Active Directory Connector for FortiGate: FSAE – Fortinet Server Authentication Extension

If we want to integrate the firewall with our Active Directory (AD) so that we do not always have to use local users, but can instead take advantage of the users already in the domain controllers' database, we use a tool called FSAE. This procedure explains how to install FSAE, how to configure the domain controllers and the firewall, and then how to create a policy so that only Active Directory users can browse the Internet (or whatever rule interests us).

The first thing is to download the tool (linked as HERE in the original post). We start the installer and get a typical wizard. We can install it on any PC; it will then remotely install agents on the domain controllers to extract information about the users in the AD database. I recommend installing it on a domain controller. Click “Next”.

The default path is fine, “Next”.

It asks for a username and password with permissions to start the FSAE services; we enter an account with sufficient rights, usually the domain administrator, “Next”.

“Install” to start the installation.

OK, we tick the “Launch DC Agent Install Wizard” checkbox to begin installing the agents on the domain controllers, which collect user information and password hashes, “Finish”.

OK, we enter the IP of the agent that will hold the AD database information, that is, a domain controller. The default port is 8002. Click “Next”.

OK, it detects our domain and we click “Next”.

It shows all the user accounts in our Active Directory. Normally all AD accounts are monitored, but we can tick the ones we do NOT want analyzed. Then we click “Next”.

It detects the two domain controllers in my domain; on both it will monitor logins so that FSAE works properly. We tick both so the agent is installed on them. “Next”.

OK, it indicates that the agent has been installed correctly on the first domain controller. It needs to be restarted before it starts working; we do that when we can.

Likewise, on the second domain controller it has also installed correctly. We restart it when we can.

“Finish”

Once restarted, we open the “Configure FSAE” console.

We see the two domain controllers whose logins are being monitored to collect their users' passwords. We check that the ports are 8000 and 8002 and, above all, that the “Require authenticated connection from FortiGate” checkbox is enabled, and we give it the password the firewall will use to connect to it. Click “Apply” and then exit with “Save & close”.

Good. To configure the firewall so that it works with Active Directory, we log in to the FW and go, on the left side, to “User” > “Windows AD”, and click “Create New” to connect to an AD.

In “FortiClient AD” we put the domain name, for example “bujarra.com” or whatever it is. In “Server #1” (and so on) we put all the domain controllers (Global Catalogs): their IP and port 8000, which was the default earlier, plus the password so it can connect, which is the one we set up earlier in FSAE, in my example “123456”. We repeat this step for as many domain controllers as we have or want to monitor logins on. Click “OK”.

If we refresh the screen, once it updates it will retrieve all the users/groups from my domain's Active Directory.

Now we can create a user group drawn from Active Directory. It is important to know that this does not work per user but per group; if we need to do something for a single user, we still have to create a group. In the left menu, to create the group: “User” > “User Group” > “Create New”.

We give it a name in “Name”, in my case GrupoAD; in “Type” we select “Active Directory”; we do not need to assign it any protection profile. In “Available Users” we can choose the users we want to put in the group. I select a group that contains all my users and move it to the right side. Click “OK”.

There we have our group. Now we have to use it in the rules we want.

For example, if I only want users in my domain to browse the Internet, I go to the rules in “Firewall” > “Policy” and edit the one from internal to wan1.

Within the policy, I tick “Authentication”, select “Active Directory”, add the group I just created and click “OK”. Only users who belong to that group will be able to browse. Because it is a group of users from my Active Directory, it will not prompt them for authentication when browsing with Internet Explorer/Mozilla…; authentication happens automatically. If we did not work with Active Directory user groups it would be more cumbersome, because we would need a user database on the firewall, and it would be worse for issues like “if a user changes their Windows password…”. It is best to have everything integrated with Active Directory.
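For readers who prefer the CLI or want to script the firewall side of this procedure, here is the equivalent of the three GUI steps above (the FSAE server entry, the Active Directory user group, and the internal-to-wan1 policy). This is an added example, not configuration from the original post. The keywords follow the FortiOS 3.x-era "user fsae" syntax from memory and should be checked against the CLI reference for your firmware; the domain controller IPs, the policy id and the AD member group name are constructed placeholders, while the domain, port 8000, the password “123456”, the group name GrupoAD and the internal/wan1 interfaces come from the post.

```fortios
# Added example: FortiOS CLI equivalent of the GUI steps in the post (not the post's own config).
# Keywords assume FortiOS 3.x-era syntax; verify against your firmware's CLI reference.
# 192.0.2.x addresses are constructed placeholders (documentation range), not real DCs.

# 1. FSAE collector agents: one server entry per domain controller running the agent.
#    Port 8000 and the password "123456" are the values set in "Configure FSAE" above.
config user fsae
    edit "bujarra.com"
        set server 192.0.2.10          # first domain controller (placeholder IP)
        set port 8000
        set password 123456
        set server2 192.0.2.11         # second domain controller (placeholder IP)
        set port2 8000
        set password2 123456
    next
end

# 2. A user group of Active Directory type. The member is the AD group as the FortiGate
#    lists it after polling the collector; the "DOMAIN/Group" form here is an assumption.
config user group
    edit "GrupoAD"
        set group-type directory-service
        set member "BUJARRA/Domain Users"   # placeholder AD group name
    next
end

# 3. The internal -> wan1 policy, now accepting only traffic from authenticated members
#    of GrupoAD. Policy id 1 is assumed; use the id of the existing rule you edited.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set groups "GrupoAD"               # triggers AD-based authentication on this rule
        set nat enable
    next
end
```

Because the collector is configured to require an authenticated connection from the FortiGate, the password in the `user fsae` entry must match the one saved in “Configure FSAE”; if it does not, the firewall will never receive the user/group list and the policy will silently block everyone. On FortiOS 3.x/4.x the connection state and the received logons can be checked from the CLI with `diagnose debug authd fsae server-status` and `diagnose debug authd fsae list`.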


Author

nheobug@bujarra.com
Author of the Bujarra.com blog. Whatever you need, do not hesitate to contact me; I will try to help whenever I can. Sharing is living ;). Enjoy the documents!!!

21 October 2008