Force Remove FortiClient

Remove FortiClient KB ID 0001804

Problem

I don’t know if its’ just bad coding, or an attempt at security, but the fact that the ‘uninstall’ option is missing from add remove programs for the FortiClient is a bit annoying.

Remove FortiClient Solution

While attempting to remedy this I came across the following command, which is supposed to remove the client software, which it did NOT do, but it did give me the option to uninstall back again.

[box]

wmic product where "name like 'Forti%%'" call uninstall /nointeractive

[/box]

Now we can uninstall.

Related Articles, References, Credits, or External Links

NA

FortiClient Azure Authentication

FortiClient Azure KB ID 0001797

Problem

More and more people are using Azure as their primary identity provider, thanks in no small part to the massive success of Office/Windows 365. So if you want to provide a FortiGate/FortiClient SSL remote access VPN solution then securing it via Azure makes a lot of sense.

Multi Factor Authentication: If you have MFA on your Azure accounts then that’s a big box ticked for your accreditations and digital liability insurance also. This article does not cover enabling MFA in Azure, we are assuming you already have that enabled. I’ve covered that in other articles anyway, (use the search box above!)

Essentially your firewall will redirect authentication (via SAML) to Azure when you attempt to connect either via the web or tunnelled with the FortiClient.

Note: You can of course Use Azure MFA With Microsoft NPS (RADIUS) Server but this would require an additional server.

FortiClient Azure Authentication

FortiClient Azure Prerequisites

You will need an Azure subscription (a trial one is fine), obviously a FortiGate firewall, and a publicly signed certificate for the firewall (see below).

Note: Stop asking if you can use self signed certs – this one cost me six dollars! It needs to be publicly signed so Azure trusts it!

Add and Configure the FortiGate SSL VPN Application

From within your Azure tenancy, locate Enterprise applications and choose to add a new one.

Do a search for Forti and you should see the FortiGate SSL VPN application, select it.

In the setup single sign on  section, click ‘Get Started’.

Select SAML.

The ‘Vast Majority’ of the work that needs to be done will be done in here. In Section 1 (Basic SAML Configuration)  you will enter FOUR URLs (these URLs will reside on your FortiGate). 

Change the values in red to match your own publicly resolvable FQDN, (which will match the CN on your certificate).

Identifier (Entity-ID)

[box]

https://vpn.petenetlive.com/remote/saml/metadata

[/box]

Reply URL (Assertion Consumer Service URL)

[box]

https://vpn.petenetlive.com/remote/saml/login

[/box]

Sign on URL (Yes it’s the same as the one above!)

[box]

https://vpn.petenetlive.com/remote/saml/login

[/box]

Then scroll down.

Log out URL 

[box]

https://vpn.petenetlive.com/remote/saml/logout

[/box]

Then SAVE.

Section 2: Attributes and Claims, click edit.

Add a new claim.

Name = username, Source attribute = user.userprinciplename > Save.

Select the existing user.groups value > Change it to ‘All Groups’ > Tick ‘Customise the same of the group claim’ > Set the name to group > Save.

Note: It can take little while for the main page to refresh .

Section 3: SAML Signing Certificate. Download the Base64 version of the certificate.

Back on your FortiGate > System > Certificates > Import > Remote Certificate.

If you can’t see certificates click here.

Browse to and upload the certificate you just dowloaded.

Make a note of the certificate name, in this case it’s REMOTE_Cert_2 (You will need this later).

Section 4: Setup FortiGate SSL VPN. In this section there are three URLs that you need to take a copy of (they are used in the code block you will post into the FortiGate.

You now have all the elements you need to paste the following code block into your FortiGate, the following elements IN RED should be changed to match yours.

set-cert is the NAME that the FortiGate has given to its public cert, (mine’s the same as its common name, yours may be something else!)

entity-id, single-sign-on-url, and single-log-out-url are the URLs you pasted into section 1 (above).

idp-entity-id, idp-single-sign-on-url, and idp-single-log-out-url are the URLs you copied out of section 4 (above).

idp-cert is the NAME that the FortiGate has given to the cert you dowloaded from section 3 (above)

user-name and group-name are the attributes and claims you setup in section 2 (above).

