Fortinet white logo
Fortinet white logo

Administration Guide

SSL VPN with LDAP user password renew

SSL VPN with LDAP user password renew

This is a sample configuration of SSL VPN for LDAP users with Force Password Change on next logon. In this example, the LDAP server is a Windows 2012 AD server. A user ldu1 is configured on Windows 2012 AD server with Force password change on next logon.

Note

The LDAP renewal method is designed to replace (reset) the user password, meaning that the Active Directory password policy will not be enforced. For example, users can reuse the same password or use old ones.

You must have generated and exported a CA certificate from the AD server and then have imported it as an external CA certificate into the FortiGate.

Sample topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:
  1. Configure the interface and firewall address. The port1 interface connects to the internal network.

    1. Go to Network > Interfaces and edit the wan1 interface.

    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.

    3. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.

    4. Click OK.

    5. Go to Policy & Objects > Address and create an address for internet subnet 192.168.1.0.

  2. Import CA certificate into FortiGate:

    1. Go to System > Features Visibility and ensure Certificates is enabled.

    2. Go to System > Certificates and select Import > CA Certificate.

    3. Select Local PC and then select the certificate file.

      The CA certificate now appears in the list of External CA Certificates. In this example, it is called CA_Cert_1.

    4. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:

      config vpn certificate ca
          rename CA_Cert_1 to LDAPS-CA
      end
  3. Configure the LDAP user:

    Note

    The LDAP user must either be an administrator, or have the proper permissions delegated to it, to be able to change passwords of other registered users on the LDAP server.

    1. Go to User & Authentication > LDAP Servers and click Create New.

    2. Specify Name and Server IP/Name.

    3. Specify Common Name Identifier and Distinguished Name.

    4. Set Bind Type to Regular.

    5. Specify Username and Password.

    6. Enable Secure Connection and set Protocol to LDAPS.

    7. For Certificate, select LDAP server CA LDAPS-CA from the list.

    8. To enable the password-renew option, use these CLI commands.

      config user ldap
          edit "ldaps-server"
              set password-expiry-warning enable
              set password-renewal enable
          next
      end
  4. Configure user group:

    1. Go to User & Authentication > User Groups to create a user group.

    2. Enter a Name.

    3. In Remote Groups, click Add to add ldaps-server.

  5. Configure SSL VPN web portal:

    1. Go to VPN > SSL-VPN Portals to edit the full-access portal.

      This portal supports both web and tunnel mode.

    2. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

  6. Configure SSL VPN settings:

    1. Go to VPN > SSL-VPN Settings.

    2. Select the Listen on Interface(s), in this example, wan1.

    3. Set Listen on Port to 10443.

    4. Set Server Certificate to the authentication certificate.

    5. Under Authentication/Portal Mapping, set default Portal web-access for All Other Users/Groups.

    6. Create new Authentication/Portal Mapping for group ldaps-group mapping portal full-access.

  7. Configure SSL VPN firewall policy:

    1. Go to Policy & Objects > Firewall Policy.

    2. Fill in the firewall policy name, in this example, sslvpn certificate auth.

    3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).

    4. Set the Source Address to all and Source User to ldaps-group.

    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network, in this example, port1.

    6. Set Destination Address to the internal protected subnet 192.168.1.0.

    7. Set Schedule to always, Service to ALL, and Action to Accept.

    8. Enable NAT.

    9. Configure any remaining firewall and security options as desired.

    10. Click OK.

To configure SSL VPN using the CLI:
  1. Configure the interface and firewall address:

    config system interface 
        edit "wan1"
            set vdom "root"
            set ip 172.20.120.123 255.255.255.0
        next
    end
  2. Configure internal interface and protected subnet, then connect the port1 interface to the internal network:

    config system interface
        edit "port1"
            set vdom "root"
            set ip 192.168.1.99 255.255.255.0
        next
    end
    config firewall address
        edit "192.168.1.0"
            set subnet 192.168.1.0 255.255.255.0
        next
    end
  3. Import CA certificate into FortiGate:

    1. Go to System > Features Visibility and ensure Certificates is enabled.

    2. Go to System > Certificates and select Import > CA Certificate.

    3. Select Local PC and then select the certificate file.

      The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

    4. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:

      config vpn certificate ca
          rename CA_Cert_1 to LDAPS-CA
      end
  4. Configure the LDAP server:

    Note

    The LDAP user must either be an administrator, or have the proper permissions delegated to it, to be able to change passwords of other registered users on the LDAP server.

