FortiGate: SSL-VPN With FortiClient (AD Authenticated)

KB ID 0001725

Problem

FortiGate Remote Access (SSLVPN ) is a solution that is a lot easier to setup than on other firewall competitors. Here’s how to setup remote access to a FortiGate firewall device, using the FortiClient software, and Active Directory authentication. This is what my topology looks like;

Remote SSL-VPN with FortiClient

Note: I’ve changed the FortiGates default management HTTPS port from 443 to 4433 (before I started). This was to let me use the proper HTTPS port of 443 for remote access SSL VPN. I suggest you also do this, as running SSL-VPN over an ‘odd’ port may not work from some locations. See the following article;

FortiGate: Change the HTTPS Management Port

Certificate: I’m also using a self signed certificate on the FortiGate, in a production environment you may want to purchase a publicly signed one!

Step 1: FortiGate LDAPS Prerequisites

Before we start, we need to make sure your firewall can resolve internal DNS. (Because the Kerberos Certificate name on your Domain Controller(s) gets checked, when doing LDAPS queries, if you DON’T want to do this then disable server identity check when you setup your LDAP server below). Or you can add the IP address to the servers Kerberos certificate as a ‘Subject Alternative Name‘ but thats a bit bobbins IMHO

Network > DNS > Specify > Add in your ‘Internal” DNS servers > Apply.


Add Internal DNS Server Fortigate

Certificate Prerequisites

To perform LDAPS the FortiGate needs to trust the certificate(s) that our domain controller(s) use. To enable that you need a copy of the CA Certificate, for the CA that issued them. At this point if  you’re confused, you might want to run through the following article;

Get Ready for LDAPS Channel Binding

So to get a copy of your CA cert on a Windows CA server use the following command;

certutil -ca.cert My-Root-CA-Cert.cer


Windows Export CA Certificate

To ‘Import‘ the certificate into the Fortigate > System > Certificates > Import > CA Certificate.

Fortigate upload CA Certificate

File > Upload > Browse to your CA Certificate > Open > OK.

Fortigate Import CA Certificate

Take note of the certificate name, (CA_Cert_1 in the example below,) you will need this information below.

Fortigate Get Name CA Certificate

Step 2: Allow FortiGate LDAPS Authentication (Active Directory)

User & Authentication > LDAP Servers > Add.

Add LDAPS Server Fortigate

  • Name: Something Sensible!
  • Server IP/Name: Use the FQDN of the server (or you need to put the IP on the Kerberos certificate as a SAN!)
  • ServerPort: 636 (We’re not using 389 LDAP is NOT secure!)
  • Common Name Identifier: sAMAccountName
  • Distinguished Name: Enter the DN for either the top level of your domain or an OU that’s got all your users/groups in.
  • Bind Type: Regular.
  • Username: in DOMAIN\username format Note: A normal domain user account is sufficient it DOES NOT need to be a domain administrator.
  • Password: For the above user.
  • Secure Connection: LDAPS.
  • Certificate: Select YOUR CA Certificate.
  • Server Identity Check: Enabled.

Click ‘Test Connectivity‘ It should say successful, then you can check some other domain user credentials as a test > OK.

Create LDAPS Server Fortigate

Domain / Active Directory Setup

Over in my Active Directory I’ve created a security group called GS-VPN-Users, and put my user object into it.

Fortigate AD Group Authentication

Now I need to create a FIREWALL GROUP and add my ACTIVE DIRECTORY GROUP to that. User & Authentication > User Groups > Create New.

Fortigate AD LDAPS Groups

  • Name: Something sensible!
  • Type: Firewall

Remote Groups > Add.

Fortigate Firewall Group

Change the Remote Server drop down list to be your LDAPS Server > Browse to your ACTIVE DIRECTORY GROUP, right click and Add Selected (Cheers, that took me three goes to find FortiNet!) > OK.

Fortigate Add AD Group to Firewall Group

All being well you should see your LDAPS server AND the distinguished name of your AD group, (check that’s not missing!) > OK.

Fortigate Remote VPN with AD Groups

Step 3: Setup FortiGate SSL-VPN

First we need an SSL Portal > VPN  > SSL-VPN Portals > Create New.

  • Name: Something sensible!
  • Enable Split Tunnelling: Enabled. (If you don’t do this then remote clients need to come though the FortiGate for web access, I usually enable split tunnel).
  • Source IP Pools: Add Then Create.

Fortigate Source IP Pools

Address.

Fortigate Source IP Pools Address

  • Name: Something sensible!
  • Type: IP Range
  • IP Range: The subnet you want to use. (Note:If you are routing on your LAN, make sure there’s a route back to the FortiGate for this subnet or bad things will happen!)
  • Interface: SSL-VPN tunnel interface

OK.