[box]

config user saml
edit SSL-Azure-SAML
set cert vpn.petenetlive.com
set entity-id https://vpn.petenetlive.com/remote/saml/metadata
set single-sign-on-url https://vpn.petenetlive.com/remote/saml/login
set single-logout-url https://vpn.petenetlive.com/remote/saml/logout
set idp-entity-id https://sts.windows.net/de742342-edf0-49e7-8ca3-1402fddc17bc/
set idp-single-sign-on-url https://login.microsoftonline.com/de742342-edf0-49e7-8ca3-1402fddc17bc/saml2
set idp-single-logout-url https://login.microsoftonline.com/de742342-edf0-49e7-8ca3-1402fddc17bc/saml2
set idp-cert REMOTE_Cert_2
set user-name username
set group-name group
next
end

[/box]

Azure Groups

You will need a group in Azure created with the users that you wish to be able to authenicate into to the remote VPN. Take a copy of its Object ID (you will need that shortly).

With that object ID you can create a ‘Group’ on the FortiGate with the following code block

[box]

config user group
edit AAD-Remote-VPN
set member SSL-Azure-SAML
config match
edit 1
set server-name SSL-Azure-SAML
set group-name 02f047b1-8db2-4474-84df-21af6a16204c
next
end
next
end

[/box]

You will also need to add this group (In Azure) into the FortiGate SSL VPN application > users and groups > add user/group.

Click ‘None Selected” > Select your user group > Select.

Heed the warning! No nested groups, which is a little annoying, but you can’t say they didn’t warn you > Accept.

FortiGate SSL VPN

I’m going to use the basic settings to get this up and running, VPN > SSL VPN Settings > Listen on Interfaces (set to the outside facing interface (that the certificate name points to!) Server Certificate set to your publicly signed certificate > Scroll down.

Note: If you see a warning about not having configured SSL policy, dont worry we will fix that in a moment.

Create New.

Select the AAD user group (we created with the second code block) and set the Portal, (here I’m using full access so the remote client can use the web, or full tunnel options) > OK.

Policy & Objects > Firewall Policy > Create New.

Give the policy a sensible name > Incoming Interface will be SSL-VPN (Not outside!) > Outgoing interface is usually the inside (unless you have DMZs etc) > Source, add in All and your AAD-Group you created with the second code block above >  DISABLE NAT > Scroll down.

Change Logging to ‘All sessions’ (Note: once fully deployed, you can change this to security events) > OK.

Note: It may error at this point if the portal you have chosen, (in this case full-access) has split tunnelling enabled, you can either disable split tunnelling on the portal, or change All in the destination section to a particular subnet on the the LAN).

Testing Forti Web SSL With Azure

From an external client connect the web address of your FortiGate, all being well it should redirect you to Azure, (or your ADFS portal if you use ADFS).

Provision authentication is successful, you should see something like this.

Testing FortiClient Azure SSL VPN With Azure

Install the FortiClient, (here I’m using the VPN only version). Give the connect a sensible name > Set the gateway to your public FQDN, and tick ‘Enable Single Sign On (SSO) for VPN Tunnel > Save.

SAML Login

After your Microsoft authentication prompt appears, the client should connect successfully.

Related Articles, References, Credits, or External Links

Microsoft: Azure AD SSO with FortiGate

Fortinet: Configuring SAML SSO login for SSL VPN

FortiClient SSL VPN Error

VPN Error KB ID 0001795

Problem

I have a FortiGate/FortiClient test bench setup for testing, and its to been used for a while. When I attempted to use it this happened;

Unable to logon to the server. Your username or password may not be configured properly for this connection. (-12)

While messing around trying to fix it I also got this error;

Unable to establish the VPN connection. The VPN server may be unreachable. (-14)

Disclaimer: That second error can also be caused if the FortiClient is unlicensed (which you can clearly see, it is.) So this might be a red herring.

VPN Error: Solution

This took ages for me to fix. The common consensus is this is usually caused by a setting in the machines internet properties. Open an administrative command windows and run inetcpl.cpl The firs this I was asked to do was  > Advanced  >  Reset > Tick Delete Personal Settings > Reset.

