FortiGate Single Sign-On (FSSO) Agent Mode with Active Directory Integration

Hello All,

In this article we explain how to configure FSSO in agent mode against Microsoft Active Directory over LDAP.

There are many videos and articles that explain this, but we will give you the approach with the best performance; just follow this article step by step.

In this scenario we use one FortiGate (1000D) and two Active Directory servers (the primary DC and an additional DC).

[Figure 1]

First of all, you need to integrate the FortiGate with the LDAP (AD) servers. To let the FortiGate send LDAP queries to the Active Directory servers, configure the LDAP entries as below.

Go to User -> Remote -> LDAP and create a new LDAP entry. Keep in mind that you should create one LDAP entry for each domain controller:

[Figure 2]

NAME: any meaningful display name for the LDAP entry.
SERVER NAME/IP: the IP address of the domain controller.
SERVER Port: 389, the standard (unencrypted) LDAP port.
COMMON NAME IDENTIFIER: sAMAccountName, the attribute the FortiGate matches user names against.
Distinguished Name: the distinguished name of your domain, the search base for all queries (the next few lines show how to find it).
Bind Type: Regular.
User DN: the account the FortiGate binds with; the article uses a domain admin user.
Password: the password of that bind account.

Before we continue, here is how to find the Distinguished Name for your domain controller:

Open ADSI Edit (adsiedit.msc) from Run on the domain controller, as below:

[Figure 3]

The ADSI Edit console appears. Right-click ADSI Edit and click "Connect to":

[Figure 4]

Under "Select a well known Naming Context", make sure "Default naming context" is selected and click OK:

[Figure 5]

Now, as you can see, the distinguished name of the domain (the default naming context on the DC) is "DC=contoso,DC=com", as shown below:

[Figure 6]

If you need the LDAP entry to cover only a specific OU, group, user, etc., browse to the object you need; the Distinguished Name column is shown next to each object, as below:

[Figure 7]

If the Distinguished Name column does not appear, you can find the value by right-clicking the object you need and clicking Properties, as below:

[Figure 8]

Find the distinguishedName attribute and click the View button, as below:

[Figure 9]

Finally, copy the value to where you need it:

[Figure 10]
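As an added example that is not part of the original article, the same lookups can be done from PowerShell on a domain-joined Windows host, which is quicker than clicking through ADSI Edit and also lets you test the bind exactly as the FortiGate LDAP entry will perform it (regular bind on port 389, sAMAccountName as the common name identifier, the domain DN as the search base). It assumes the ActiveDirectory RSAT module is installed; the DC name, bind account, OU, group and user names are placeholders to replace with your own values.

```powershell
# Added example, not from the original article: find the Distinguished Names the
# FortiGate LDAP entry needs and test the bind from a domain-joined Windows host.
# Assumptions: the ActiveDirectory (RSAT) module is installed; every value marked
# "placeholder" must be replaced with your own.

Import-Module ActiveDirectory

$DcAddress   = 'dc1.contoso.com'             # placeholder: SERVER NAME/IP of one DC
$BindUser    = 'CONTOSO\svc-fortigate-ldap'  # placeholder: the bind account (User DN field)
$BindPass    = Read-Host -AsSecureString -Prompt 'Bind account password'
$TestAccount = 'jdoe'                        # placeholder: a sAMAccountName to look up
$OuName      = 'Staff'                       # placeholder: an OU you may want as a narrower base
$GroupName   = 'VPN-Users'                   # placeholder: a group you will add in the FSSO agent

# 1. Domain DN: the value for the FortiGate "Distinguished Name" field
#    (the same value ADSI Edit shows for the default naming context).
$domainDn = (Get-ADDomain).DistinguishedName
"Domain DN : $domainDn"

# 2. DNs of a specific OU, group and user, for a narrower search base or for the
#    FSSO agent group list. Objects that do not exist simply return nothing here.
$ouDn    = (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" | Select-Object -First 1).DistinguishedName
$groupDn = (Get-ADGroup -Filter "Name -eq '$GroupName'" | Select-Object -First 1).DistinguishedName
$userDn  = (Get-ADUser -Filter "SamAccountName -eq '$TestAccount'" | Select-Object -First 1).DistinguishedName
"OU DN     : $ouDn"
"Group DN  : $groupDn"
"User DN   : $userDn"

# 3. Bind test that mirrors the FortiGate LDAP entry: regular (simple) bind on port 389
#    with the bind account, then a search for sAMAccountName under the domain DN.
$plainPass = [System.Net.NetworkCredential]::new('', $BindPass).Password
$root      = New-Object System.DirectoryServices.DirectoryEntry(
                 "LDAP://$($DcAddress):389/$domainDn", $BindUser, $plainPass)
$searcher  = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(sAMAccountName=$TestAccount)"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'memberOf'))
try {
    $hit = $searcher.FindOne()   # throws if the bind (credentials, port, base DN) is wrong
    if ($null -eq $hit) {
        Write-Warning "Bind succeeded, but no object with sAMAccountName=$TestAccount under $domainDn"
    } else {
        "Bind OK   : found $($hit.Properties['distinguishedname'][0])"
        $hit.Properties['memberof'] | ForEach-Object { "   member of $_" }
    }
} catch {
    Write-Warning "Bind or search failed: $($_.Exception.Message)"
} finally {
    $plainPass = $null   # do not keep the clear-text password around longer than needed
}
```

If step 3 fails while the DN values in steps 1 and 2 look right, the problem is the bind account or the port rather than the search base, which is the same split you will see on the FortiGate when its LDAP test fails. The bind only needs read access to the directory, so the placeholder uses a dedicated service account rather than a personal admin account.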

Now, let’s continue our configuration of FSSO.

Go to https://support.fortinet.com/ , log in to the support portal with your account, then go to Download > Firmware Images > Downloads > select your version > FSSO > FSSO setup file.

Installing the FSSO agent on the Windows AD server:

First run the agent installer on the primary (active) DC, then on the secondary one, as below:

[Figure 11]

[Figure 12]

[Figure 13]

[Figure 14]

[Figure 15]

You should reboot the DC.

[Figure 16]
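Before moving to the FortiGate, it is worth confirming on the DC that the collector agent actually came back after the reboot and is reachable; otherwise the FSSO status on the FortiGate will simply stay red and you end up debugging the wrong side. The following checks are an added example and not part of the original article or of Fortinet's own tooling. They assume the agent's service display name below matches your installed version (confirm it with Get-Service), that the collector listens on TCP 8000 (the FortiOS default for agent-mode FSSO), and that the DC host names are placeholders for your own.

```powershell
# Added example, not from the original article: post-install checks for the FSSO
# collector agent, run in an elevated PowerShell session on the DC where the agent
# was installed. Assumptions: the service display name matches your version (check
# with Get-Service), the collector uses the FortiOS default port TCP 8000, and the
# DC list below is a placeholder.

$CollectorServiceName = 'Fortinet Single Sign On Agent'   # assumption: verify with Get-Service
$CollectorPort        = 8000                              # FortiOS default FSSO collector port
$LdapPort             = 389                               # port used by the FortiGate LDAP entries
$DomainControllers    = @('dc1.contoso.com', 'dc2.contoso.com')   # placeholders

$ok = $true

# 1. Is the collector service present and running after the reboot?
$svc = Get-Service | Where-Object { $_.DisplayName -eq $CollectorServiceName }
if (-not $svc) {
    Write-Warning "No service with display name '$CollectorServiceName'; list services with Get-Service and adjust the name"
    $ok = $false
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "$($svc.DisplayName) is $($svc.Status), not Running"
    $ok = $false
} else {
    "Service OK : $($svc.DisplayName) ($($svc.Name)) is Running"
}

# 2. Is the collector listening for the FortiGate on TCP 8000?
$listener = Get-NetTCPConnection -State Listen -LocalPort $CollectorPort -ErrorAction SilentlyContinue
if ($listener) {
    "Listener OK: TCP $CollectorPort is open on $($listener.LocalAddress -join ', ')"
} else {
    Write-Warning "Nothing is listening on TCP $CollectorPort; the FSSO status on the FortiGate will stay red"
    $ok = $false
}

# 3. Can every DC that has a FortiGate LDAP entry be reached on 389 (LDAP) and on
#    8000 (collector on the DC), i.e. the two ports the FortiGate itself will use?
foreach ($dc in $DomainControllers) {
    foreach ($port in @($LdapPort, $CollectorPort)) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        if ($t.TcpTestSucceeded) {
            "Reachable  : $dc tcp/$port"
        } else {
            Write-Warning "$dc tcp/$port is not reachable; check the host firewall on that DC"
            $ok = $false
        }
    }
}

if ($ok) { 'All FSSO prerequisite checks passed' }
else     { 'One or more checks failed; fix them before adding the agent on the FortiGate' }
```

Step 3 runs from the DC, so a reachable result here does not prove the path from the FortiGate is open; it rules out the DC-side service and host firewall, which is where most failed FSSO installations end up.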

Configuring Single Sign-On on the FortiGate:

[Figure 17]

Now you should see the status with a green check mark, which means the FSSO agent connection to the LDAP (DC) server is up.

[Figure 18]

Now go back to the LDAP (DC) server and open the FSSO agent to configure your AD groups on the agent.

This is the trick: configure your OUs and groups from the FSSO agent, NOT from the FortiGate.

In the agent on your DC, select "Configure groups" and add the groups you want:

[Figure 19]

Then go back to the FortiGate, open the FSSO entry you already created, click Apply and Refresh, and you should see the groups you selected in the agent.

Creating a user group in the FortiGate:

[Figure 20]

Adding a policy in the FortiGate:

[Figure 21]

About Bloggers …

Ahmad Al-Kafaween, CCNP R&S, Fortinet Network Security Expert 4 (NSE4)

Ahmad Al-Kafaween is a Specialist Network Engineer and publisher at the AzureDummies blog. He also holds many certificates in Cisco routing and switching, Cisco Express Foundation for Field (CXFF), and FortiGate Security.

Find Ahmad on Facebook or LinkedIn.

Ahmad Yasin (MCSA Office 365, MCSE: Messaging, Azure Certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the publisher of the AzureDummies blog. He also holds many certificates in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions, and MCSA Office 365.

Find Ahmad on Facebook and LinkedIn.