Fortigate VPN IP Pools Address

Enter a portal message, (the header on the page once a remote user connects)  > Enable FortiClient download > OK.

Fortigate VPN IP Pools Address

If you see the following error, that’s because on some smaller firewalls, (like the 40F) there can only be one, so you need to edit the one that is there by default.

Maximum number 0f entries has been reached.

SSL Maximum number of entries has been reached

FortiGate SSL-VPN Settings

VPN  > SSL-VPN Settings > Listen on Interfaces.

Fortigate SSL-VPN Settings

Set to the outside (WAN) interface > Address Range > Specify custom IP Ranges > IP Ranges > Add in the pool you created above.

Fortigate SSL-VPN Interface

DNS Server > Specify > Add in your internal DNS servers > Authentication Portal Mapping > Create New.

Fortigate SSL-VPN DNS and Portal Mapping

  • Users/Groups: Your FIREWALL GROUP.
  • Portal: Your Portal

OK.

Apply (Note: If it complains ‘All Other User/Group‘ is not configured, set that to  web-access (as shown).

Fortigate Remote Access VPN

FortiGate SSL-VPN Firewall Policy

Policy & Objects > Firewall Policy (or IPV4 Policy on older versions) > Create New.

Fortigate SSL-VPN Firewall Policy

  • Name: Something sensible.
  • Incoming Interface: SSL-VPN Tunnel Interface.
  • Outgoing Interface: Inside (LAN).
  • Source: Your remote IP Pool AND your FIREWALL GOUP.
  • Destination: Local LAN (remember if you want DMZ access, add that in also)
  • Schedule: Always
  • Action: Accept
  • NAT: Disabled

Fortigate SSL-VPN No NAT

  • Generate logs when session starts: Enabled 

OK.

Fortigate SSL-VPN Logging

Step 4: Test FortiGate SSL-VPN

From your remote client, browse to the public IP/FQDN of the firewall and log in, you should see the SSL-VPN portal you created, and have the option to download the FortiClient (VPN) software for your OS version.

Download FortiClient

Install the FortiClient (Note: This is only the VPN component not the full FortiClient).

Install FortiClient

Remote Access > Configure VPN.

  • VPN: SSL-VPN.
  • Connection Name: Something sensible.
  • Remote Gateway: IP or FQDN of the FortiGate.
  • Authentication: Prompt on Logon (unless you want it to remember).
  • Do not warn invalid Server Certificate: Enabled (Unless you are using a publicly signed certificate on your FortiGate).

Save.

Configure FortiClient

Then test connection, make sure you can ping internal IP addresses and DNS names.

Connect FortiClient SSL-VPN

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

6 Comments

  1. Hey Pete, this is a great summary of the configuration! Much cleaner than the cookbook.

    One point I’d make is the management port shouldn’t need to be changed in all cases.

    Assuming you don’t need FortiClient support on internal interfaces or management of the firewall on public interfaces you should be fine. This isn’t true for everyone, but worth considering as non-default ports aren’t fun to remember.

    Post a Reply
    • Hi Cody,
      Yeah agreed, my background is in supporting multiple customers/businesses remotely, so perhaps I’m a little blinkered in that respect 🙂 But you are correct.

      P

      Post a Reply
  2. Hi Peter. This article has helped me a lot and managed to configure an LDAPS connection without problems, but I have the following problem. When I want to connect to the vpn ssl through Forticlient, I get the following error message: Unable to logon to the server. Your user name or password may not be configured properly for this connection (-12).

    I have confirmed that the credentials that I enter are correct, in fact when I do the connection test on the LDAPS server. the results are successful. Is there anything else that I need to verify?

    As additional information, I am enabling this new LDAPS connection in my Firewall, but currently I have LDAP servers (port 389) and users can connect without problems.

    Post a Reply
    • I have seen similar things where LDAPS appears to be working and it wont authenticate – drop to command line on the FortiGate and test the same credentials. You will get a better Idea of whether LDAPS is actually working!

      like so https://www.petenetlive.com/kb/article/0001733

      Post a Reply
      • Hi Pete!! Thank you for your reply!

        I was reviewing the article and according to your publication, I can confirm that steps 1 and 2 would be correct; The CA certificate was issued by the same LDAPS server and from the firewall console I can ping and get a response by putting the name of the LDAPS server. However, I still have authentication problems when I do it from the console. I get the impression that I should review option number 3, that is, the server’s IP address must be in the certificate as Subject Alternative Name (SAN). I will try to review that and I will be publishing any news here!

        Regards!

        Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *