Fortinet Document Library

FortiOS 6.2.0 New Features
Obtain full user information through the MS Exchange connector

FortiGate can collect additional information about authenticated users from corporate MS Exchange servers. After a user logs in, the additional information can be viewed in various parts of the GUI.

The Exchange connector must be mapped to the LDAP server that is used for authentication.

The following attributes are retrieved:

USER_INFO_FULL_NAME

USER_INFO_COMPANY

USER_INFO_CITY

USER_INFO_FIRST_NAME

USER_INFO_DEPARTMENT

USER_INFO_STATE

USER_INFO_LAST_NAME

USER_INFO_GROUP

USER_INFO_POSTAL_CODE

USER_INFO_LOGON_NAME

USER_INFO_TITLE

USER_INFO_COUNTRY

USER_INFO_TELEPHONE

USER_INFO_MANAGER

USER_INFO_ACCOUNT_EXPIRES

USER_INFO_EMAIL

USER_INFO_STREET

USER_INFO_USER_PHOTO

USER_INFO_POST_OFFICE_BOX

This example shows the configuration and verification in the CLI.

To configure and use an Exchange connector:
  1. Configure the Exchange user:
    config user exchange
        edit "exchange140"
            set server-name "W2K8-SERV1"
            set domain-name "FORTINET-FSSO.COM"
            set username "Administrator"
            set password ENC XXXXXXXXXXXXXXXXXXXXXXX
            set ip 10.1.100.140
            set kdc-ip "10.1.100.131"
        next
    end

    Where:

    server-name

    The hostname of the Exchange server.

    domain-name

    The Active Directory domain name.

    username

    The username that FortiGate uses to connect to the Exchange server. The example uses the built-in Administrator account; because these credentials are stored on the FortiGate, a dedicated account with only the rights needed to read user attributes is the better choice in production.

    password

    The password that FortiGate uses to connect to the Exchange server.

    ip

    The IP address of the Exchange server.

    kdc-ip

    The IP address of the Global Catalog server (in this example the same domain controller, 10.1.100.131, that is used as the LDAP server in step 2).

    For details about other commands, see the FortiOS CLI Reference.

  2. Set the Exchange server in the LDAP user:
    config user ldap
        edit "AD-ldap"
            set server "10.1.100.131"
            set server-identity-check disable
            set cnid "cn"
            set dn "dc=fortinet-fsso,dc=com"
            set type regular
            set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
            set password ENC XXXXXXXXXXXXXXXXXXXX
            set secure ldaps
            set port 636
            set password-renewal enable
            set user-info-exchange-server "exchange140"
        next
    end

    The user-info-exchange-server setting links the LDAP server used for authentication to the Exchange connector configured in step 1. Note that this lab configuration uses LDAPS on port 636 but sets server-identity-check disable, so the FortiGate does not verify that the certificate it receives belongs to the configured LDAP server; in production, keep identity checking enabled so that a host able to intercept the connection cannot impersonate the directory.
To check the collected information after the user has been authenticated:
  1. In the GUI, go to Monitor > Firewall User Monitor and hover over the user name.

  2. In the CLI, run the following command:
    # diagnose wad user info 20 test1
    'username' = 'test1'
    'sourceip' = '10.1.100.185'
    'vdom' = 'root'
    'cn' = 'test1'
    'givenName' = 'test1'
    'sn' = 'test101'
    'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
    'telephoneNumber' = '604-123456'
    'mail' = 'test1@fortinet-fsso.com'
    'thumbnailPhoto' = '/tmp/wad/user_info/76665fff62ffffffffffffffffffff75ff68fffffffffa'
    'company' = 'Fortinet'
    'department' = 'Release QA'
    'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'streetAddress' = 'One Backend Street 1901'
    'l' = 'Burnaby'
    'st' = 'BC'
    'postalCode' = '4711'
    'co' = 'Canada'
    'accountExpires' = '9223372036854

    If the results are not as expected, use the following commands to verify what information FortiGate can collect from the Exchange server:

    diagnose test application wad 2500
    diagnose test application wad 162

    You can also enable debugging during user authentication:

    diagnose wad debug enable level verbose
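The diagnostic output above is line oriented, repeats multi-valued attributes such as memberOf on separate lines, and reports accountExpires as a raw Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC, where 0 or 9223372036854775807 means the account never expires). The following Python script is an added example, not part of the FortiOS documentation: it parses that output into a record that keeps repeated attributes, converts accountExpires to a date, and pulls the group CNs out of the memberOf DNs so the dump can be checked or fed into a SIEM. The embedded sample is constructed from the page's output for test1 (with a complete accountExpires value), and the function names are this example's own.

```python
"""Parse 'diagnose wad user info' output into a structured record.

Added example; not part of the FortiOS documentation. SAMPLE_OUTPUT is
constructed from the page's example for user test1. Function names are
this example's own choices.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# One attribute line:  'key' = 'value'
# The closing quote is optional so that a line cut off by a terminal or
# log collector (as accountExpires is on the page) still parses.
_LINE_RE = re.compile(r"^\s*'([^']+)'\s*=\s*'(.*?)'?\s*$")

# accountExpires is a Windows FILETIME: 100-ns intervals since 1601-01-01 UTC.
# 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}

# Constructed sample, modelled on the page's output (command echo included).
SAMPLE_OUTPUT = """\
# diagnose wad user info 20 test1
'username' = 'test1'
'sourceip' = '10.1.100.185'
'vdom' = 'root'
'cn' = 'test1'
'givenName' = 'test1'
'sn' = 'test101'
'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
'mail' = 'test1@fortinet-fsso.com'
'department' = 'Release QA'
'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'accountExpires' = '9223372036854775807'
"""


def parse_user_info(text: str) -> dict[str, list[str]]:
    """Map each attribute to its list of values, preserving repeats (memberOf)."""
    record: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m is None:
            continue  # command echo, blank lines, anything that is not 'k' = 'v'
        record.setdefault(m.group(1), []).append(m.group(2))
    return record


def account_expiry(record: dict[str, list[str]]) -> datetime | None:
    """Return the expiry as a UTC datetime, or None if the account never expires."""
    values = record.get("accountExpires")
    if not values:
        return None
    raw = int(values[0])
    if raw in _NEVER_EXPIRES:
        return None
    # FILETIME counts 100-ns ticks; timedelta wants microseconds (10 ticks each).
    return _FILETIME_EPOCH + timedelta(microseconds=raw // 10)


def first_rdn_value(dn: str) -> str:
    """Value of the leading RDN of a DN ('CN=g1,OU=...' -> 'g1').

    Escaped commas inside attribute values are not handled; the DNs FortiGate
    reports in this output do not use them.
    """
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


def group_names(record: dict[str, list[str]]) -> list[str]:
    """CNs of the groups listed under memberOf, in the order FortiGate reported them."""
    return [first_rdn_value(dn) for dn in record.get("memberOf", [])]


def summarize(text: str) -> dict:
    """Condense one diagnostic dump into the fields an analyst usually wants."""
    record = parse_user_info(text)
    expiry = account_expiry(record)
    return {
        "user": record.get("username", [None])[0],
        "upn": record.get("userPrincipalName", [None])[0],
        "source_ip": record.get("sourceip", [None])[0],
        "groups": group_names(record),
        "manager": first_rdn_value(record["manager"][0]) if "manager" in record else None,
        "expires": expiry.isoformat() if expiry else "never",
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT).items():
        print(f"{key:>10}: {value}")
```

Pipe the FortiGate output into the script (or paste it into SAMPLE_OUTPUT) to confirm that the groups and expiry FortiGate collected match what the directory should return for that user; a missing memberOf or an unexpected "never" expiry is a quick sign that the connector is reading the wrong account or domain.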
