Authenticating SSL VPN users using LDAP

This example illustrates how to configure a FortiGate to use LDAP authentication for remote SSL VPN users. With a properly configured LDAP server, user and authentication data can be maintained independently of the FortiGate, and the directory is queried only when a remote user attempts to connect through the SSL VPN tunnel.

This recipe assumes that the LDAP server is already configured.

1. Registering the LDAP server on the FortiGate
2. Importing LDAP users
3. Creating the SSL VPN user group
4. Creating the SSL address range
5. Configuring the SSL VPN tunnel
6. Creating security policies
7. Results

(Diagram: a remote user with LDAP credentials (id: twhite, pw: ********) connects to the FortiGate over SSL in web mode or tunnel mode; the FortiGate verifies the credentials against the LDAP server and forwards the session to the internal network.)
Registering the LDAP server on the FortiGate

Go to User & Device > Authentication > LDAP Servers and select Create New.

Enter the LDAP server's FQDN or IP address in Server Name/IP. If necessary, change the Server Port Number (the default is 389). Port 389 without Secure Connection is plain LDAP: the bind credentials and every VPN user's password cross the network in cleartext, so enable Secure Connection (LDAPS on port 636, or STARTTLS) wherever the directory supports it.

Enter the Common Name Identifier. Most LDAP servers use "cn" by default; Active Directory deployments usually use "sAMAccountName" so that users log in with their account name rather than their display name.

In the Distinguished Name field, enter the base distinguished name for the server, using the correct X.500 or LDAP format (for example, dc=example,dc=com).

Set the Bind Type to Regular, and enter the distinguished name and password of the bind account for User DN and Password. This account only needs read access to the user and group objects, so use a dedicated read-only service account rather than the directory administrator.

Importing LDAP users

Go to User & Device > User > User Definition, and create a new user, selecting Remote LDAP User.

Choose your LDAP server from the dropdown list.

You will be presented with a list of user accounts, filtered by the LDAP Filter to include only common user classes. If you are using a different objectClass to identify users on your LDAP server, edit the filter to show them in the list.
Select the users you want to register as users on the FortiGate, and select Next.

Confirm that the user information has been imported properly, and select Done.

Creating the SSL VPN user group

Go to User & Device > User > User Groups, and create an LDAP user group.

Add all of the user accounts imported from LDAP to the Members list.

If you have already configured user groups on the LDAP server, you can use the Remote Groups menu to import them instead. Matching on an LDAP group means that adding or removing a user in the directory changes their VPN access immediately, without editing the FortiGate; importing individual users leaves a per-user object on the FortiGate that must be maintained separately.

Creating the SSL address ranges

Go to Firewall Objects > Addresses > Addresses, and create a new address.

Set the Type to IP Range, and in the Subnet/IP Range field, enter the range of addresses you want to assign to SSL VPN clients. Select Any as the Interface. Choose a range that does not overlap any internal subnet, so that the policies below can tell VPN clients apart from internal hosts.

Then create another address for each subnet or IP range within your internal network to which remote users will connect.
Configuring the SSL VPN tunnel

Go to VPN > SSL > Portal, and select the plus icon in the upper right to create a new SSL portal configuration.

Enable Tunnel Mode, and enable Split Tunneling. For the IP Pool, select the address range you created. Enable Web Mode, and set the options as desired. With split tunneling, only traffic for the routing addresses you specify enters the tunnel; the rest of the client's traffic goes straight to the Internet, uninspected by the FortiGate.

Enable Include Bookmarks, and create a bookmark to access an internal network PC. In this example, the bookmark is an RDP connection, for remote desktop access.

By default, SSL VPN authentication expires after 28800 seconds (8 hours). This limit can be changed in the CLI:

    config vpn ssl settings
        set auth-timeout <seconds>
    end

Creating security policies

You will need to create two policies to handle web mode and tunnel mode SSL traffic.

Go to Policy > Policy > Policy, and create a new VPN policy to allow the SSL traffic through to the internal network.

Set the Incoming Interface to your Internet-facing interface, your Remote Address to all, your Local Interface to your internal network interface, and for the Local Protected Subnet, select the network access addresses you created.
Under Configure SSL-VPN Authentication Rules, select Create New to create a new rule to govern SSL traffic.

Set the Group to your SSL VPN group, select your LDAP user as User, and select your SSL-VPN Portal from the list.

Configure the logging and security profiles as needed.

Return to the policy list, and select Create New again, to create the tunnel mode firewall policy. Leave the Type as Firewall, and the Subtype as Address.

Set the Incoming Interface to the SSL VPN tunnel interface. Set the Source Address to the VPN users' address range. Set the Outgoing Interface to the internal network interface, and set the Destination Address to the internal network addresses that SSL users will need to reach. Keep the destination and service as narrow as the users' tasks allow (for the RDP bookmark in this example, the RDP service to the target PC); a destination of all with service ALL gives every VPN user the run of the internal network.

Enable NAT, and configure logging and security profiles as needed. NAT replaces each client's pool address with the FortiGate's internal interface address, so internal servers and their logs no longer show which VPN client connected. If per-user attribution on internal hosts matters to you, leave NAT disabled and make sure the internal network routes the pool range back to the FortiGate instead.
Results

Log into the SSL portal using the LDAP user credentials. The FortiGate will automatically contact the LDAP server for verification.

If a host check is configured in the portal, the FortiGate performs it next. After the check is complete, the SSL portal appears.
Select a bookmark, such as the RDP link, to begin an RDP session and connect to a PC on the internal network.

Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Web Application description indicates that the user is using web mode.

Go to Log & Report > Traffic Log > Forward Traffic to see details about SSL traffic.
In the Tunnel Mode widget, select Connect to enable the tunnel.

Select the RDP bookmark to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Tunnel description indicates that the user is using tunnel mode.
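When the login in the Results section fails, the useful checks are on the FortiGate CLI rather than in the client. The commands below are an added example, not part of the original recipe; the server name "LDAP", the user "twhite" and the password are placeholders for this example.

```text
# Added example (FortiOS CLI), not from the original recipe.
# "LDAP", "twhite" and the password are placeholders.

# Exercise the bind account and a user lookup directly, with the VPN
# out of the path. The password is typed in cleartext on the console.
diagnose test authserver ldap LDAP twhite "user-password"

# Trace the authentication daemon while a user logs in from the client,
# then switch the debug off again so it stops writing lookups to the console.
diagnose debug application fnbamd -1
diagnose debug enable
#   ... log in from the remote client ...
diagnose debug disable
diagnose debug reset

# Connected SSL VPN sessions, the CLI view of VPN > Monitor > SSL-VPN.
get vpn ssl monitor
```

A failing diagnose test authserver with a working bind usually means the Common Name Identifier or the base Distinguished Name does not match the directory; a failing bind means the bind DN, password, port or TLS setting is wrong.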