Channel: LDAP – Fortinet Cookbook

Single Sign-On using LDAP and FSSO agent in advanced mode (Expert)

This recipe illustrates FortiGate user authentication with FSSO. In this example, user authentication controls Internet access and applies different security profiles for different users.
 

1. Integrating the FortiGate with the LDAP server

Go to User & Device > Authentication > LDAP Servers to configure the LDAP server.


2. Installing FSSO agent on Windows AD server

Accept the license and follow the Wizard.

Enter the Windows AD administrator password.


Select the Advanced Access method.


In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor.

Under Working Mode, select DC Agent mode.

Reboot the Domain Controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password.


3. Configuring Single Sign-On on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

Under Groups tab, select the user groups to be monitored. In this example, “FortiOS Writers” group is used.

4. Creating a user group in the FortiGate

Go to User & Device > User > User Groups to create a new FSSO user group.

Under Members, select the “FortiOS_Writers” group created earlier.


5. Adding a policy in the FortiGate

Go to Policy & Objects > Policy > IPv4 and create a policy allowing “FortiOS_Writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.


6. Results

Have users log on to the domain, go to the FSSO agent, and select Show Logon Users.

From the FortiGate, go to System > Status to look for the CLI Console widget and type this command for more detail about current FSSO logons:

diagnose debug authd fsso list

----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----

From the FortiGate, go to User & Device > Monitor > Firewall and verify FSSO Logons.


Have users go to the Internet and the security profiles will be applied accordingly.

Go to Log & Report > Traffic Log > Forward Traffic to verify the log. 


Select an entry for details.

The post Single Sign-On using LDAP and FSSO agent in advanced mode (Expert) appeared first on Fortinet Cookbook.


Single Sign-On using FSSO agent in advanced mode and FortiAuthenticator (Expert)

This recipe demonstrates FortiGate user authentication with FSSO and the use of FortiAuthenticator as an LDAP server. In this example, user authentication controls Internet access and applies different security profiles for different users.
 

 1. Configuring an LDAP directory on the FortiAuthenticator

Go to Authentication > User Management > Local Users to create a users list. Make sure to enable Allow LDAP browsing.

Go to Authentication > User Management > User Groups to create a user group and add users to it. The “FortiOS_Writers” user group is used in this example.


Go to Authentication > LDAP Service > Directory tree and configure the LDAP directory tree.


2. Integrating the FortiGate with the FortiAuthenticator

Go to User & Device > Authentication > LDAP Servers and configure the LDAP server.


3. Installing the FSSO agent on the Windows AD server

Accept the license and follow the Wizard.

Enter the Windows AD administrator password.


Select the Advanced Access method.


In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor.

Under Working Mode, select DC Agent mode.

Reboot the Domain Controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password.


 4. Configuring Single Sign-On on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

Under Groups tab, select the user groups to be monitored. In this example, “FortiOS_Writers” group is used.

5. Creating a user group in the FortiGate

Go to User & Device > User > User Groups to create a new user group. Under Remote groups, add the remote LDAP server created earlier in the FortiAuthenticator (in this example it’s called “FAC_LDAP”).


6. Adding a policy in the FortiGate

Go to Policy & Objects > Policy > IPv4 and create a policy allowing “FortiOS_Writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.


 7. Results

Have users log on to the domain, go to the FSSO agent, and select Show Logon Users.

From the FortiGate, go to System > Status to look for the CLI Console widget and type this command for more detail about current FSSO logons:

diagnose debug authd fsso list

----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----

Have users belonging to the “FortiOS_Writers” user group navigate the Internet. An authentication portal is presented to allow only authorized users. Security profiles will be applied accordingly.


Upon successful authentication, from the FortiGate, go to User & Device > Monitor > Firewall and verify FSSO Logons.


Go to Log & Report > Traffic Log > Forward Traffic to verify the log. 

Select an entry for details.

 


LDAP authentication for SSL VPN with FortiAuthenticator


This recipe describes how to set up FortiAuthenticator to function as an LDAP server for FortiGate SSL VPN authentication. It involves adding users to FortiAuthenticator, setting up the LDAP server on the FortiAuthenticator, and then configuring the FortiGate to use the FortiAuthenticator as an LDAP server.

1. Creating the User and User Group on FortiAuthenticator

From the FortiAuthenticator GUI, go to Authentication > User Management > Local Users, and select Create New.

Enter a name for the user (in the example, jgarrick), enter and confirm a password, and be sure to disable Allow RADIUS authentication — RADIUS authentication is not required for this recipe.

Set Role as User, and select OK. New options will appear.

Make sure to enable Allow LDAP browsing — the user will not be able to connect to the FortiGate otherwise.

Next, go to Authentication > User Management > User Groups, and add a user group for the FortiGate users. Add the desired users to the group.

2. Creating the LDAP Directory Tree on FortiAuthenticator

Go to Authentication > LDAP Service > Directory Tree, and create a Distinguished Name (DN) (in the example, dc=fortinet,dc=com). A DN is made up of Domain Components (DC).

The users created earlier become User ID (UID) entries, and the user group created earlier becomes the Common Name (CN), in the LDAP Directory Tree.

Create an Organizational Unit (OU), and a Common Name (CN). Under the cn=HeadOffice entry, add UIDs for each user.

If you mouse over one of the users, you will see the full DN of the LDAP server.

Later, you will use jgarrick on the FortiGate to query the LDAP directory tree on FortiAuthenticator, and you will use bwayne credentials to connect to the VPN tunnel.

3. Connecting the FortiGate to the LDAP Server

From the FortiGate GUI, go to User & Device > Authentication > LDAP Servers, and select Create New.

Enter a name for the LDAP Server connection.

Set Server IP/Name as the IP of the FortiAuthenticator, and set the Common Name Identifier as uid.

Set the Distinguished Name as dc=fortinet,dc=com, and set the Bind Type to Regular.

Next, enter the User DN of the LDAP server, and enter the Password.

The User DN is an account that the FortiGate uses to query the LDAP server.

Select Fetch DN to determine a successful connection. If successful, a dropdown menu will appear showing the LDAP Tree, dc=fortinet,dc=com.
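The DNs in sections 2 and 3 (the base DN dc=fortinet,dc=com, the cn=HeadOffice container, the uid entries, and the User DN the FortiGate binds with) follow RFC 4514. The following is an added example, not code from the Fortinet Cookbook or from any Fortinet product: a small DN parser with `user_dn` (which builds a bind DN from a Common Name Identifier such as uid and a container, the same construction the FortiVoice "common name with base DN as bind DN" option performs later on this page) and `is_under` (which checks whether a user entry lies below a container, the question the Add Group Match step answers). The case-insensitive comparison is this example's approximation of LDAP's caseIgnoreMatch; multi-valued RDNs and hex escapes are rejected because this directory does not use them.

```python
"""RFC 4514 distinguished-name helpers (added example, not Fortinet code).

Models the FortiAuthenticator directory tree from the recipe: a base DN of
domain components (dc=fortinet,dc=com), an OU and a container (cn=HeadOffice),
and one uid=... entry per user. Plain Python, no LDAP library needed.
"""
from typing import List, Tuple

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.

    Attribute types are lower-cased; values are returned unescaped.
    Multi-valued RDNs (a=1+b=2) and \\XX hex escapes are not used by this
    directory and are rejected rather than silently mangled.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash in DN")
            nxt = dn[i + 1]
            if nxt in "0123456789abcdefABCDEF":
                raise ValueError("hex escapes are not supported by this parser")
            buf.append(nxt)  # escaped special character, taken literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        elif ch == "+":
            raise ValueError("multi-valued RDNs are not supported")
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        attr, sep, val = part.partition("=")
        attr = attr.strip()
        if not sep or not attr:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.lower(), val))
    return rdns


def user_dn(cn_identifier: str, login: str, container_dn: str) -> str:
    """DN for a user: Common Name Identifier (uid in the recipe) = login,
    under the container the users live in. The login is escaped first."""
    return f"{cn_identifier}={escape_rdn_value(login)},{container_dn}"


def is_under(dn: str, base_dn: str) -> bool:
    """True if dn is at or below base_dn (values compared case-insensitively,
    approximating LDAP's caseIgnoreMatch for the attribute types used here)."""
    entry = [(a, v.lower()) for a, v in parse_dn(dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(entry) >= len(base) and entry[-len(base):] == base


def rdn_value(dn: str, attr: str) -> str:
    """Value of the first RDN with the given attribute type (e.g. the group's CN)."""
    for a, v in parse_dn(dn):
        if a == attr.lower():
            return v
    raise KeyError(attr)


if __name__ == "__main__":
    container = "cn=HeadOffice,ou=techdoc,dc=fortinet,dc=com"
    bwayne = user_dn("uid", "bwayne", container)
    print(bwayne)
    print(is_under(bwayne, container), is_under(bwayne, "cn=Marketing,ou=techdoc,dc=fortinet,dc=com"))
    print(rdn_value("CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL", "cn"))
```

`user_dn("uid", "jgarrick", "cn=HeadOffice,ou=techdoc,dc=fortinet,dc=com")` reproduces the User DN shown in this recipe; the escaping matters as soon as a login contains a comma or a leading space, which would otherwise split the DN into an extra RDN.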

4. Creating the LDAP User Group on the FortiGate

Go to User & Device > User > User Groups, and select Create New.

Enter a name for the user group, and under Remote Groups, select Create New.

 

Select LDAPserver under the Remote Server dropdown.

In the new Add Group Match window, select HeadOffice under the Groups tab, and select Add Selected, then click OK.

LDAPserver has been added to the LDAP group.

5. Configuring the SSL VPN

From the FortiGate GUI, go to VPN > SSL > Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL > Settings.

Under Connection Settings set Listen on Port to 10443.

Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.

Under Authentication/Portal Mapping, select Create New.

Assign the LDAPgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.

Select the prompt at the top of the screen to create a new SSL-VPN policy.

Set Source User(s) to the LDAPgroup user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.

6. Results

From a remote device, access the SSL VPN Web Portal.

Enter valid LDAP credentials (in the example, bwayne).

‘bwayne’ is now successfully logged into the SSL VPN Portal.

From the FortiGate GUI, go to VPN > SSL > Monitor to confirm the connection.

 

In the example, the User DN is uid=jgarrick,cn=HeadOffice,ou=techdoc,dc=fortinet,dc=com.

If you select Test, it should show that the connection is Successful; however, this is a false declaration. Only selecting Fetch DN will determine a successful connection.


SSL VPN remote browsing with LDAP authentication


This recipe describes how to configure an SSL VPN tunnel using LDAP Authentication on a FortiAuthenticator.

The VPN will be tested using FortiClient on a mobile Android device.

The recipe assumes that an LDAP server has already been configured and connected on the FortiGate, containing the user ‘bwayne’. For instructions on configuring FortiAuthenticator as an LDAP server, see LDAP authentication for SSL VPN with FortiAuthenticator.

1. Creating the LDAP user group

From the FortiGate GUI, go to User & Device > User > User Groups, and select Create New.

Enter a name for the user group, and under Remote Groups, select Create New.

 

Select the LDAP server under the Remote Server dropdown.

In the new Add Group Match window, select the desired group under the Groups tab, select Add Selected, and click OK.

The LDAP server has been added to the LDAP group.

2. Configuring the SSL VPN

Go to VPN > SSL > Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL > Settings.

Under Connection Settings set Listen on Port to 10443.

Under Authentication/Portal Mapping, select Create New.

Assign the LDAPgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.

3. Creating the security policies for VPN access to the Internet

Go to Policy & Objects > Policy > IPv4 and create an ssl.root – wan1 policy.

Set Source User(s) to the LDAPgroup user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.

If it is not already available, create another policy allowing internal access to the Internet.

4. Results

On your Android smartphone, open the FortiClient app and create a new VPN.
Give the VPN a name (in the example, SSL to 121.56), and set the VPN Type to SSL VPN. Select Create.

The SSL VPN settings will appear. Set Server to the IP of the FortiGate (in the example, 172.20.121.56), and set the Port to 10443.

Set Username to the desired LDAP user (in the example, bwayne), and set the user’s password.

Return to FortiClient’s list of VPN Tunnels, and connect to the newly created SSL VPN.

If prompted, enter valid LDAP credentials.

User ‘bwayne’ is now connected to the SSL VPN tunnel and can securely browse the Internet.

 

This part of the recipe assumes that an LDAP server has already been configured and connected on the FortiGate, containing the user ‘bwayne’.


LDAP Authentication Configuration for FortiVoice Administrators


The FortiVoice unit works with LDAP servers to authenticate the administrator accessing the unit. This recipe guides you through the process of configuring LDAP authentication on the FortiVoice unit.

This recipe uses MS Server 2012 Active Directory as an example LDAP server and FortiVoice firmware v 3.0.1 or later. This recipe also assumes you have created an Administrator profile.
 
For information on how to create an administrator profile, see the FortiVoice Enterprise Phone System Administration Guide.
 

Creating an LDAP Profile

To create an LDAP profile

  1. Go to Phone System > Profiles > LDAP.
  2. Select New to add a profile or double-click an existing profile to modify it.
  3. Enter the necessary information. If you require detailed information on any of the sections, consult the FortiVoice Online Help or the FortiVoice Enterprise Phone System Administration Guide.
  4. Select Create.

Configuring the Active Directory on MS Server 2012

Once you have created and configured your LDAP profile, you can configure MS Server 2012.

  1. Open Active Directory Users and Computers.
  2. Go to Start > Control Panel.
  3. Double-click Administrative Tools and then double-click Active Directory Users and Computers.
  4. Go to Active Directory Users and Computers and select the domain node and Users folder. In the example, the domain node is fv.qa and the user name is admin_user1.

Once you have completed setup, verify the configuration by opening the FortiVoice administrator web UI and logging in as the administrator.


FortiVoice LDAP Authentication Configuration for Extension Users


The FortiVoice unit works with LDAP servers to authenticate extension users accessing the unit. This recipe guides you through the process of configuring LDAP authentication on the FortiVoice unit for extension users.

This recipe uses MS Server 2012 Active Directory as an example LDAP server and FortiVoice firmware v 3.0.1 or later.
 

Creating an LDAP Profile

To create an LDAP profile

  1. Go to Phone System > Profiles > LDAP.
  2. Select New to add a profile or double-click an existing profile to modify it.
  3. Enter the necessary information. If you require detailed information on any of the sections consult the FortiVoice Online Help or the FortiVoice Administrator Guide.
  4. Select Create.

Applying the LDAP Profile to Extension

Once you have created and configured your LDAP profile, you can apply the LDAP profile to an extension.

  1. Go to Extensions > Extensions > IP extensions and select New.
  2. Select LDAP for Authentication type.
  3. Select the profile created in the previous step in the LDAP profile selection.
  4. Leave the Authentication ID field empty.
 
Selecting LDAP authentication.

Configuring the Active Directory on MS Server 2012

Once you have created and configured your LDAP profile, you can configure MS Server 2012.

  1. Open Active Directory Users and Computers.
  2. Go to Start > Control Panel.
  3. Double-click Administrative Tools and then double-click Active Directory Users and Computers.
  4. Go to Active Directory Users and Computers and select the domain node and Users folder. In the example, the domain node is fv.qa and the user name is fortivoice_test1.
  5. Right-click the fortivoice_test1 and select Properties.
  6. Select General and enter 2001 (extension number) in the Telephone number field.

Once you have completed setup, verify the configuration by opening the FortiVoice user web UI and logging in as an extension user.


Single Sign-On using LDAP and FSSO agent in advanced mode (Expert)


This recipe illustrates FortiGate user authentication with FSSO and a Windows DC LDAP server. In this example, user authentication controls Internet access.

1. Integrating the FortiGate with the Windows DC LDAP server

Go to User & Device > LDAP Servers to configure the LDAP server.

2. Installing FSSO agent on the Windows DC server

Accept the license and follow the Wizard.

Enter the Windows AD administrator password.


Select the Advanced Access method.


In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor.

Under Working Mode, select DC Agent Mode.

Reboot the Domain Controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password.


3. Configuring Single Sign-On on the FortiGate

Go to User & Device > Single Sign-On and create a new SSO server.

Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS Writers” group is used.

4. Adding a user group to the FortiGate

Go to User & Device > User Groups to create a new FSSO user group.

Under Members, select the “FortiOS Writers” group.

5. Adding a policy to the FortiGate

Go to Policy & Objects > IPv4 Policy and create a policy allowing “FortiOS_Writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.

6. Results

Have users log on to the domain, go to the FSSO agent, and select Show Logon Users.

From the FortiGate, go to Dashboard to look for the CLI Console widget and type this command for more detail about current FSSO logons:

diagnose debug authd fsso list

----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----

From the FortiGate, go to Monitor > Firewall User Monitor and verify FSSO Logons.

Have users go to the Internet and the security profiles will be applied accordingly.

Go to Log & Report > Forward Traffic to verify the log. 

Select an entry for details.


Single Sign-On using FSSO agent in advanced mode and FortiAuthenticator (Expert)


This recipe demonstrates FortiGate user authentication with FSSO agent installed on a Windows Domain Controller, and the use of a FortiAuthenticator as an LDAP server. In this example, user authentication controls Internet access.

 1. Configuring an LDAP directory on the FortiAuthenticator

Go to Authentication > User Management > Local Users to create a user list. Make sure to enable Allow LDAP browsing.

Go to Authentication > User Management > User Groups to create a user group and add users to it. The “FortiOS_Writers” user group is used in this example.

Go to Authentication > LDAP Service > Directory tree and configure the LDAP directory tree.

2. Integrating the FortiGate with the FortiAuthenticator

On the FortiGate, go to User & Device > LDAP Servers to configure the LDAP server.

3. Installing FSSO agent on the Windows DC

Accept the license and follow the Wizard.

Enter the Windows AD administrator password.


Select the Advanced access method for Windows Directory.


In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor.

Under Working Mode, select DC Agent Mode.

When prompted, select Yes to reboot the Domain Controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password which will be used in step 4.


 4. Configuring Single Sign-On on the FortiGate

Go to User & Device > Single Sign-On and create a new SSO server. In the Primary Agent IP/Name field, enter the Collector Agent IP Address used in step 3. Likewise, enter the Password required for authentication.

Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS_Writers” group is used.

5. Adding a user group to the FortiGate

Go to User & Device > User Groups to create a new user group. Under Remote groups, add the remote LDAP server created earlier in the FortiAuthenticator (in this example it’s called “FAC_LDAP”).

6. Adding a policy to the FortiGate

Go to Policy & Objects > IPv4 Policy and create a policy allowing “FortiOS_Writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.

 7. Results

Have users log on to the domain, go to the FSSO agent, and select Show Logon Users.
From the FortiGate, go to Dashboard to look for the CLI Console widget and type this command for more detail about current FSSO logons:

diagnose debug authd fsso list

----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
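The `diagnose debug authd fsso list` output above (the same listing appears in all four FSSO recipes on this page) is the quickest way to confirm which source IP the FortiGate attributes to which user and FSSO group. The following is an added example, not Fortinet code: a parser that turns that listing into records, cross-checks the FortiGate's own "Total number of logons listed" against the entries found, and answers the two questions the Results sections ask (who is in a given FSSO group, and which IP a user logged on from). The regular expression is fitted to the lines shown in the recipe; splitting MemberOf on commas for logons that map to several FSSO groups is an assumption.

```python
"""Parse `diagnose debug authd fsso list` output (added example, not Fortinet code).

SAMPLE_OUTPUT is the listing exactly as shown in the recipe; the parser is
fitted to that format and raises if the FortiGate's own total disagrees
with the number of entries found (a truncated or mangled capture).
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_OUTPUT = """\
----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

_LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>.*?)"
    r"\s+Workstation:\s*(?P<workstation>\S+)\s+MemberOf:\s*(?P<member_of>.*)$"
)
_TOTAL_RE = re.compile(r"^Total number of logons listed:\s*(\d+),\s*filtered:\s*(\d+)")


@dataclass
class FssoLogon:
    ip: str
    user: str
    groups: str            # AD group DN(s) exactly as the FortiGate prints them
    workstation: str
    member_of: List[str]   # FortiGate FSSO user groups the logon maps to


def parse_fsso_list(text: str) -> List[FssoLogon]:
    """Turn the CLI listing into FssoLogon records, validating the total."""
    logons: List[FssoLogon] = []
    total = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _LOGON_RE.match(line)
        if m:
            logons.append(FssoLogon(
                ip=m["ip"],
                user=m["user"],
                groups=m["groups"],
                workstation=m["workstation"],
                # assumed: several FSSO groups would be listed comma-separated
                member_of=[g.strip() for g in m["member_of"].split(",") if g.strip()],
            ))
            continue
        t = _TOTAL_RE.match(line)
        if t:
            total = int(t.group(1))
    if total is not None and total != len(logons):
        raise ValueError(f"FortiGate reports {total} logons, parsed {len(logons)}")
    return logons


def logons_in_group(logons: List[FssoLogon], fsso_group: str) -> List[FssoLogon]:
    """Logons that map to the given FortiGate FSSO user group."""
    return [entry for entry in logons if fsso_group in entry.member_of]


def ip_for_user(logons: List[FssoLogon], user: str) -> str:
    """Source IP the FortiGate currently attributes to `user` (case-insensitive)."""
    for entry in logons:
        if entry.user.lower() == user.lower():
            return entry.ip
    raise KeyError(user)


if __name__ == "__main__":
    for entry in parse_fsso_list(SAMPLE_OUTPUT):
        print(f"{entry.ip:<12} {entry.user:<14} {entry.workstation:<26} {entry.member_of}")
```

Feeding the captured output of the command into `parse_fsso_list` and comparing `logons_in_group(..., "FortiOS_Writers")` with the users you expect is a reproducible version of the manual check in the Firewall User Monitor, and the total-count validation flags captures that were cut off mid-listing.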

Have users belonging to the “FortiOS_Writers” user group navigate the Internet. An authentication portal is presented to allow only authorized users. Security profiles will be applied accordingly.


Upon successful authentication, from the FortiGate, go to Monitor > Firewall User Monitor and verify FSSO Logons.

Go to Log & Report > Forward Traffic to verify the log. 

Select an entry for details.



SSO using a FortiGate, FortiAuthenticator, and DC Polling (Expert)


This recipe demonstrates FortiGate user authentication with a FortiAuthenticator as a Single Sign-On server. In this example, the FortiAuthenticator is configured to collect the user logon by polling the Domain Controller logs. User authentication controls Internet access.

 1. Configuring the FortiAuthenticator

Go to Fortinet SSO Methods > SSO > General and configure these general settings.

Go to Fortinet SSO Methods > SSO > Domain Controllers and add the Windows DC to the FortiAuthenticator.

Go to Authentication > Remote Auth. Servers > LDAP to set the Windows AD as an LDAP server. This will be useful to import SSO Filtering Objects from Windows AD to the FortiAuthenticator.

Go to Fortinet SSO Methods > SSO > FortiGate Filtering and create a new FortiGate Filter.

Under Fortinet Single Sign-On (FSSO), enable Forward FSSO information for users from the following subset of users/groups/containers only.

Under SSO Filtering Objects, select Import. In the Remote LDAP Server field, select the LDAP server created in the previous step (WinLDAP in this example) and select Apply.

Next, select groups or containers to be imported, controlled, and monitored by the FortiAuthenticator. In this example, the “FortiOS Writers” user group is selected.

 2. Configuring SSO on the FortiGate

Go to User & Device > Single Sign-On and create a new SSO server.

In the Type field, select Fortinet Single-Sign-On Agent and set the Name, the Primary Agent IP/Name, the Password and select Apply & Refresh.

When selecting the Users/Groups field, the SSO user groups initially polled by the FortiAuthenticator from the Domain Controller appear.

In this example, only the “FortiOS Writers” group appears because of the FortiGate Filtering configuration in the previous step.

 

 

3. Creating a user group on the FortiGate

Go to User & Device > User Groups and create a new Fortinet Single Sign-On (FSSO) user group. Under Members, select the user group to be monitored. In this example only “FortiOS Writers” appears because of the FortiGate Filtering configured earlier.

4. Adding a policy on the FortiGate

Go to Policy & Objects > IPv4 Policy and create a policy allowing “FortiOS_Writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.

 5. Results from the FortiAuthenticator

Go to Monitor > SSO > Domains to verify monitored domains. In this example “techdoc.local” is monitored by the FortiAuthenticator.

Have users log on to the domain.

Go to Monitor > SSO > SSO Sessions to verify SSO sessions.

Go to Logging > Log Access > Logs to verify logs.
Select an entry for details.

You can also verify FSSO users in the User Inventory widget under System > Dashboard > Status.

 6. Results from the FortiGate

Upon successful authentication, go to Monitor > Firewall User Monitor and verify FSSO Logons.

Have authenticated users navigate the Internet. Security profiles will be applied accordingly. 

Go to Log & Report > Forward Traffic to verify the log. 

Select an entry for details.


FortiVoice Enterprise Profiles: LDAP Profiles


FortiVoice phone profiles let you create user privileges and SIP profiles for configuring extensions and SIP trunks. They also allow you to modify caller IDs, schedule the FortiVoice unit, and configure phone and LDAP profiles.

This recipe guides you through the process of configuring an LDAP profile.

Configuring an LDAP Profile

The LDAP submenu lets you configure LDAP profiles which can query LDAP servers for authentication.

IMPORTANT: Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server. When LDAP queries do not match with the server’s schema and/or contents, unintended phone call processing behaviors can result. 

To configure an LDAP profile

  1. Go to Phone System > Profiles > LDAP.
  2. Select New or double-click an existing profile to modify it.
  3. Enter the profile name, and server name. The fallback server name is optional.
  4. Select whether or not to connect to the LDAP servers using an encrypted connection from the Use secure connection dropdown menu.
  5. Enter the distinguished name of the part of the LDAP directory tree within which the FortiVoice unit will search for user objects.
  6. Enter the bind DN. This field is optional if your LDAP server does not require the FortiVoice unit to authenticate when performing queries.
  7. Enter the password of the Bind DN.


Configuring User Authentication Options for the LDAP Profile

With the basic settings of the LDAP profile configured, you can now customize the user authentication options. Select the arrow button to expand the User Authentication Options section.

  1. Select Try common name with base DN as bind DN and enter a common name ID. If this is your selection, you are finished with the user authentication options.
  2. Otherwise, select Search user and try bind DN and continue with the following steps.
  3. Select your desired schema style. If your LDAP server uses any other schema style, select User Defined, then manually configure the query string.
  4. Enter an LDAP query filter that selects a set of user objects from the LDAP directory. The query string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects.
  5. Select which level of depth to query from the scope dropdown menu.
  6. Select the Derefer method to use, if any, when dereferencing attributes whose values are references.
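Step 4 above asks for a query filter that selects exactly the user objects and nothing else; the part of that filter that carries the login name is also where unescaped input can change the filter's structure. The following is an added example, not FortiVoice code: it escapes assertion values per RFC 4515 and fills a per-schema template with the escaped login, shown beside the naive string substitution so the difference is visible. The preset names and templates in `SCHEMA_PRESETS` and the `{login}` placeholder for the User Defined case are this example's own assumptions, not FortiVoice's schema-style list or syntax.

```python
"""LDAP search filters with RFC 4515 escaping (added example, not FortiVoice code).

The schema presets and the {login} placeholder convention are assumptions
made for this example; they are not FortiVoice's own schema-style names.
"""
from typing import Dict

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise the value can alter the filter's structure.
_FILTER_ESCAPES: Dict[str, str] = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Assumed presets: the attribute that holds the login name per directory
# type, plus an objectClass test so that non-user objects are excluded
# (the recipe's advice: match attributes common to all users, exclude the rest).
SCHEMA_PRESETS: Dict[str, str] = {
    "Active Directory": "(&(objectClass=user)(sAMAccountName={login}))",
    "OpenLDAP": "(&(objectClass=inetOrgPerson)(uid={login}))",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(schema: str, login: str, user_defined: str = "") -> str:
    """Filter that selects the single user object for `login`.

    `schema` picks a preset; "User Defined" uses the caller's template, which
    must contain a {login} placeholder. The login is always escaped, so a
    value such as "*" stays a literal character to match, not a wildcard.
    """
    template = user_defined if schema == "User Defined" else SCHEMA_PRESETS[schema]
    if "{login}" not in template:
        raise ValueError("filter template needs a {login} placeholder")
    return template.replace("{login}", escape_filter_value(login))


def naive_user_filter(schema: str, login: str) -> str:
    """Plain substitution without escaping, kept only to show the contrast:
    a login of "*" turns the equality match into a match-everything wildcard."""
    return SCHEMA_PRESETS[schema].replace("{login}", login)


def is_balanced(filter_str: str) -> bool:
    """Cheap structural check to run on a filter before saving a profile:
    every '(' has a matching ')' and none closes before it opens."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    for login in ("jgarrick", "*", "x)(objectClass=*"):
        print("escaped:", build_user_filter("Active Directory", login))
        print("naive:  ", naive_user_filter("Active Directory", login))
```

With escaping in place the directory receives one equality assertion per lookup whatever the login contains, which is what the recipe's IMPORTANT note about queries that do not match the schema is guarding against from the other direction: a filter that matches too much is as much a misconfiguration as one that matches nothing.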

Configuring Advanced Options

With the authentication settings completed, we can now configure some advanced options. Select the arrow button to expand the Advanced Options section.

  1. Enter the maximum amount of time in seconds that the FortiVoice unit will wait for query responses from the LDAP server.
  2. Select the Protocol version from the dropdown menu.
  3. Enable cache.
  4. Enter the amount of time in minutes that the FortiVoice unit will cache query results. After the TTL has elapsed, cached results expire and any subsequent request for the information causes the FortiVoice unit to query the LDAP server, refreshing the cache.
  5. Enable user password change.
  6. Select your LDAP server’s user schema style from the dropdown menu.
  7. Select Apply.

Once you have finished creating an LDAP profile, you should test each enabled query in the LDAP profile to verify that the FortiVoice unit connects to the LDAP server, that the LDAP directory contains the required attributes and values, and that the query configuration is correct.

Once you are finished testing, configure User Privileges. For more information on configuring user privileges, see the corresponding chapter in the FortiVoice Enterprise Administrator Guide.



Configuring LDAP over SSL with Windows Active Directory


In this recipe you will learn how to configure LDAP over SSL (LDAPS) with Windows Server 2012. This external authentication server provides secure password checking for selected FortiGate users or groups.

The Lightweight Directory Access Protocol (LDAP) is used to read from Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL).

The goal is to generate and export a CA certificate from the AD server, then import it, as an external CA certificate, into the FortiGate. Finally, enable the CA certificate in the LDAPS server object.

Active Directory Certificate Services (AD CS) must be installed in your Windows Server 2012.

1. Exporting the LDAPS Certificate in Active Directory (AD)

Open the Command Prompt, type mmc and hit enter. Select File and then click Add/Remove Snap-in. Select Certificates and then click Add. In Certificates snap-in select Computer account and then click Next.

In Select Computer, if you are working at the LDAP server requiring the certificate, select Local. Otherwise, select Another computer and click Browse to locate the LDAP server requiring the certificate. Once you have the correct computer selected, click OK and then click Finish.

In the console tree, expand Certificates (<computer>). In the certificates console of a computer that contains a certificate that can be used for Server Authentication, right-click the root certificate, click All Tasks, and then click Export.

On the Certificate Export Wizard welcome screen, click Next. On the Export Private Key screen, select No, then click Next.

On the Export File Format screen, select DER.

On the File to Export screen, enter a path, file name, and .cer file extension in the File name box and then click Next. Confirm the settings on the completion screen and then click Finish. You should see a pop-up message indicating that the export was successful. Click OK.

2. Importing the LDAPS Certificate into the FortiGate

Go to System > Config > Features, and enable Certificates.

Go to System > Certificates and select Import > CA Certificate. Select Local PC and Choose File, then browse for the certificate file and click OK.

You may rename the system-generated CA_Cert_1 to be more descriptive.
 
CLI Example:
FGT # config vpn certificate ca
FGT (ca) # rename CA_Cert_1 to LDAPS-CA
FGT (ca) # end

The Name under External CA Certificates now shows as LDAPS-CA.

3. Creating the LDAPS Server object in the FortiGate

The User DN must have server administrator access.

4. Results

Verify that the LDAPS server object authenticates correctly.
 
On the FortiGate use the following diagnose command to test authenticating with the LDAPS server. When you enter the command use an actual username and password on the LDAPS server (in the example administrator and pa$$w0rd). If everything is configured correctly, the command output should indicate that authentication has succeeded and also list the group memberships.
 
FGT # diagnose test authserver ldap LDAPS administrator pa$$w0rd
authenticate 'administrator' against 'LDAPS' succeeded!
Group membership(s) - CN=Domain Admins,CN=Users,DC=fortinet,DC=local
                      CN=Administrators,CN=Builtin,DC=fortinet,DC=local
                      CN=Domain Users,CN=Users,DC=fortinet,DC=local
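The same check can be repeated from a workstation before touching the FortiGate, to confirm that the CA exported in step 1 really validates the domain controller's LDAPS certificate and that a bind succeeds. The following is an added example, not part of the recipe or of Fortinet's tooling: it trusts only the exported DER file (mirroring the FortiGate's trust in LDAPS-CA), encodes a minimal LDAP v3 simple bind over TLS, and decodes the result code; the host name, bind DN and CA path are assumed placeholders.

```python
"""Check an AD LDAPS endpoint using only the CA certificate exported from AD CS (added example)."""
import socket
import ssl


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV; returns (tag, payload, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                         # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_bind_response(data: bytes):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]; 0 means success."""
    _, msg, _ = read_tlv(data)            # outer LDAPMessage SEQUENCE
    _, _, p = read_tlv(msg)               # messageID
    tag, op, _ = read_tlv(msg, p)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, p = read_tlv(op)             # resultCode ENUMERATED
    _, _, p = read_tlv(op, p)             # matchedDN
    _, diag, _ = read_tlv(op, p)          # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def ldaps_bind(host: str, dn: str, password: str, ca_der_path: str, port: int = 636):
    """TLS-protected simple bind trusting only the exported CA; host must match the DC certificate's name."""
    with open(ca_der_path, "rb") as f:
        ca_pem = ssl.DER_cert_to_PEM_cert(f.read())   # the .cer file exported in DER format in step 1
    ctx = ssl.create_default_context(cadata=ca_pem)    # CERT_REQUIRED + hostname check, no system CAs
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, dn, password))
        return parse_bind_response(tls.recv(4096))    # a BindResponse fits in a single read


# Constructed success response for offline checks: messageID 1, resultCode 0, empty matchedDN and diagnostic.
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")
```

A resultCode of 49 (invalidCredentials) with a valid TLS handshake means the certificate chain is fine and only the bind DN or password is wrong, which separates the two failure modes the FortiGate diagnose output collapses into one.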

 

The post Configuring LDAP over SSL with Windows Active Directory appeared first on Fortinet Cookbook.

Single Sign-On using LDAP and FSSO agent in advanced mode (Expert)

This recipe illustrates FortiGate user authentication with FSSO. In this example, user authentication controls Internet access and applies different security profiles for different users.   1. Integrating the FortiGate with the LDAP server Go to User & Device > Authentication > LDAP Servers to configure the LDAP server.   2. Installing FSSO agent on Windows AD server Accept the license...

LDAP authentication for SSL VPN with FortiAuthenticator

This recipe describes how to set up FortiAuthenticator to function as an LDAP server for FortiGate SSL VPN authentication. It involves adding users to FortiAuthenticator, setting up the LDAP server on the FortiAuthenticator, and then configuring the FortiGate to use the FortiAuthenticator as an LDAP server. 1. Creating the User and User Group on FortiAuthenticator From the...

SSL VPN remote browsing with LDAP authentication

This recipe describes how to configure an SSL VPN tunnel using LDAP Authentication on a FortiAuthenticator. The VPN will be tested using FortiClient on a mobile Android device. The recipe assumes that an LDAP server has already been configured and connected on the FortiGate, containing the user ‘bwayne’. For instructions on configuring FortiAuthenticator as an LDAP...

LDAP Authentication Configuration for FortiVoice Administrators

The FortiVoice unit works with LDAP servers to authenticate the administrator accessing the unit. This recipe guides you through the process of configuring LDAP authentication on the FortiVoice unit. This recipe uses MS Server 2012 Active Directory as an example LDAP server and FortiVoice firmware v 3.0.1 or later. This recipe also assumes you have created...

FortiVoice LDAP Authentication Configuration for Extension Users

The FortiVoice unit works with LDAP servers to authenticate extension users accessing the unit. This recipe guides you through the process of configuring LDAP authentication on the FortiVoice unit for extension users. This recipe uses MS Server 2012 Active Directory as an example LDAP server and FortiVoice firmware v 3.0.1 or later.   Creating an LDAP...

Single Sign-On using LDAP and FSSO agent in advanced mode (Expert)

This recipe illustrates FortiGate user authentication with FSSO and a Windows DC LDAP server. In this example, user authentication controls Internet access. 1. Integrating the FortiGate with the Windows DC LDAP server Go to User & Device > LDAP Servers to configure the LDAP server. 2. Installing FSSO agent on the Windows DC server Accept the license and follow the...

Single Sign-On using FSSO agent in advanced mode and FortiAuthenticator (Expert)

This recipe demonstrates FortiGate user authentication with FSSO agent installed on a Windows Domain Controller, and the use of a FortiAuthenticator as an LDAP server. In this example, user authentication controls Internet access.  1. Configuring an LDAP directory on the FortiAuthenticator Go to Authentication > User Management > Local Users to create a user list. Make sure to enable Allow LDAP browsing....

SSO using a FortiGate, FortiAuthenticator, and DC Polling (Expert)

This recipe demonstrates FortiGate user authentication with a FortiAuthenticator as a Single Sign-On server. In this example, the FortiAuthenticator is configured to collect the user logon by polling the Domain Controller logs. User authentication controls Internet access.  1. Configuring the FortiAuthenticator Go to Fortinet SSO Methods > SSO > General and configure these general settings. Go to Fortinet SSO Methods...

FortiVoice Enterprise Profiles: LDAP Profiles

FortiVoice phone profiles let you create user privileges and SIP profiles for configuring extensions and SIP trunks. It also allows you to modify caller IDs, schedule the FortiVoice unit, and configure phone and LDAP profiles. This recipe guides you through the process of configuring a LDAP profile. Configuring an LDAP Profile The LDAP submenu lets you...