Security > Trusted Sites (set slider to Medium) > Sites > Add in the URL my FortiClient was trying to reach, (yours will be a public IP or DNS name)  > Close.

Advanced Tab > Security > Tick Use SSL 3.0  > Apply > OK.

In my case all of these DID NOT solve my problem, I’ve seen strange errors with LDAP username and passwords, so I made sure the firewall could ping the FQDN of the LDAP server, and it successfully authenticated me (I’ve seen the GUI auth test work, and the command line one fail in the past).

Then I debugged the SSL VPN and got the following error;

Removed for tunnel connection setup timeout.

In the end I changed TWO things and it started to work. Firstly I uninstalled the FortiClient, and installed the latest version.

Secondly I looked at my SSL VPN Settings and noticed the group was set to a firewall group and NOT my LDAP (Active Directory) group. which I changed.

Other possible fixes I found on my trawl – that were not applicable to me;

  • Active Directory User Account (Account or Password Expired)
  • Theres no firewall policy for the SSL VPN Traffic (See this article).
  • Your AD password is using some ‘Odd Characters“, (test with an alphameric password).
  • Your AD user has “user must change the password on next login” enabled.
  • You’re trying to cone too eh SSL VPN fro BEHIND the FortiGate (not outside).

So this seems like a very generic error. If you come up with a different fix, or one that didn’t work for me, but worked for you. Please take the time to post below to help the next technical traveller.

Related Articles, References, Credits, or External Links

NA

FortiClient: Unlicensed VPN access is available until..

KB ID 0001745

Problem

I got an email from a client I deployed SSL VPN for, (a couple of weeks ago), one of his users was seeing this;

 

Unlicensed VPN access is available until {Date} {Time}

Solution: Unlicensed VPN access is available until…

At first I was confused, unlike other vendors SSL VPN is not a licensed requirement? As it turns out in my instructions, I’d written ‘Download the Forticliet” when I should have said ‘scroll to the bottom and download the ‘FortiClient VPN’ version’.

That will teach me!

Related Articles, References, Credits, or External Links

NA

FortiGate: SSL-VPN With FortiClient (AD Authenticated)

KB ID 0001725

Problem

FortiGate Remote Access (SSLVPN ) is a solution that is a lot easier to setup than on other firewall competitors. Here’s how to setup remote access to a FortiGate firewall device, using the FortiClient software, and Active Directory authentication. This is what my topology looks like;

Note: I’ve changed the FortiGates default management HTTPS port from 443 to 4433 (before I started). This was to let me use the proper HTTPS port of 443 for remote access SSL VPN. I suggest you also do this, as running SSL-VPN over an ‘odd’ port may not work from some locations. See the following article;

FortiGate: Change the HTTPS Management Port

Certificate: I’m also using a self signed certificate on the FortiGate, in a production environment you may want to purchase a publicly signed one!

Step 1: FortiGate LDAPS Prerequisites

Before we start, we need to make sure your firewall can resolve internal DNS. (Because the Kerberos Certificate name on your Domain Controller(s) gets checked, when doing LDAPS queries, if you DON’T want to do this then disable server identity check when you setup your LDAP server below). Or you can add the IP address to the servers Kerberos certificate as a ‘Subject Alternative Name‘ but thats a bit bobbins IMHO

Network > DNS > Specify > Add in your ‘Internal” DNS servers > Apply.


Certificate Prerequisites

To perform LDAPS the FortiGate needs to trust the certificate(s) that our domain controller(s) use. To enable that you need a copy of the CA Certificate, for the CA that issued them. At this point if  you’re confused, you might want to run through the following article;

Get Ready for LDAPS Channel Binding

So to get a copy of your CA cert on a Windows CA server use the following command;

[box]

certutil -ca.cert My-Root-CA-Cert.cer

[/box]


To ‘Import‘ the certificate into the Fortigate > System > Certificates > Import > CA Certificate.

File > Upload > Browse to your CA Certificate > Open > OK.

Take note of the certificate name, (CA_Cert_1 in the example below,) you will need this information below.

Step 2: Allow FortiGate LDAPS Authentication (Active Directory)

User & Authentication > LDAP Servers > Add.

