7.2.5

Authentication scheme and rules

User authentication helps define users and groups for role-based access control. An authentication scheme and an authentication rule must both be configured to trigger user authentication. The authentication scheme defines which method of authentication is applied. An authentication rule specifies which proxy sources and destinations require authentication, and which authentication scheme to apply to them.

This step demonstrates basic authentication using an LDAP server that connects to the Active Directory on our Windows server 10.88.0.1. In our topology, the LDAP server LDAP-fortiad used for SSL VPN access can be reused for ZTNA.

To configure an authentication scheme from GUI:
  1. Go to Policy & Objects > Authentication Rules and select Authentication Schemes from the top right.

  2. Click Create New > Authentication Scheme.

  3. Enter the name ZTNA-Auth-Scheme.

  4. Select Method Basic.

  5. Change User Database to Other.

  6. Select the LDAP server LDAP-fortiad.

  7. Click OK to complete.

To configure an authentication rule from GUI:
  1. Click Create New > Authentication Rules.

  2. Enter the name ZTNA-Auth-Rule.

  3. Set Source Address to all.

  4. Set Incoming interface to WAN (port3).

  5. Leave Protocol as HTTP.

  6. Enable Authentication Scheme and select ZTNA-Auth-Scheme.

  7. IP-based Authentication should be set to Enable.

  8. Enable This Rule should be set to Enable.

  9. Click OK to complete.
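The same scheme and rule expressed in the FortiOS CLI, as an added example that is not part of the original page; it assumes the object names used above and that the WAN interface is port3, as in the GUI steps.

```fortios
# Authentication scheme: HTTP basic authentication against the LDAP server
config authentication scheme
    edit "ZTNA-Auth-Scheme"
        set method basic
        # "Other" user database in the GUI = the named LDAP server here
        set user-database "LDAP-fortiad"
    next
end

# Authentication rule: apply the scheme to proxied HTTP traffic
# arriving on port3 from any source, with IP-based authentication
config authentication rule
    edit "ZTNA-Auth-Rule"
        set status enable
        set protocol http
        set srcintf "port3"
        set srcaddr "all"
        set ip-based enable
        set active-auth-method "ZTNA-Auth-Scheme"
    next
end
```

After a client has authenticated, `diagnose firewall auth list` on the FortiGate shows the resulting IP-based authentication entry for that client address.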