FortiGate SSL VPN (With AD/LDAPS Authentication)

So here is my Fortinet firewall. It's a virtual firewall that I have got running in EVE-NG. You can see here's my desktop, there's the firewall itself, I've got some Windows servers set up behind that and the domain, and I also have a remote client that I'm going to be attempting to SSL VPN into the network from. Here's a slightly prettier picture to let you know what we're trying to achieve.

The first thing I would like to do is to change the management port for the firewall. We're managing it from outside anyway, and the HTTPS management port is on TCP 443 by default, and that's going to start fighting with your SSL VPN. So I'm just going to change the management port for the outside of the firewall to 4433. Now I'm going to reconnect, and as you can see I'm now connected to the management front end of the firewall from outside on 4433 rather than the default HTTPS port of 443.

Another thing that we're going to need to set up is the DNS, or where the firewall is looking up its DNS, because we're going to use LDAPS, so we're going to need to resolve the names on the certificates (the Kerberos certificates on our domain controllers). So we need to resolve our internal host names, so I'm putting my internal DNS server in there.

Now I'm going to jump onto my Windows server and I am going to extract the CA certificate, because that's also my Certificate Services server, because I need to import that certificate onto my FortiGate. The reason we're going to be doing that is so that the firewall will trust certificates that have been issued by that CA server, namely the Kerberos server or the domain controller that we're going to be doing LDAPS lookups on. Go to System > Certificates and we're going to import this certificate: select CA Certificate, File Upload, and the certificate that I just exported on my Windows box, click Open, OK. Now you will see it's come up on the bottom of the screen there, under Remote CA Certificate. Take a note of what the name is, CA_Cert_1, because you're going to need that in a minute.

So now that we've got all the prerequisites set up for LDAP, I'm going to create an LDAP server, which will be my Active Directory server, my DC. Now put in the FQDN of the server rather than the IP address. If you put the IP address in, then the IP address has to exist on the digital certificate of the server, which it does not by default. And we're not using port 389, we're using port 636, because that's LDAPS and it's more secure. I'm going to change the common name identifier to sAMAccountName, and I'm going to put in the distinguished name of the top level of my domain. Now you can put in an OU that all your users and groups are going to be below if you want to, but I'm just going to put the top level of my domain in there. It's not an Exchange server. I want to perform a regular bind, which means I need an Active Directory username and password to be able to bind to Active Directory. Now this doesn't have to be a domain administrator or anything special, just a normal run-of-the-mill domain user, and I've got one set up for this purpose called the LDAPS user. I want a secure connection, I want to use LDAPS, and I want to use that certificate. If you go in the drop-down, this is why I said take a note of the name of the certificate: you can see it, select it out of the list. Test Connectivity, and that says Connected. Now, just as an extra belt and braces, you can put in a username and password from your Active Directory and just test that authentication works against your domain controllers. Yep, and there is my LDAP server ready.

Now back in my Active Directory, I'm going to create an Active Directory security group that I'm going to put the users into that I want to be able to access the remote access SSL VPN. So I'm just going to create a normal global security group in Active Directory, call it GS VPN Users, and I'm going to put my domain user object into that group just for testing.

OK, so back on the firewall, I'm now going to create a firewall group. I'm going to call that FW VPN Users. Now into the firewall group I'm going to put that Active Directory group. It might seem a little bit convoluted, but this is the way it needs to be done. So I'm going to add in a remote group: under Remote Server, select the LDAPS server that I've just created, and if I drill down into my Active Directory, there's my group there. You need to right-click, Add Selected (double-clicking doesn't work). To make sure that you've got it correct, you should see your LDAPS server there and then the distinguished name of your Active Directory group in there. That's where you know that it's worked properly. Click OK. There you can see I've got my firewall group already configured.

Now the SSL VPN portal: I'm going to create a portal to connect to. Give it a sensible name. I'm going to leave split tunnel enabled. Source IP pools: this is a pool of IP addresses that's going to get allocated to your remote clients when they connect. Give it a sensible name and then set the type to IP Range, and then the syntax is the lowest IP address dash the highest IP address. You also need to specify what interface it's going to be applicable to, and in this case that's the SSL VPN tunnel interface. Click OK. You can now use that as an object in policies etc., so I'm going to add that in to the source IP pools. Now scroll down to Portal Message, and you can put in this: this is the title that will appear at the top of the page when you connect to your VPN portal. You can also select a sort of colour scheme if you like; I'm going to leave that set on blue, but you can change it depending on whatever your corporate colours are. Make sure Enable FortiClient Download has been enabled, and click OK, and there's our VPN portal set up.

Now we need to adjust the SSL VPN settings. Those might look a little bit different if it's out of the box, so you won't have an outside interface in there, and you might need to manually add yours in. You'll notice there's a caveat there about it being a self-signed certificate; in a production environment you'll want to purchase a publicly signed certificate. Select Address Range, Specify Address Range: the one that's in there is from the previous lab, it's not the one that we've just created, so add in the one that we've just created. Scroll down, and now we need to create a portal mapping: select our group, that's our firewall group that we created earlier, and our portal, and that ties the two things together. Click OK and click Apply. If it complains that the other one's not configured or that there's an error, you just need to configure the other one and set it to Web Access.

Now the last thing is the firewall policy, underneath Policy & Objects (yours might say IPv4 Policy if it's an older firewall). Create a new firewall policy, give it a sensible name. Select the incoming interface, which will be the SSL VPN; the outgoing interface will be the inside or the LAN interface; source will be your remote VPN pool, and you also need to add on your firewall VPN users group in there as well; destination, local LAN; schedule, always; service set to ALL; it'll be Accept by default; disable NAT; and change Generate Logs When Session Starts to on, and click OK. That is our policy configured.

So what we need to do now is jump on our external host and browse to the outside IP address of the firewall. Log on with my username that was in my AD user group. On this particular machine I don't have FortiClient installed, so I can download the FortiClient for Windows. For the purpose of the video I've sped the following up. It's relatively easy to install FortiClient; we're only installing the remote access VPN element, I'm not putting anything else on. Let it install, hit Finish. Now you can launch it once it's up and running, directly from the system tray or the Windows Start menu, of course when it's finished updating and giving me messages. Launch FortiClient and go to Remote Access, Configure VPN. Give your connection a sensible name, ensure of course that SSL VPN is selected at the top, and in the Remote Gateway put in either the public IP address of the FortiGate firewall or the FQDN that's on the publicly signed certificate that you're going to use. I'm just going to tick the box there to not warn about invalid server certificates, because I'm using a self-signed one. Click Save, and then with my domain credentials I should be able to log in, he says optimistically. Yep, there we go, that's me connected externally to the VPN. And just to give that a test, you can see if I can ping my Active Directory server, which is 192.168.1.122. There we go, that's me connected. Then to simply disconnect or break the VPN, hit Disconnect once you're done. Thanks very much for watching, don't forget to come and visit us at www.pnetlive.com.
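The same build expressed as FortiOS CLI, as an added example that is not the video author's own configuration: the management-port change, the LDAPS server object (FQDN rather than IP, port 636, the imported CA), the firewall group matched to the AD group by distinguished name, and the portal mapping. The hostname dc01.example.local, the object names, the bind-account DN, the group DN and the interface name are assumed placeholders; the IP pool, portal and firewall policy from the video are left out for length.

```text
# Assumed placeholders: dc01.example.local, DC=example,DC=local, AD-LDAPS, FW VPN Users, wan1
# Move HTTPS admin off TCP 443 so it does not collide with the SSL VPN listener
config system global
    set admin-sport 4433
end
# Internal DNS so the DC's FQDN (the name on its certificate) resolves
config system dns
    set primary 192.168.1.122
end
# FQDN not IP (the name must match the DC certificate); 636 = LDAPS, not plain LDAP on 389
# CA_Cert_1 is the CA certificate imported under System > Certificates
config user ldap
    edit "AD-LDAPS"
        set server "dc01.example.local"
        set port 636
        set cnid "sAMAccountName"
        set dn "DC=example,DC=local"
        set type regular
        set username "CN=ldapsuser,CN=Users,DC=example,DC=local"
        set password "<bind-password>"
        set secure ldaps
        set ca-cert "CA_Cert_1"
    next
end
# Firewall group that only matches members of the AD security group, by its DN
config user group
    edit "FW VPN Users"
        set member "AD-LDAPS"
        config match
            edit 1
                set server-name "AD-LDAPS"
                set group-name "CN=GS VPN Users,CN=Users,DC=example,DC=local"
            next
        end
    next
end
# Portal mapping: the firewall group gets the tunnel portal, everyone else the default web-access portal
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "FW VPN Users"
            set portal "Remote-Access"
        next
    end
end
```

Running `diagnose test authserver ldap AD-LDAPS <user> <password>` from the CLI is the equivalent of the GUI's Test User Credentials button and also shows which AD groups the account was matched to.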
Info
Channel: PeteNetLive
Views: 9,819
Id: cp3UZSl3TNc
Length: 13min 47sec (827 seconds)
Published: Wed Jan 06 2021