  • Name: Something Sensible!
  • Server IP/Name: Use the FQDN of the server (or you need to put the IP on the Kerberos certificate as a SAN!)
  • ServerPort: 636 (We’re not using 389 LDAP is NOT secure!)
  • Common Name Identifier: sAMAccountName
  • Distinguished Name: Enter the DN for either the top level of your domain or an OU that’s got all your users/groups in.
  • Bind Type: Regular.
  • Username: in DOMAIN\username format Note: A normal domain user account is sufficient it DOES NOT need to be a domain administrator.
  • Password: For the above user.
  • Secure Connection: LDAPS.
  • Certificate: Select YOUR CA Certificate.
  • Server Identity Check: Enabled.

Click ‘Test Connectivity‘ It should say successful, then you can check some other domain user credentials as a test > OK.

Domain / Active Directory Setup

Over in my Active Directory I’ve created a security group called GS-VPN-Users, and put my user object into it.

Now I need to create a FIREWALL GROUP and add my ACTIVE DIRECTORY GROUP to that. User & Authentication > User Groups > Create New.

  • Name: Something sensible!
  • Type: Firewall

Remote Groups > Add.

Change the Remote Server drop down list to be your LDAPS Server > Browse to your ACTIVE DIRECTORY GROUP, right click and Add Selected (Cheers, that took me three goes to find FortiNet!) > OK.

All being well you should see your LDAPS server AND the distinguished name of your AD group, (check that’s not missing!) > OK.

Step 3: Setup FortiGate SSL-VPN

First we need an SSL Portal > VPN  > SSL-VPN Portals > Create New.

  • Name: Something sensible!
  • Enable Split Tunnelling: Enabled. (If you don’t do this then remote clients need to come though the FortiGate for web access, I usually enable split tunnel).
  • Source IP Pools: Add Then Create.

Address.

  • Name: Something sensible!
  • Type: IP Range
  • IP Range: The subnet you want to use. (Note:If you are routing on your LAN, make sure there’s a route back to the FortiGate for this subnet or bad things will happen!)
  • Interface: SSL-VPN tunnel interface

OK.

Enter a portal message, (the header on the page once a remote user connects)  > Enable FortiClient download > OK.

If you see the following error, that’s because on some smaller firewalls, (like the 40F) there can only be one, so you need to edit the one that is there by default.

Maximum number 0f entries has been reached.

FortiGate SSL-VPN Settings

VPN  > SSL-VPN Settings > Listen on Interfaces.

Set to the outside (WAN) interface > Address Range > Specify custom IP Ranges > IP Ranges > Add in the pool you created above.

DNS Server > Specify > Add in your internal DNS servers > Authentication Portal Mapping > Create New.

  • Users/Groups: Your AD GROUP.
  • Portal: Your Portal

OK.

Apply (Note: If it complains ‘All Other User/Group‘ is not configured, set that to  web-access (as shown).

FortiGate SSL-VPN Firewall Policy

Policy & Objects > Firewall Policy (or IPV4 Policy on older versions) > Create New.

  • Name: Something sensible.
  • Incoming Interface: SSL-VPN Tunnel Interface.
  • Outgoing Interface: Inside (LAN).
  • Source: Your remote IP Pool AND your FIREWALL GOUP.
  • Destination: Local LAN (remember if you want DMZ access, add that in also)
  • Schedule: Always
  • Action: Accept
  • NAT: Disabled

  • Generate logs when session starts: Enabled 

OK.

Step 4: Test FortiGate SSL-VPN

From your remote client, browse to the public IP/FQDN of the firewall and log in, you should see the SSL-VPN portal you created, and have the option to download the FortiClient (VPN) software for your OS version.

Install the FortiClient (Note: This is only the VPN component not the full FortiClient).

Remote Access > Configure VPN.

  • VPN: SSL-VPN.
  • Connection Name: Something sensible.
  • Remote Gateway: IP or FQDN of the FortiGate.
  • Authentication: Prompt on Logon (unless you want it to remember).
  • Do not warn invalid Server Certificate: Enabled (Unless you are using a publicly signed certificate on your FortiGate).

Save.

Then test connection, make sure you can ping internal IP addresses and DNS names.

Related Articles, References, Credits, or External Links

NA