KB ID 0001725
Problem
FortiGate Remote Access (SSL-VPN) is a lot easier to set up than the equivalent on competing firewalls. Here’s how to set up remote access to a FortiGate firewall, using the FortiClient software and Active Directory authentication. This is what my topology looks like:
Note: I’ve changed the FortiGate’s default management HTTPS port from 443 to 4433 (before I started). This was so I could use the proper HTTPS port of 443 for remote access SSL-VPN. I suggest you do the same, as running SSL-VPN over an ‘odd’ port may not work from some locations. See the following article:
FortiGate: Change the HTTPS Management Port
Certificate: I’m also using a self-signed certificate on the FortiGate; in a production environment you may want to purchase a publicly signed one!
Step 1: FortiGate LDAPS Prerequisites
Before we start, we need to make sure your firewall can resolve internal DNS. This is because the name on your Domain Controller(s)’ Kerberos certificate gets checked when doing LDAPS queries (if you DON’T want that, disable the server identity check when you set up your LDAP server below). Alternatively you can add the IP address to the server’s Kerberos certificate as a ‘Subject Alternative Name’, but that’s a bit bobbins IMHO.
Network > DNS > Specify > Add in your ‘Internal’ DNS servers > Apply.
Certificate Prerequisites
To perform LDAPS the FortiGate needs to trust the certificate(s) that our domain controller(s) use. To enable that you need a copy of the CA certificate for the CA that issued them. If you’re confused at this point, you might want to run through the following article:
Get Ready for LDAPS Channel Binding
So, to get a copy of your CA cert on a Windows CA server, use the following command:
certutil -ca.cert My-Root-CA-Cert.cer
To ‘Import’ the certificate into the FortiGate > System > Certificates > Import > CA Certificate.
File > Upload > Browse to your CA Certificate > Open > OK.
Take note of the certificate name (CA_Cert_1 in the example below); you will need this information later.
Step 2: Allow FortiGate LDAPS Authentication (Active Directory)
User & Authentication > LDAP Servers > Add.
- Name: Something Sensible!
- Server IP/Name: Use the FQDN of the server (or you need to put the IP on the Kerberos certificate as a SAN!)
- Server Port: 636 (We’re not using 389; plain LDAP is NOT secure!)
- Common Name Identifier: sAMAccountName
- Distinguished Name: Enter the DN for either the top level of your domain or an OU that’s got all your users/groups in.
- Bind Type: Regular.
- Username: In DOMAIN\username format. Note: A normal domain user account is sufficient; it DOES NOT need to be a domain administrator.
- Password: For the above user.
- Secure Connection: LDAPS.
- Certificate: Select YOUR CA Certificate.
- Server Identity Check: Enabled.
Click ‘Test Connectivity’. It should say successful; then you can check some other domain user credentials as a test > OK.
Domain / Active Directory Setup
Over in my Active Directory I’ve created a security group called GS-VPN-Users, and put my user object into it.
Now I need to create a FIREWALL GROUP and add my ACTIVE DIRECTORY GROUP to that. User & Authentication > User Groups > Create New.
- Name: Something sensible!
- Type: Firewall
Remote Groups > Add.
Change the Remote Server drop-down list to your LDAPS server > Browse to your ACTIVE DIRECTORY GROUP, right click and Add Selected (Cheers, that took me three goes to find, Fortinet!) > OK.
All being well, you should see your LDAPS server AND the distinguished name of your AD group (check that it’s not missing!) > OK.
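The same Step 1 DNS setting, LDAPS server and firewall group expressed in FortiOS CLI syntax, as an added example (this is my reconstruction of the GUI steps above, not configuration taken from the article). The DNS addresses, the domain controller FQDN, the base DN, the bind account and the group DN are placeholders you would replace with your own; the CA certificate name CA_Cert_1 is the one noted in Step 1. Lines starting with # are explanatory comments.

```fortios
# Added example: FortiOS CLI equivalent of Steps 1 and 2 (not from the original article).
# Placeholder values (assumptions): 10.0.0.10/11, dc01.example.local, EXAMPLE\svc-fortigate-ldap,
# DC=example,DC=local and the GS-VPN-Users group DN. Replace them with your own.

# Step 1: internal DNS, so the DC's FQDN resolves and its certificate name can be checked.
config system dns
    set primary 10.0.0.10
    set secondary 10.0.0.11
end

# Step 2: LDAPS server. Port 636 with 'secure ldaps', the imported CA certificate and the
# server identity check enabled, so a mis-issued or substituted DC certificate fails the bind.
config user ldap
    edit "AD-LDAPS"
        set server "dc01.example.local"
        set port 636
        set cnid "sAMAccountName"
        set dn "DC=example,DC=local"
        set type regular
        set username "EXAMPLE\\svc-fortigate-ldap"
        set password <service-account-password>
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set server-identity-check enable
    next
end

# Firewall group that only matches members of the AD security group GS-VPN-Users.
# The match entry is what the GUI shows as the LDAPS server plus the group's distinguished name.
config user group
    edit "FW-VPN-Users"
        set member "AD-LDAPS"
        config match
            edit 1
                set server-name "AD-LDAPS"
                set group-name "CN=GS-VPN-Users,OU=Groups,DC=example,DC=local"
            next
        end
    next
end
```

The CLI equivalent of the ‘Test Connectivity’ and user credential check is `diagnose test authserver ldap AD-LDAPS <username> <password>`; its output also lists the groups the user was matched against, which is a quick way to confirm the group DN above is correct.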
Step 3: Setup FortiGate SSL-VPN
First we need an SSL Portal > VPN > SSL-VPN Portals > Create New.
- Name: Something sensible!
- Enable Split Tunnelling: Enabled. (If you don’t do this then remote clients need to come through the FortiGate for web access; I usually enable split tunnelling.)
- Source IP Pools: Add, then Create.
Address.
- Name: Something sensible!
- Type: IP Range
- IP Range: The subnet you want to use. (Note: If you are routing on your LAN, make sure there’s a route back to the FortiGate for this subnet or bad things will happen!)
- Interface: SSL-VPN tunnel interface
OK.
Enter a portal message, (the header on the page once a remote user connects) > Enable FortiClient download > OK.
If you see the following error, that’s because on some smaller firewalls (like the 40F) there can only be one SSL-VPN portal, so you need to edit the one that is there by default.
“Maximum number of entries has been reached.”
FortiGate SSL-VPN Settings
VPN > SSL-VPN Settings > Listen on Interfaces.
Set to the outside (WAN) interface > Address Range > Specify custom IP Ranges > IP Ranges > Add in the pool you created above.
DNS Server > Specify > Add in your internal DNS servers > Authentication Portal Mapping > Create New.
- Users/Groups: Your AD GROUP.
- Portal: Your Portal
OK.
Apply. (Note: If it complains that ‘All Other User/Group’ is not configured, set that to web-access, as shown.)
FortiGate SSL-VPN Firewall Policy
Policy & Objects > Firewall Policy (or IPV4 Policy on older versions) > Create New.
- Name: Something sensible.
- Incoming Interface: SSL-VPN Tunnel Interface.
- Outgoing Interface: Inside (LAN).
- Source: Your remote IP Pool AND your FIREWALL GROUP.
- Destination: Local LAN (remember if you want DMZ access, add that in also)
- Schedule: Always
- Action: Accept
- NAT: Disabled
- Generate logs when session starts: Enabled
OK.
Step 4: Test FortiGate SSL-VPN
From your remote client, browse to the public IP/FQDN of the firewall and log in. You should see the SSL-VPN portal you created and have the option to download the FortiClient (VPN) software for your OS version.
Install the FortiClient (Note: This is only the VPN component not the full FortiClient).
Remote Access > Configure VPN.
- VPN: SSL-VPN.
- Connection Name: Something sensible.
- Remote Gateway: IP or FQDN of the FortiGate.
- Authentication: Prompt on Logon (unless you want it to remember).
- Do not warn invalid Server Certificate: Enabled (Unless you are using a publicly signed certificate on your FortiGate).
Save.
Then test the connection; make sure you can ping internal IP addresses and DNS names.
Related Articles, References, Credits, or External Links
NA