    config user ldap
        edit "ldaps-server"
            set server "172.20.120.161"
            set cnid "cn"
            set dn "cn=Users,dc=qa,dc=fortinet,dc=com"
            set type regular
            set username "CN=Administrator,cn=users,DC=qa,DC=fortinet,DC=com"
            set password **********
            set group-member-check group-object
            set secure ldaps
            set ca-cert "LDAPS-CA"
            set port 636
            set password-expiry-warning enable
            set password-renewal enable
        next
    end
  5. Configure user group:

    config user group
        edit "ldaps-group"
            set member "ldaps-server"
        next
    end
  6. Configure SSL VPN web portal:

    config vpn ssl web portal
        edit "full-access"
            set tunnel-mode enable
            set web-mode enable
            set ip-pools "SSLVPN_TUNNEL_ADDR1"
            set split-tunneling disable
         next
    end
  7. Configure SSL VPN settings:

    config vpn ssl settings
        set servercert "server_certificate"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set source-interface "wan1"
        set source-address "all"
        set default-portal "web-access"
        config authentication-rule
            edit 1
                set groups "ldaps-group"
                set portal "full-access"
            next        
        end
    end
  8. Configure one SSL VPN firewall policy to allow remote user to access the internal network:

    config firewall policy 
        edit 1
            set name "sslvpn web mode access"
            set srcintf "ssl.root"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "192.168.1.0"
            set groups “ldaps-group”
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
To see the results of web portal:
  1. From a remote device, use a web browser to log into the SSL VPN web portal http://172.20.120.123:10443.
  2. Log in using the ldu1 credentials.

    Use a user that is configured on FortiAuthenticator with Force password change on next logon.

  3. Click Login. You are prompted to enter a new password. The prompt will timeout after 90 seconds.
  4. Go to Dashboard > Network and expand the SSL-VPN widget to verify the user’s connection.
To see the results of tunnel connection:
  1. Download FortiClient from www.forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection:
    1. Set the connection name.
    2. Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123.
    3. Select Customize Port and set it to 10443.
  4. Save your settings.
  5. Log in using the ldu1 credentials.

    You are prompted to enter a new password. The prompt will timeout after 90 seconds.

To check the SSL VPN connection using the GUI:
  1. Go to Dashboard > Network and expand the SSL-VPN widget to verify the user’s connection.
  2. Go to Log & Report > System Events and select the VPN Events card to view the details of the SSL VPN connection event log.
  3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the web portal login using the CLI:
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User    Auth Type    Timeout    From           HTTP in/out  HTTPS in/out
 0       ldu1    1(1)         229        10.1.100.254   0/0          0/0

SSL VPN sessions:
 Index   User    Source IP      Duration        I/O Bytes       Tunnel/Dest IP
To check the tunnel login using the CLI:
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User    Auth Type    Timeout    From           HTTP in/out  HTTPS in/out
 0       ldu1    1(1)         291        10.1.100.254   0/0          0/0

SSL VPN sessions:
 Index   User    Source IP      Duration    I/O Bytes      Tunnel/Dest IP 
 0       ldu1    10.1.100.254   9           22099/43228    10.212.134.200

SSL VPN with LDAP user password renew

SSL VPN with LDAP user password renew

This is a sample configuration of SSL VPN for LDAP users with Force Password Change on next logon. In this example, the LDAP server is a Windows 2012 AD server. A user ldu1 is configured on Windows 2012 AD server with Force password change on next logon.

Note

The LDAP renewal method is designed to replace (reset) the user password, meaning that the Active Directory password policy will not be enforced. For example, users can reuse the same password or use old ones.

You must have generated and exported a CA certificate from the AD server and then have imported it as an external CA certificate into the FortiGate.

Sample topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:
  1. Configure the interface and firewall address. The port1 interface connects to the internal network.

    1. Go to Network > Interfaces and edit the wan1 interface.

    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.

    3. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.

    4. Click OK.

    5. Go to Policy & Objects > Address and create an address for internet subnet 192.168.1.0.

  2. Import CA certificate into FortiGate:

    1. Go to System > Features Visibility and ensure Certificates is enabled.

    2. Go to System > Certificates and select Import > CA Certificate.

    3. Select Local PC and then select the certificate file.

      The CA certificate now appears in the list of External CA Certificates. In this example, it is called CA_Cert_1.

    4. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:

      config vpn certificate ca
          rename CA_Cert_1 to LDAPS-CA
      end
  3. Configure the LDAP user:

    Note

    The LDAP user must either be an administrator, or have the proper permissions delegated to it, to be able to change passwords of other registered users on the LDAP server.

    1. Go to User & Authentication > LDAP Servers and click Create New.

    2. Specify Name and Server IP/Name.

    3. Specify Common Name Identifier and Distinguished Name.

    4. Set Bind Type to Regular.

    5. Specify Username and Password.

    6. Enable Secure Connection and set Protocol to LDAPS.

    7. For Certificate, select LDAP server CA LDAPS-CA from the list.

    8. To enable the password-renew option, use these CLI commands.

      config user ldap
          edit "ldaps-server"
              set password-expiry-warning enable
              set password-renewal enable
          next
      end
  4. Configure user group:

    1. Go to User & Authentication > User Groups to create a user group.

    2. Enter a Name.

    3. In Remote Groups, click Add to add ldaps-server.

  5. Configure SSL VPN web portal:

    1. Go to VPN > SSL-VPN Portals to edit the full-access portal.

      This portal supports both web and tunnel mode.

