ZTNA HTTPS access proxy with basic authentication example

This example expands on the previous example (ZTNA HTTPS access proxy example) by adding LDAP authentication to the ZTNA rule. A user is allowed through only after passing all three checks: the client certificate authentication check, user authentication against the LDAP server, and the security posture check.

Users who are members of the AD security group ALLOWED-VPN are allowed access to the access proxy. Users who are not members of this security group are denied, even if they authenticate successfully.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.

LDAP/Active Directory Users and Groups:

  • Domain: KLHOME.local

  • Users (Groups):

    • radCurtis (Domain Users, ALLOWED-VPN)

    • radKeith (Domain Users)

To configure a secure connection to the LDAP server in the GUI:
  1. Go to User & Authentication > LDAP Servers and click Create New.

  2. Configure the following settings:

    Name: WIN2K16-KLHOME-LDAPS

    Server IP/Name: 192.168.20.6

    Server Port: 636

    Common Name Identifier: sAMAccountName

    Distinguished Name: dc=KLHOME,dc=local

    Exchange server: Disabled

    Bind Type: Regular. Enter the Username and Password of the account used for LDAP binding and lookup. A dedicated read-only service account is preferable to a domain administrator account, because these credentials are stored on the FortiGate.

    Secure Connection: Enabled

    • Set Protocol to LDAPS

    • Enable Certificate and select the CA certificate that issued the LDAP server certificate, so that the FortiGate validates the server certificate against it.

    Server identity check: Optional. Enable it so that the FortiGate also verifies the server name or IP address against the server certificate; without it, any certificate issued by the selected CA is accepted for this server.

  3. Click Test Connectivity to verify the connection to the server.

  4. Click OK.

To configure a secure connection to the LDAP server in the CLI:
config user ldap
    edit "WIN2K16-KLHOME-LDAPS"
        set server "192.168.20.6"
        set cnid "sAMAccountName"
        set dn "dc=KLHOME,dc=local"
        set type regular
        set username "KLHOME\\Administrator"
        set password <password>
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set port 636
    next
end
To configure a remote user group from the LDAP server in the GUI:
  1. Go to User & Authentication > User Groups and click Create New.

  2. Set the name to KLHOME-ALLOWED-VPN.

  3. Set Type to Firewall.

  4. In the Remote Groups table click Add:

    1. Set Remote Server to WIN2K16-KLHOME-LDAPS.

    2. Locate the ALLOWED-VPN group, right-click on it, and click Add Selected.

    3. Click OK.

  5. Click OK.

To configure a remote user group from the LDAP server in the CLI:
config user group
    edit "KLHOME-ALLOWED-VPN"
        set member "WIN2K16-KLHOME-LDAPS"
        config match
            edit 1
                set server-name "WIN2K16-KLHOME-LDAPS"
                set group-name "CN=ALLOWED-VPN,DC=KLHOME,DC=local"
            next
        end
    next
end

Authentication scheme and rules

After the LDAP server and user group have been configured, an authentication scheme and rule must be configured.

Note

To configure authentication schemes and rules in the GUI, go to System > Feature Visibility and enable Explicit Proxy.

Authentication scheme

The authentication scheme defines the method of authentication that is applied. In this example, basic HTTP authentication is used, so users are prompted for a username and password the first time they connect to a website through the HTTPS access proxy. Basic authentication only base64-encodes the credentials in the Authorization header; they are protected in transit only because the client connection to the access proxy is HTTPS.

To configure an authentication scheme in the GUI:
  1. Go to Policy & Objects > Authentication Rules and click Create New > Authentication Scheme.

  2. Set the name to ZTNA-Auth-scheme.

  3. Set Method to Basic.

  4. Set User database to Other and select WIN2K16-KLHOME-LDAPS as the LDAP server.

  5. Click OK.

To configure an authentication scheme in the CLI:
config authentication scheme
    edit "ZTNA-Auth-scheme"
        set method basic
        set user-database "WIN2K16-KLHOME-LDAPS"
    next
end

Authentication rule

The authentication rule defines the proxy sources and destinations that require authentication, and which authentication scheme is applied to them. In this example, active authentication through the basic HTTP prompt is applied to all sources.

To configure an authentication rule in the GUI:
  1. Go to Policy & Objects > Authentication Rules and click Create New > Authentication Rule.

  2. Set the name to ZTNA-Auth-rule.

  3. Set Source Address to all.

  4. Set Protocol to HTTP.

  5. Enable Authentication Scheme and select ZTNA-Auth-scheme.

  6. Click OK.
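The decision the access proxy makes once this rule matches, modelled offline as an added example (this is not FortiOS code): the 401 Basic challenge, the bind of the supplied credentials against the directory, and the user-group match on the ALLOWED-VPN DN from the "config match" entry above. The directory contents and passwords are constructed for the example, the realm name ZTNA is an assumption, the 403 for a user who binds but is not in the group is a modelling choice, and the DN normalization assumes no escaped commas inside RDN values.

```python
"""Offline model of the ZTNA basic-auth decision (added example, not FortiOS code)."""
import base64
import binascii
import hmac

# Constructed stand-in for the KLHOME.local directory: sAMAccountName -> entry.
# Passwords are invented; memberOf values are DNs as Active Directory returns them.
DIRECTORY = {
    "radCurtis": {
        "password": "Curtis-Example-1!",
        "memberOf": ["CN=Domain Users,CN=Users,DC=KLHOME,DC=local",
                     "CN=ALLOWED-VPN,DC=KLHOME,DC=local"],
    },
    "radKeith": {
        "password": "Keith-Example-1!",
        "memberOf": ["CN=Domain Users,CN=Users,DC=KLHOME,DC=local"],
    },
}

# The group-name from the FortiGate user group "config match" entry.
ALLOWED_GROUP_DN = "CN=ALLOWED-VPN,DC=KLHOME,DC=local"
REALM = "ZTNA"  # assumed realm string for the challenge


def basic_authorization_header(username: str, password: str) -> dict:
    """Client side: the header a browser sends after the 401 challenge.
    Basic is base64 only, not encryption; it is acceptable here solely because
    the access proxy terminates TLS before it reads the credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def parse_basic_authorization(value):
    """Return (username, password) from an Authorization header value, or None if
    it is absent, not Basic, not valid base64, or lacks the ':' separator.
    Per RFC 7617 the username cannot contain ':', so split on the first one."""
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def normalize_dn(dn: str) -> tuple:
    """Canonical form for comparing AD distinguished names: RDNs compare
    case-insensitively and whitespace around separators is ignored.
    Assumes no escaped commas inside RDN values (true for the DNs on the page)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def ldap_bind(username: str, password: str):
    """Stand-in for the regular bind the FortiGate performs with the user's
    credentials. Returns the directory entry on success, otherwise None."""
    entry = DIRECTORY.get(username)
    if entry is None:
        # Still run a comparison so timing does not reveal which usernames exist.
        hmac.compare_digest(password.encode(), b"no-such-user")
        return None
    if not hmac.compare_digest(password.encode(), entry["password"].encode()):
        return None
    return entry


def in_group(entry: dict, group_dn: str) -> bool:
    """The user-group match: is group_dn one of the user's memberOf values?"""
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(dn) == wanted for dn in entry["memberOf"])


def authorize(request_headers: dict, group_dn: str = ALLOWED_GROUP_DN):
    """Decide a request once the authentication rule has matched.
    Returns (status, response_headers): 401 re-issues the Basic challenge for
    missing or bad credentials, 403 means the bind worked but the user is not
    in the allowed group, 200 lets the request through to the server."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    # HTTP header names are case-insensitive.
    header = next((v for k, v in request_headers.items()
                   if k.lower() == "authorization"), None)
    creds = parse_basic_authorization(header)
    if creds is None:
        return 401, challenge
    entry = ldap_bind(*creds)
    if entry is None:
        return 401, challenge
    if not in_group(entry, group_dn):
        return 403, {}
    return 200, {}


if __name__ == "__main__":
    for user, pw in [("radCurtis", "Curtis-Example-1!"),
                     ("radKeith", "Keith-Example-1!"),
                     ("radCurtis", "wrong")]:
        print(user, authorize(basic_authorization_header(user, pw))[0])
```

Running the block shows radCurtis admitted (200), radKeith rejected after a successful bind (403), and a wrong password re-challenged (401). The group-name configured on the FortiGate must be the full DN as the directory returns it in memberOf; a group of the same name in a different container does not match.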