Using agentless NTLM authentication for proxy policies
Agentless NTLM authentication can be configured directly from the FortiProxy unit to the domain controller using the SMB protocol (no agent is required). This authentication method is only supported for proxy policies. The set domain-controller command is only available when method is set to ntlm and/or negotiate-ntlm is set to enable. This section describes how to configure this feature.
Step 1: Configure an LDAP server for user authentication
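# LDAP server object that the domain-controller entry (next step) references.
# 'regular' means the unit binds with the username/password below, so those
# credentials are stored on the unit: use a read-only directory account with
# the minimum rights needed for user and group lookups.
config user ldap
edit <LDAP_server_name>
set server <LDAP_server_IPv4_address>
set cnid <common_name_identifier>
set dn "<distinguished_name>"
set type regular
set username <user_name>
# No 'set secure' appears in this procedure, so the bind (and this password)
# would travel as plain LDAP; add 'set secure ldaps' (or starttls) with a CA
# certificate when the path to the server is not trusted.
set password <password>
# strip + account-key-name: the attribute named here (sAMAccountName in the
# example) is what the NTLM user name is matched against.
set account-key-processing strip
set account-key-name <account_key_name>
next
end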
For example:
# Lab example of the LDAP object: server 10.1.1.111, base DN fpxlab1.local,
# binding as the fpxqa account.
config user ldap
edit "ldap_svr"
set server "10.1.1.111"
set cnid "cn"
set dn "dc=fpxlab1,dc=local"
set type regular
# Bind account; give it read-only directory rights only.
set username "CN=fpxqa,CN=Users,DC=fpxlab1,DC=local"
# 'ENC ...' is the form the unit prints for the stored bind password. Treat any
# exported configuration that contains it with the same care as the password.
set password ENC z0qqGIJMzOfrc/X2xHxxgggtmDx5R8HetKMlAGdCwQlu1/Mtj9TU1OU2R/DzwUJutXFPPiw/S6ocGjplxOhDSP+4GlqJW6T1Lx+VvHFdGkS4fEa3DUpNR/1DaH8WNCEDddsLEIZdNl2j6+9uuyIlzjq69JwmoiU4S5/ZsIqPZN0FCi5F34aENi7D3keU5c0QK/Ebhw==
set account-key-processing strip
# NTLM user names are matched against sAMAccountName.
set account-key-name "sAMAccountName"
next
end
Step 2: Configure the domain controller
# Domain controller that the NTLM authentication scheme points at. Per the
# introduction the unit talks to it over SMB; the ldap-server reference ties it
# to the LDAP object from Step 1 (presumably for the directory side of the
# lookup -- confirm in the product reference).
config user domain-controller
edit <domain_controller_name>
set ip-address <IPv4_address>
# DNS domain of the controller, e.g. fpxlab1.local in the example.
set domain-name <domain_DNS_name>
set ldap-server <LDAP_server_name>
next
end
For example:
# Lab example: the domain controller is the same host as the LDAP server
# (10.1.1.111) and the entry reuses the name "ldap_svr". The two objects are
# still distinct; the quoted name on set ldap-server refers to the
# 'config user ldap' entry, not to this entry.
config user domain-controller
edit "ldap_svr"
set ip-address 10.1.1.111
set domain-name "fpxlab1.local"
set ldap-server "ldap_svr"
next
end
Step 3: Create an LDAP user group
# User group used later by the firewall policy. The member is the LDAP server
# object; the 'config match' entry narrows membership to users that belong to
# the named directory group, so the policy does not admit every LDAP user.
config user group
edit <user_group_name>
set member <group_member_name>
config match
edit <ID>
set server-name <LDAP_server_name>
# Full DN of the directory group, e.g. CN=lab1grp1,CN=Users,DC=fpxlab1,DC=local.
set group-name <group_to_match_on_the_LDAP_server>
next
end
next
end
For example:
# Lab example: "ldap_grp1" contains only LDAP users that are members of
# lab1grp1; the firewall policy example references "ldap_grp1" in set groups.
config user group
edit "ldap_grp1"
set member "ldap_svr"
config match
edit 1
set server-name "ldap_svr"
set group-name "CN=lab1grp1,CN=Users,DC=fpxlab1,DC=local"
next
end
next
end
Step 4: Create an authentication scheme
# Authentication scheme. 'set domain-controller' is only offered when method is
# ntlm (or negotiate-ntlm is enabled), as stated in the introduction.
# NTLM is a legacy challenge/response method without mutual authentication;
# where clients support Kerberos, prefer 'set method negotiate' and keep NTLM
# only as the fallback.
config authentication scheme
edit <authentication_scheme_name>
set method ntlm
set domain-controller <domain_controller_name>
next
end
For example:
# Lab example: scheme named "ntlm" bound to the "ldap_svr" domain controller.
# The authentication rule references this scheme by its edit name.
config authentication scheme
edit "ntlm"
set method ntlm
set domain-controller "ldap_svr"
next
end
Step 5: Create an authentication rule
# Authentication rule: traffic matching srcintf/srcaddr/dstaddr is challenged
# with the scheme named in active-auth-method (which must be the edit name of
# the scheme created above).
config authentication rule
edit <authentication_rule_name>
set srcintf <list_of_incoming_interfaces>
set srcaddr <IPv4_addresses | all | none>
set dstaddr <IPv4_addresses | all | none>
set active-auth-method "ntlm"
next
end
For example:
# Lab example: "any"/"all" challenge every client that reaches the proxy.
# In production, scope srcaddr to the user subnets so that unexpected sources
# are not prompted for credentials.
config authentication rule
edit "rule_ntlm"
set srcintf "any"
set srcaddr "all"
set dstaddr "all"
set active-auth-method "ntlm"
next
end
Step 6: Create a firewall policy
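# Explicit web proxy policy. 'set groups' limits it to authenticated members
# of the LDAP user group created above, so an unauthenticated or non-member
# client does not match this policy.
config firewall policy
edit <policy_ID>
set type explicit-web
set name <policy_name>
set explicit-web-proxy "web-proxy"
# dstintf is the outgoing (destination) interface; the incoming side is
# implied by the explicit proxy.
set dstintf <list_of_outgoing_interfaces>
set srcaddr <IPv4_addresses | all | none>
set dstaddr <IPv4_addresses | all | none>
set action accept
set schedule "always"
set service "webproxy"
# Full traffic logging plus per-request HTTP transaction logs: these are the
# records used to verify authentication in the last step and for later review.
set logtraffic all
set log-http-transaction enable
set groups <LDAP_user_group>
set utm-status enable
set webfilter-profile <web_filter_profile>
next
end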
For example:
# Lab example: policy 1 accepts proxied web traffic from any source to any
# destination, but only for authenticated members of "ldap_grp1", applies the
# "Warn Dating" web filter profile and logs every transaction.
config firewall policy
edit 1
set type explicit-web
set name "first-policy"
set explicit-web-proxy "web-proxy"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "webproxy"
# Logging that the verification step and any later investigation rely on.
set logtraffic all
set log-http-transaction enable
set groups "ldap_grp1"
set utm-status enable
set webfilter-profile "Warn Dating"
next
end
Step 7: Verify that the user was authenticated. In the output of diagnose wad user list, check that auth_method shows NTLM and that user name shows the expected domain user. An auth_type of IP appears to mean the entry is keyed to the client address shown (10.1.1.1 here), so any other host sharing that address would be treated as the same user until the entry expires.
FPX-VM10 # diagnose wad user list
ID: 48, IP: 10.1.1.1, VDOM: root
user name : lab1only@fpxlab1.local
worker : 0
duration : 8
auth_type : IP
proxy_type : Explicit Proxy
auth_method : NTLM
pol_id : 1
g_id : 2
user_based : 0
expire : no
LAN:
bytes_in=60781 bytes_out=1156138
WAN:
bytes_in=1158380 bytes_out=55516