Fortinet white logo
Fortinet white logo

Administration Guide

Secure LDAP connection from FortiAuthenticator with zero trust tunnel example

Secure LDAP connection from FortiAuthenticator with zero trust tunnel example

When an on-premise Active Directory or LDAP server must be accessed remotely, a secure connection is important. LDAP without security should not be exposed on the internet, as user information and passwords are transferred in plain text.

This example describes how to configure a secure LDAP connection from a remote FortiAuthenticator to an on-premise AD server.

The on-premise FortiProxy acts as a ZTNA application gateway to allow the FortiAuthenticator access to the AD using a TCP forwarding access proxy. Traditionally, this requires endpoints to have FortiClient installed with ZTNA destinations configured in order to connect and authenticate with a client certificate. In this scenario, the FortiAuthenticator will operate a local certificate authority, which generates a client certificate for the connection. The local root CA certificate is exported and installed on the FortiProxy in order to authenticate and trust the client connection. This replaces the need for a FortiClient EMS server to manage the client certificate and act as the certificate authority.

For detailed configuration steps, see Setting up a zero trust tunnel on the FortiAuthenticator page.

Secure LDAP connection from FortiAuthenticator with zero trust tunnel example

Secure LDAP connection from FortiAuthenticator with zero trust tunnel example

When an on-premise Active Directory or LDAP server must be accessed remotely, a secure connection is important. LDAP without security should not be exposed on the internet, as user information and passwords are transferred in plain text.

This example describes how to configure a secure LDAP connection from a remote FortiAuthenticator to an on-premise AD server.

The on-premise FortiProxy acts as a ZTNA application gateway to allow the FortiAuthenticator access to the AD using a TCP forwarding access proxy. Traditionally, this requires endpoints to have FortiClient installed with ZTNA destinations configured in order to connect and authenticate with a client certificate. In this scenario, the FortiAuthenticator will operate a local certificate authority, which generates a client certificate for the connection. The local root CA certificate is exported and installed on the FortiProxy in order to authenticate and trust the client connection. This replaces the need for a FortiClient EMS server to manage the client certificate and act as the certificate authority.

For detailed configuration steps, see Setting up a zero trust tunnel on the FortiAuthenticator page.