Administration Guide

Configuring FortiSASE with an LDAP server for remote user authentication in SWG mode

Configuring remote users over LDAP allows FortiSASE to integrate with a Windows Active Directory (AD) domain controller or another LDAP server. In this example, a Windows domain controller holds the users in its AD. You want to allow certain users to use FortiSASE as their secure web gateway (SWG) and to authenticate with their Windows domain credentials.

The Windows server sits behind a FortiGate that uses a virtual IP address (VIP) to port forward TCP port 10636 to the domain controller's LDAPS service. Communication over this VIP is allowed only from the FortiSASE IP address, so the directory is not exposed to arbitrary Internet hosts. The example domain is KLHOME.local.

Note

DNS, LDAP, and RADIUS servers that FortiSASE authenticates against must be reachable on public IP addresses or publicly resolvable FQDNs. This may require configuration or topology changes, such as the FortiGate VIP used in this example. See Network restrictions removed.

Configuring the LDAP server in FortiSASE

To configure the LDAP server in FortiSASE:
  1. Go to Configuration > LDAP.
  2. Click Create.
  3. Configure the following settings:

    Field

    Description

    Name

    Connection name.

    Server IP/Name

    LDAP server IP address or FQDN.

    Server Port

By default, FortiSASE connects over LDAPS on port 636. If your server listens on a custom port, define it here. In this example, it is 10636, the port that the FortiGate VIP forwards to the domain controller.

    Common Name Identifier

The attribute by which your LDAP server identifies the username. Attribute names are case-sensitive; enter them exactly as shown.

    • In an AD, this is commonly the common name attribute, denoted cn.
    • Alternatively, in an AD you can use the logon name attribute, sAMAccountName.
    • In other LDAP servers, it is often the user ID attribute, denoted uid.
    • In an AD, for usernames in the username@domain format, use the user principal name (UPN) attribute, userPrincipalName.

    Distinguished Name

The base object from which FortiSASE looks up user account entries on the LDAP server. It reflects the hierarchy of LDAP containers above the entries you want to match on the Common Name Identifier.

    To look up all objects recursively under the root of the example AD domain, specify dc=KLHOME,dc=local. To restrict the lookup to users in a specific organizational unit, specify ou=VPN-Users,dc=KLHOME,dc=local. The narrower base is preferable, because only accounts under it can authenticate.

    Secure Connection

Enable to connect to the server over LDAPS. Using LDAPS is recommended so that the bind credentials and user passwords are encrypted in transit. If disabled, communication, including passwords, occurs in clear text.

    Password Renewal

    Enable remote password renewal. When the LDAP user's password expires, the user can renew their password when authenticating with FortiSASE. This option is only available if using LDAPS.

    Certificate

Select the CA certificate that signed the server certificate for your LDAPS connection. If the server certificate is not signed by a CA that FortiSASE already trusts, export the CA certificate from your server and install it on FortiSASE. To import the certificate, do the following:

    1. Click Certificate, then Create.
    2. If you have the certificate file, select File.
    3. Click Upload. This creates a new remote CA certificate in the FortiSASE certificate store.

    You can also import and view the certificate in System > Certificates.

    Server Identity Check

If enabled, the server certificate must include the IP address or FQDN entered in the Server IP/Name field. Enabling this check prevents another host that presents a certificate signed by the same CA from impersonating the LDAP server; if you enter an IP address here, the certificate must contain that IP address, not only the server's DNS name.

    Advanced Group Matching

    Enable advanced group matching. Based on your LDAP server, you may need to configure additional properties to ensure that FortiSASE correctly matches LDAP groups.

    Group Member Check

    Determines which attributes FortiSASE uses for group matching:

    • Group object
    • POSIX group object
    • User attribute

    Group Filter

    Enter the filter to use for group matching. Required when Group Member Check is set to User attribute.

    Group Search Base

    Enter the search base to use for group searching. Required when Group Member Check is set to User attribute.

    Member Attribute

    Enter the name of the attribute from which FortiSASE retrieves the group membership information.

    Note

    The FortiSASE Endpoint Management Service does not support importing LDAP subdomains if you have already imported the LDAP parent domain previously into it.

  4. Configure the following Authenticate settings:

    Field

    Description

    Bind Type

Select one of the following. Regular bind is recommended:

    • Simple: bind directly as the authenticating user, using a DN formed from the Common Name Identifier and the Distinguished Name. The LDAP server only looks up that DN and does not search the subtree, so the user must be located directly under the configured Distinguished Name.
    • Anonymous: bind as the anonymous user, then search starting from the Distinguished Name and recurse over the subtrees. Many LDAP servers do not allow this.
    • Regular: bind using the username and password provided below, then search starting from the Distinguished Name and recurse over the subtrees.

    Username

If using regular bind, enter the username of the bind account. In the example AD, this may be KLHOME\administrator or administrator@KLHOME. In production, use a dedicated service account that has only read access to the directory rather than a domain administrator, because these credentials are stored on FortiSASE and sent to the server on every bind.

    Password

    If using regular bind, enter the password.

    Client Certificate

    Enable client certificate for authentication with LDAPS server. Select the client certificate that you previously uploaded to FortiSASE.

  5. Click Test connection. If the connection fails, return to the previous steps and correct the LDAP server settings, or skip the test. If the connection succeeds, click Next.
  6. Review the configuration, then click Submit.
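The following Python model is an added illustration and is not part of the Fortinet documentation or product code. It shows two things that the settings above leave implicit: how the Common Name Identifier, Distinguished Name and Bind Type combine into the LDAP request sent for a username (with the username escaped so that it cannot alter the filter or the DN), and what Server Identity Check requires of the certificate's subject alternative names. The domain KLHOME.local and the OU VPN-Users come from this example; the user jdoe, the SAN lists and all function names are constructed for the illustration, and the simple-bind behaviour is modelled on the Bind Type descriptions above.

```python
"""Added example (not Fortinet code): a model of the LDAP lookup that the
Common Name Identifier, Distinguished Name and Bind Type settings drive, and
of the Server Identity Check.  User names and SAN lists are constructed
sample data; nothing here contacts a real LDAP server."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# RFC 4515 filter escaping.  A username is untrusted input; without escaping,
# "jdoe)(objectClass=*" would change the meaning of the search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# RFC 4514 escaping for an attribute value placed inside a DN (simple bind).
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if ch in _DN_SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


@dataclass
class LdapSettings:
    cn_identifier: str       # "cn", "sAMAccountName", "uid" or "userPrincipalName"
    distinguished_name: str  # search base, e.g. "ou=VPN-Users,dc=KLHOME,dc=local"
    bind_type: str           # "simple", "anonymous" or "regular"


def plan_lookup(cfg: LdapSettings, username: str) -> dict:
    """Describe the request sent for `username`.

    Simple bind performs no search: the user DN is assembled from the CN
    identifier and the configured DN, so the account must sit directly under
    that DN.  Anonymous and regular bind search the whole subtree below the DN.
    """
    if cfg.bind_type == "simple":
        dn = f"{cfg.cn_identifier}={escape_dn_value(username)},{cfg.distinguished_name}"
        return {"bind_dn": dn, "search": None}
    return {
        "bind_dn": None,
        "search": {
            "base": cfg.distinguished_name,
            "scope": "subtree",
            "filter": f"({cfg.cn_identifier}={escape_filter_value(username)})",
        },
    }


def server_identity_matches(server_ip_or_name: str, san_entries: list[str]) -> bool:
    """Server Identity Check: the value configured in Server IP/Name must be
    present in the certificate's subjectAltName.  An IP address is satisfied
    only by an IP SAN (a domain controller certificate normally carries DNS
    names only), and a wildcard covers a single left-most label.
    `san_entries` are "DNS:<name>" / "IP:<address>" strings."""
    try:
        want_ip = ipaddress.ip_address(server_ip_or_name)
    except ValueError:
        want_ip = None
    host = server_ip_or_name.lower().rstrip(".")
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        if want_ip is not None:
            try:
                if kind == "IP" and ipaddress.ip_address(value) == want_ip:
                    return True
            except ValueError:
                pass
            continue
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        # "*.klhome.local" matches "dc01.klhome.local" but not "a.b.klhome.local"
        if pattern.startswith("*.") and host.count(".") >= 2:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False


if __name__ == "__main__":
    cfg = LdapSettings("sAMAccountName", "ou=VPN-Users,dc=KLHOME,dc=local", "regular")
    print(plan_lookup(cfg, "jdoe")["search"]["filter"])  # (sAMAccountName=jdoe)
    print(plan_lookup(cfg, "jdoe)(objectClass=*")["search"]["filter"])
    print(server_identity_matches("203.0.113.10", ["DNS:dc01.KLHOME.local"]))  # False
```

A check worth making before clicking Test connection: if Server IP/Name holds an IP address, confirm that the server certificate actually carries that address as an IP subject alternative name. A domain controller certificate issued by Active Directory Certificate Services usually lists only the controller's DNS names, so entering the public VIP address with Server Identity Check enabled fails unless the certificate includes that address; entering a publicly resolvable FQDN that appears on the certificate avoids the problem without disabling the check.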

Configuring FortiSASE as an SWG server

The end user follows these instructions to configure SWG mode on their machine. SWG settings can be configured at the OS level or in a browser. When they are configured at the OS level, they apply to all installed browsers. The following instructions configure SWG settings at the OS level on a Windows 10 device.

To configure Windows 10 to use the FortiSASE SWG server:
  1. In Windows, go to Windows Settings > System > Proxy Settings.
  2. Enable Use setup script.
  3. In the Script address field, enter the Hosted PAC File URL.
  4. The next time the user starts a browser session, the browser displays an authentication prompt. The end user enters their Windows domain credentials in the prompt. After ten minutes of inactivity, the browser prompts for credentials again.