    2. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

  6. Configure SSL VPN settings:

    1. Go to VPN > SSL-VPN Settings.

    2. Select the Listen on Interface(s), in this example, wan1.

    3. Set Listen on Port to 10443.

    4. Set Server Certificate to the authentication certificate.

    5. Under Authentication/Portal Mapping, set default Portal web-access for All Other Users/Groups.

    6. Create new Authentication/Portal Mapping for group ldaps-group mapping portal full-access.

  7. Configure SSL VPN firewall policy:

    1. Go to Policy & Objects > Firewall Policy.

    2. Fill in the firewall policy name, in this example, sslvpn certificate auth.

    3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).

    4. Set the Source Address to all and Source User to ldaps-group.

    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network, in this example, port1.

    6. Set Destination Address to the internal protected subnet 192.168.1.0.

    7. Set Schedule to always, Service to ALL, and Action to Accept.

    8. Enable NAT.

    9. Configure any remaining firewall and security options as desired.

    10. Click OK.

To configure SSL VPN using the CLI:
  1. Configure the interface and firewall address:

    config system interface 
        edit "wan1"
            set vdom "root"
            set ip 172.20.120.123 255.255.255.0
        next
    end
  2. Configure internal interface and protected subnet, then connect the port1 interface to the internal network:

    config system interface
        edit "port1"
            set vdom "root"
            set ip 192.168.1.99 255.255.255.0
        next
    end
    config firewall address
        edit "192.168.1.0"
            set subnet 192.168.1.0 255.255.255.0
        next
    end
  3. Import CA certificate into FortiGate:

    1. Go to System > Features Visibility and ensure Certificates is enabled.

    2. Go to System > Certificates and select Import > CA Certificate.

    3. Select Local PC and then select the certificate file.

      The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

    4. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:

      config vpn certificate ca
          rename CA_Cert_1 to LDAPS-CA
      end
  4. Configure the LDAP server:

    Note

    The LDAP user must either be an administrator, or have the proper permissions delegated to it, to be able to change passwords of other registered users on the LDAP server.

    config user ldap
        edit "ldaps-server"
            set server "172.20.120.161"
            set cnid "cn"
            set dn "cn=Users,dc=qa,dc=fortinet,dc=com"
            set type regular
            set username "CN=Administrator,cn=users,DC=qa,DC=fortinet,DC=com"
            set password **********
            set group-member-check group-object
            set secure ldaps
            set ca-cert "LDAPS-CA"
            set port 636
            set password-expiry-warning enable
            set password-renewal enable
        next
    end
  5. Configure user group:

    config user group
        edit "ldaps-group"
            set member "ldaps-server"
        next
    end
  6. Configure SSL VPN web portal:

    config vpn ssl web portal
        edit "full-access"
            set tunnel-mode enable
            set web-mode enable
            set ip-pools "SSLVPN_TUNNEL_ADDR1"
            set split-tunneling disable
         next
    end
  7. Configure SSL VPN settings:

    config vpn ssl settings
        set servercert "server_certificate"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set source-interface "wan1"
        set source-address "all"
        set default-portal "web-access"
        config authentication-rule
            edit 1
                set groups "ldaps-group"
                set portal "full-access"
            next        
        end
    end
  8. Configure one SSL VPN firewall policy to allow remote user to access the internal network:

    config firewall policy 
        edit 1
            set name "sslvpn web mode access"
            set srcintf "ssl.root"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "192.168.1.0"
            set groups “ldaps-group”
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
To see the results of web portal:
  1. From a remote device, use a web browser to log into the SSL VPN web portal http://172.20.120.123:10443.
  2. Log in using the ldu1 credentials.

    Use a user that is configured on FortiAuthenticator with Force password change on next logon.

  3. Click Login. You are prompted to enter a new password. The prompt will timeout after 90 seconds.
  4. Go to Dashboard > Network and expand the SSL-VPN widget to verify the user’s connection.
To see the results of tunnel connection:
  1. Download FortiClient from www.forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection:
    1. Set the connection name.
    2. Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123.
    3. Select Customize Port and set it to 10443.
  4. Save your settings.
  5. Log in using the ldu1 credentials.

    You are prompted to enter a new password. The prompt will timeout after 90 seconds.

To check the SSL VPN connection using the GUI:
  1. Go to Dashboard > Network and expand the SSL-VPN widget to verify the user’s connection.
  2. Go to Log & Report > System Events and select the VPN Events card to view the details of the SSL VPN connection event log.
  3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the web portal login using the CLI:
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User    Auth Type    Timeout    From           HTTP in/out  HTTPS in/out
 0       ldu1    1(1)         229        10.1.100.254   0/0          0/0

SSL VPN sessions:
 Index   User    Source IP      Duration        I/O Bytes       Tunnel/Dest IP
To check the tunnel login using the CLI:
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User    Auth Type    Timeout    From           HTTP in/out  HTTPS in/out
 0       ldu1    1(1)         291        10.1.100.254   0/0          0/0

SSL VPN sessions:
 Index   User    Source IP      Duration    I/O Bytes      Tunnel/Dest IP 
 0       ldu1    10.1.100.254   9           22099/43228    10.212.134.200