SSL VPN with LDAP user password renew

This is a sample configuration of SSL VPN for LDAP users with Force Password Change on next logon. In this example, the LDAP server is a Windows 2012 AD server. A user ldu1 is configured on Windows 2012 AD server with Force password change on next logon.

You must have generated and exported a CA certificate from the AD server and then have imported it as an external CA certificate into the FortiGate.

Sample topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:
  1. Configure the interface and firewall address. The port1 interface connects to the internal network.

    1. Go to Network > Interfaces and edit the wan1 interface.

    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.

    3. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.

    4. Click OK.

    5. Go to Policy & Objects > Address and create an address for internet subnet 192.168.1.0.

  2. Import CA certificate into FortiGate:

    1. Go to System > Features Visibility and ensure Certificates is enabled.

    2. Go to System > Certificates and select Import > CA Certificate.

    3. Select Local PC and then select the certificate file.

      The CA certificate now appears in the list of External CA Certificates. In this example, it is called CA_Cert_1.

    4. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:

      config vpn certificate ca
          rename CA_Cert_1 to LDAPS-CA
      end
  3. Configure the LDAP user: