Routing Monitor and verify the routes for the IPsec and SSL VPNs were
added.
Go to Monitor > SSL-VPN Monitor and verify the user connectivity.
Go to Log & Report > VPN Events and view the IPsec and SSL tunnel statistics.
Right-click an entry and select Drill Down to Details for more information about a
connection.
7. Debug
In order to diagnose potential issues, run the following debug commands on FGT_1 using the
CLI Console:
diag debug reset
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow filter addr 192.168.177.99
diag debug flow filter proto 1
diag debug flow trace start 2
diag debug enable
Send a PING through the SSL VPN tunnel to 192.168.177.99 and analyze the output of the
debug. Disable the debug output with the following command:
If the traffic is entering the correct VPN tunnel on FGT_1, then run the same commands on
FGT_2 to check whether the traffic is reaching the correct tunnel. If it is reaching the correct
tunnel, confirm that the SSL VPN tunnel range is configured in the remote side quick mode
selectors.
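Two things in this recipe are easy to get wrong and show up exactly in the debug output described above: the SSL VPN subnet must be present in FGT_1's local selectors and in FGT_2's remote selectors, and with split tunneling enabled only destinations listed under the portal's Routing Address are sent through the tunnel. The added example below (my own code, not FortiGate's) checks both with the standard ipaddress module. The subnets are constructed sample values; the page only names the remote host 192.168.177.99, so the FGT_2 subnet is assumed to be 192.168.177.0/24 and the SSL VPN pool 10.212.134.0/24.

```python
"""Check IPsec selector coverage and split-tunnel routing for SSL VPN over IPsec.

Added example, not FortiGate code. selector_gaps() finds local selectors that the
peer does not accept as remote (the mismatch the debug section tells you to look
for); tunneled_destination() answers whether a split-tunnel client would send a
given destination through the tunnel at all. The subnets are constructed sample
values, not taken from the page.
"""
from __future__ import annotations
import ipaddress
from typing import Iterable

# Constructed sample values (not from the page).
FGT1_INTERNAL = "10.10.10.0/24"
FGT1_SSLVPN_POOL = "10.212.134.0/24"   # assumed SSL VPN client address range
FGT2_INTERNAL = "192.168.177.0/24"     # assumed subnet containing 192.168.177.99


def _nets(items: Iterable[str]) -> list[ipaddress.IPv4Network]:
    """Normalise prefix strings into IPv4Network objects."""
    return [ipaddress.ip_network(str(i), strict=False) for i in items]


def selector_gaps(local_selectors: Iterable[str], peer_remote_selectors: Iterable[str]) -> list[str]:
    """Return the local selectors that no remote selector on the peer covers.

    Phase 2 selectors are matched pairwise: every subnet FGT_1 presents as local
    must be accepted as remote by FGT_2, or traffic from it never enters the
    tunnel. An empty list means the two sides agree.
    """
    remote = _nets(peer_remote_selectors)
    return [str(n) for n in _nets(local_selectors)
            if not any(n.subnet_of(r) for r in remote)]


def tunneled_destination(dst: str, routing_addresses: Iterable[str]) -> bool:
    """With split tunneling enabled, True only if dst lies inside a Routing Address subnet."""
    addr = ipaddress.ip_address(dst)
    return any(addr in n for n in _nets(routing_addresses))


def check_recipe() -> dict[str, object]:
    """Run both checks with the sample values and return the findings."""
    fgt1_local = [FGT1_INTERNAL, FGT1_SSLVPN_POOL]
    fgt2_remote_missing_pool = [FGT1_INTERNAL]            # the typical misconfiguration
    fgt2_remote_correct = [FGT1_INTERNAL, FGT1_SSLVPN_POOL]
    routing = [FGT1_INTERNAL, FGT2_INTERNAL]               # portal Routing Address list
    return {
        "gaps_when_pool_missing": selector_gaps(fgt1_local, fgt2_remote_missing_pool),
        "gaps_when_correct": selector_gaps(fgt1_local, fgt2_remote_correct),
        "ping_192.168.177.99_tunneled": tunneled_destination("192.168.177.99", routing),
        "internet_tunneled": tunneled_destination("203.0.113.10", routing),
    }


if __name__ == "__main__":
    for name, result in check_recipe().items():
        print(f"{name}: {result}")
```

When the SSL VPN pool is missing from FGT_2's remote selectors, the PING from the client reaches FGT_1's tunnel interface in the debug flow but never appears on FGT_2; the selector check above reports that exact subnet, which is what the debug session would eventually reveal.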
You can also run a sniffer command on FGT_1 as follows:
When you are satisfied with the debug output, disable the debug as follows:
This is a sample configuration of SSL VPN that uses FortiToken mobile push two-factor
authentication. If you enable push notifications, users can accept or deny the authentication
request.
Sample topology
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can
also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN
interface.
1. Configure the interface and firewall address. The port1 interface connects to the internal
network.
4. Click OK.
5. Go to Firewall & Objects > Address and create an address for the internal subnet
192.168.1.0.
2. Hover the pointer on FortiCare Support to check if FortiCare registered. If not, click
it and select Register.
3. Every FortiGate has two free mobile tokens. Go to User & Device > FortiTokens and
click Import Free Trial Tokens.
1. Ensure server-ip is reachable from the Internet and enter the following CLI commands:
config system ftm-push
    set server-ip 172.20.120.123
    set status enable
end
5. Click OK.
1. Go to User & Device > User Definition to create a local user sslvpnuser1.
3. Enable Two-factor Authentication and select one mobile token from the list.
6. Go to User & Device > User Groups to create a group sslvpngroup with the member
sslvpnuser1.
2. Disable the Enable Split Tunneling option so that all SSL VPN traffic goes through the
FortiGate.
5. Under Authentication/Portal Mapping, set default Portal web-access for All Other
Users/Groups.
2. Fill in the firewall policy name. In this example, sslvpn certificate auth.
5. Set the Outgoing Interface to the local network interface so that the remote user can
access the internal network. In this example, port1.
8. Enable NAT.
1. From a remote device, use a web browser to log into the SSL VPN web portal
https://172.20.120.123:10443.
The FortiGate pushes a login request notification through the FortiToken mobile
application.
When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.
4. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user connection.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
o Set Remote Gateway to the IP of the listening FortiGate interface, in this example,
172.20.120.123.
The FortiGate pushes a login request notification through the FortiToken mobile
application.
When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.
1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the web portal login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User           Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1    1(1)        229       10.1.100.254   0/0           0/0
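Several of the recipes above end with "verify the list of SSL users" in the monitor. The added example below (my own code, not FortiGate's) parses the SSL VPN Login Users table in the format shown above, confirms that the expected user is connected, and lists any session whose source address is outside an allow-list of networks, which is the check an operator would script after a change. The sample output is constructed: the first row is the one shown on the page, the second is invented for contrast.

```python
"""Parse 'get vpn ssl monitor' output and check the SSL VPN login sessions.

Added example, not FortiGate code. Handles only the "SSL VPN Login Users" table
in the column layout shown on the page (Index, User, Auth Type, Timeout, From,
HTTP in/out, HTTPS in/out); parsing stops at the next section header.
"""
from __future__ import annotations
import ipaddress
from typing import Iterable

# Constructed sample: row 0 is the page's own output, row 1 is invented.
SAMPLE_OUTPUT = """\
SSL VPN Login Users:
 Index   User           Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1    1(1)        229       10.1.100.254   0/0           0/0
 1       sslvpnuser2    1(1)        180       203.0.113.7    0/0           0/0

SSL VPN sessions:
"""

COLUMNS = ("index", "user", "auth_type", "timeout", "from", "http_in_out", "https_in_out")


def parse_ssl_login_users(output: str) -> list[dict[str, str]]:
    """Return one dict per row of the SSL VPN Login Users table."""
    sessions: list[dict[str, str]] = []
    in_table = False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped == "SSL VPN Login Users:":
            in_table = True
            continue
        if not in_table or not stripped:
            continue
        if stripped.endswith(":"):             # a new section begins; the table is over
            break
        fields = stripped.split()
        # Skip the column header and anything that is not a well-formed row.
        if len(fields) != len(COLUMNS) or not fields[0].isdigit():
            continue
        sessions.append(dict(zip(COLUMNS, fields)))
    return sessions


def user_connected(sessions: Iterable[dict[str, str]], username: str) -> bool:
    """True if the named user has a login session."""
    return any(s["user"] == username for s in sessions)


def sessions_from_outside(sessions: Iterable[dict[str, str]], allowed_networks: Iterable[str]) -> list[str]:
    """Usernames whose source address is not inside any allowed network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    return [s["user"] for s in sessions
            if not any(ipaddress.ip_address(s["from"]) in n for n in nets)]


if __name__ == "__main__":
    found = parse_ssl_login_users(SAMPLE_OUTPUT)
    print("sslvpnuser1 connected:", user_connected(found, "sslvpnuser1"))
    print("sessions from outside 10.1.100.0/24:", sessions_from_outside(found, ["10.1.100.0/24"]))
```

Feed it the real output of `get vpn ssl monitor` captured over SSH and the allow-list of networks your remote users are expected to connect from; any username it returns is a session worth looking at in Log & Report > VPN Events.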
Do you want your mobile users to always have access to the applications inside your company
through a web browser? In this tutorial, I will show you how to configure a Fortinet firewall
(FortiGate), and then we will set up an SSL VPN tunnel on it so that a user outside your network
can access specific applications.
With the SSL VPN we are going to configure, we will allow users to connect to certain devices on
the internal network.
General
Logging in
Start by logging in to the firewall's administration interface: enter the IP address of your
firewall in a web browser. The default credentials are "admin" for the login, with an empty
password field.
Configuring the interfaces
I start by configuring the WAN interface, which will be connected to my physical port 1.
For the "Role" field, select "WAN", and in the "IP/Network Mask" section replace "X.X.X.X"
with the IP address and "Y.Y.Y.Y" with the associated mask.
Next, configure the LAN interface. In the "Role" field, select "LAN", then in the
"IP/Network Mask" section enter the IP address you are assigning to your firewall and the
associated mask.
LAN to WAN link
We will now create a rule to allow traffic from the LAN to the WAN.
Go to the "IPv4 Policy" menu and click "Create New":
In this rule, we allow all traffic from the LAN to the WAN. In a real environment, you should
restrict the flows to what you actually need.
You should end up with a configuration like the one below. Click "OK" at the bottom of the page
to apply your changes.
In the "SSL-VPN Settings" menu, fill in the fields as shown below. Make sure you select the WAN
interface as the listening interface (port 1 in this tutorial):
Creating the firewall rules
Return to the "IPv4 Policy" menu and click "Create New":
After all this configuration, it is time to test. Access your SSL VPN from a web browser by
entering the following address: https://[VOTRE_IP_PUBLIQUE] (your public IP address). You
should see a login page. Enter the credentials of the user created at the beginning of this
tutorial.
Now that you are connected to your SSL VPN, you can test that the shortcut you created works.
Click "GUI_FW".
The recipe assumes that an LDAP server has already been configured and connected on the
FortiGate, containing the user ‘bwayne’. For instructions on configuring FortiAuthenticator as
an LDAP server, see LDAP authentication for SSL VPN with FortiAuthenticator.
Enter a name for the user group, and under Remote Groups, select Create New.
Assign the LDAPgroup user group to the full-access portal, and assign All Other Users/Groups
to the desired portal.
If it is not already available, create another policy allowing internal access to the Internet.
4. Results
On your Android smartphone, open the FortiClient app and create a new VPN.
Give the VPN a name (in the example, SSL to 121.56), and set the VPN Type to SSL VPN. Select Create.
The SSL VPN settings will appear. Set Server to the IP of the FortiGate (in the example,
172.20.121.56), and set the Port to 10443.
Set Username to the desired LDAP user (in the example, bwayne), and set the user’s
password.
Return to FortiClient’s list of VPN Tunnels, and connect to the newly created SSL VPN.
User ‘bwayne’ is now connected to the SSL VPN tunnel and can securely browse the Internet.