Administration Guide

Exchange Server connector

FortiGate can collect additional information about authenticated users from corporate Microsoft Exchange Servers. After a user logs in, the additional information can be viewed in various parts of the GUI.

The Exchange connector must be mapped to the LDAP server that is used for authentication.

The following attributes are retrieved:

USER_INFO_FULL_NAME
USER_INFO_COMPANY
USER_INFO_CITY
USER_INFO_FIRST_NAME
USER_INFO_DEPARTMENT
USER_INFO_STATE
USER_INFO_LAST_NAME
USER_INFO_GROUP
USER_INFO_POSTAL_CODE
USER_INFO_LOGON_NAME
USER_INFO_TITLE
USER_INFO_COUNTRY
USER_INFO_TELEPHONE
USER_INFO_MANAGER
USER_INFO_ACCOUNT_EXPIRES
USER_INFO_EMAIL
USER_INFO_STREET
USER_INFO_USER_PHOTO
USER_INFO_POST_OFFICE_BOX

Kerberos Key Distribution Center (KDC) automatic discovery is enabled by default. The FortiGate must be able to use DNS to resolve the KDC IP addresses, otherwise the FortiGate will be unable to retrieve additional user information from the Exchange Server.

KDC automatic discovery can be disabled, and one or more internal IP addresses that the FortiGate can reach can be configured for KDC.

Enable Override server IP address when the IP address of the Exchange server cannot be resolved by DNS; the address must then be entered manually.

To configure an Exchange connector in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Endpoint/Identity section, click Exchange Server.
  3. Set Name to exchange140.
  4. Set Exchange account to Administrator@W2K8-SERV1.FORTINET-FSSO.COM.

    Administrator is the username, W2K8-SERV1 is the Exchange server name, and FORTINET-FSSO.COM is the domain name.

  5. Set Password to the password.
  6. Enable Override server IP address and set it to 10.1.100.140.
  7. Ensure that Auto-discover KDC is enabled.

    If Auto-discover KDC is disabled, one or more KDC IP addresses can be manually entered.

  8. Click OK.
To link the connector to the LDAP server in the GUI:
  1. Go to User & Authentication > LDAP Servers.
  2. Edit an existing LDAP server, or click Create New to create a new one.
  3. Enable Exchange server, and select the connector from the list.
  4. Configure the remaining settings as required.

  5. Click OK.
To configure an Exchange connector with automatic KDC discovery in the CLI:
config user exchange
    edit "exchange140"
        set server-name "W2K8-SERV1"
        set domain-name "FORTINET-FSSO.COM"
        set username "Administrator"
        set password **********
        set ip 10.1.100.140
        set auto-discover-kdc enable
    next
end
To link the connector to the LDAP server in the CLI:
config user ldap
    edit "openldap"
        set server "172.18.60.213"
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com"
        set type regular
        set username "cn=Manager,dc=fortinet-fsso,dc=com"
        set password **********
        set group-member-check group-object
        set group-object-filter "(&(objectclass=groupofnames)(member=*))"
        set member-attr "member"
        set user-info-exchange-server "exchange140"
    next
end

Verification

To verify that KDC auto-discovery is working:
# diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable
# diagnose wad user exchange test-auto-discover
wad_diag_session_acceptor(3115): diag socket 20 accepted.
__wad_fmem_open(557): fmem=0x12490bd8, fmem_name='cmem 9188 bucket', elm_sz=9188, block_sz=73728, overhead=0, type=advanced
Starting auto-discover test for all configured user-exchanges.
[NOTE]: If any errors are returned, try manually configuring IPs for the reported errors.

wad_rpc_nspi_test_autodiscover_kdc(1835): Starting DNS SRV request for srv(0x7f938e052050) query(_kerberos._udp.FORTINET-FSSO.COM)
wad_dns_send_srv_query(705): 1:0: sending DNS SRV request for remote peer _kerberos._udp.FORTINET-FSSO.COM id=0
1: DNS response received for remote host _kerberos._udp.FORTINET-FSSO.COM req-id=0
wad_dns_parse_srv_resp(409): _kerberos._udp.FORTINET-FSSO.COM: resp_type(SUCCESS)
  srv[0]: name(w2k12-serv1.fortinet-fsso.com) port(88) priority(0) weight(100)
    addr[0]: 10.1.100.131
    addr[1]: 10.6.30.131
    addr[2]: 172.16.200.131
    addr[3]: 2003::131
    addr[4]: 2001::131
  srv[1]: name(fsso-core-DC.Fortinet-FSSO.COM) port(88) priority(0) weight(100)
    addr[0]: 10.6.30.16
    addr[1]: 172.16.200.16
  srv[2]: name(w2k12-serv1.Fortinet-FSSO.COM) port(88) priority(0) weight(100)
    addr[0]: 10.1.100.131
    addr[1]: 172.16.200.131
    addr[2]: 10.6.30.131
    addr[3]: 2001::131
    addr[4]: 2003::131
wad_rpc_nspi_dns_on_discover_kdc_done(1787): Received response for DNS autodiscover req(0x7f938dfe8050) query(_kerberos._udp.FORTINET-FSSO.COM) n_rsp(3)

Completed auto-discover test for all configured user-exchanges.
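As an added example (not code from the Fortinet guide), the following Python parser reads test-auto-discover output in the format shown above, collects the unique KDC addresses discovered for each _kerberos._udp query, and flags the conditions an administrator would act on: a failed SRV lookup (which calls for manually configured KDC IPs), an SRV target with no resolved address, and a target advertising a port other than 88. The sample output, hostnames, addresses and the FAILURE status string are constructed assumptions; the parser treats any resp_type other than SUCCESS as a failure.

```python
import re

# Constructed sample modelled on the test-auto-discover output above; realms,
# hosts and addresses are made up, and "FAILURE" is an assumed status string.
SAMPLE = """\
Starting auto-discover test for all configured user-exchanges.
wad_dns_parse_srv_resp(409): _kerberos._udp.EXAMPLE.TEST: resp_type(SUCCESS)
  srv[0]: name(dc1.example.test) port(88) priority(0) weight(100)
    addr[0]: 10.0.0.10
    addr[1]: 2001:db8::10
  srv[1]: name(dc1.EXAMPLE.TEST) port(88) priority(0) weight(100)
    addr[0]: 10.0.0.10
  srv[2]: name(dc2.example.test) port(464) priority(10) weight(50)
wad_dns_parse_srv_resp(409): _kerberos._udp.OTHER.TEST: resp_type(FAILURE)
Completed auto-discover test for all configured user-exchanges.
"""

RESP_RE = re.compile(r"wad_dns_parse_srv_resp\(\d+\): (\S+): resp_type\((\w+)\)")
SRV_RE = re.compile(r"\s+srv\[\d+\]: name\((\S+)\) port\((\d+)\) priority\((\d+)\) weight\((\d+)\)")
ADDR_RE = re.compile(r"\s+addr\[\d+\]: (\S+)")

def parse_autodiscover(text):
    """Group SRV targets and their addresses under each _kerberos._udp query."""
    realms, realm, kdc = {}, None, None
    for line in text.splitlines():
        if m := RESP_RE.match(line):
            realm = realms.setdefault(m.group(1), {"status": m.group(2), "kdcs": []})
            kdc = None
        elif realm and (m := SRV_RE.match(line)):
            # DNS may return the same host in different letter case; normalise it.
            kdc = {"name": m.group(1).lower(), "port": int(m.group(2)), "addrs": []}
            realm["kdcs"].append(kdc)
        elif kdc and (m := ADDR_RE.match(line)):
            kdc["addrs"].append(m.group(1))
    return realms

def check_discovery(text):
    """Per realm: unique KDC addresses plus the problems an administrator should act on."""
    report = {}
    for query, info in parse_autodiscover(text).items():
        problems, addrs = [], set()
        if info["status"] != "SUCCESS":
            problems.append("SRV lookup failed (%s): configure KDC IPs manually" % info["status"])
        for kdc in info["kdcs"]:
            if kdc["port"] != 88:
                problems.append("%s advertises non-standard Kerberos port %d" % (kdc["name"], kdc["port"]))
            if not kdc["addrs"]:
                problems.append("%s has no resolvable address" % kdc["name"])
            addrs.update(kdc["addrs"])
        report[query] = {"kdc_addrs": sorted(addrs), "problems": problems}
    return report
```

Feed it the captured output of the diagnose command; an empty problems list for a realm means the FortiGate can reach a KDC by DNS without a manual KDC entry.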
To check the collected information after the user has been authenticated:
  1. In the GUI, go to Dashboard > Assets & Identities, expand the Firewall Users widget, and hover over the user name.
  2. In the CLI, run the following diagnose command:
    # diagnose wad user info 20 test1
    'username' = 'test1'
    'sourceip' = '10.1.100.185'
    'vdom' = 'root'
    'cn' = 'test1'
    'givenName' = 'test1'
    'sn' = 'test101'
    'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
    'telephoneNumber' = '604-123456'
    'mail' = 'test1@fortinet-fsso.com'
    'thumbnailPhoto' = '/tmp/wad/user_info/76665fff62ffffffffffffffffffff75ff68fffffffffa'
    'company' = 'Fortinet'
    'department' = 'Release QA'
    'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'streetAddress' = 'One Backend Street 1901'
    'l' = 'Burnaby'
    'st' = 'BC'
    'postalCode' = '4711'
    'co' = 'Canada'
    'accountExpires' = '9223372036854

    If the results are not as expected, verify what information the FortiGate can collect from the Exchange Server:

    # diagnose test application wad 2500
    # diagnose test application wad 162
