Configuring integration with Azure AD domain services for VPN
Configuring an integration with Azure AD domain services consists of the following:
To configure Azure AD domain services:
- In the Azure management portal, create Azure AD domain services. You can deploy it to a new or existing resource group. For information about Azure AD domain services, see Azure AD Domain Services documentation. It can take up to 60 minutes for Azure to create your AD domain.
- Go to Azure AD Domain Services > Synchronization. Configure whether to synchronize all Azure AD users and groups or scoped groups and members.
- Go to Azure AD Domain Services > Properties. You can find IP addresses on which Azure AD domain services are running. These IP addresses must be reachable for your FortiGate for the setup to work.
- Verify your domain in Azure Active Directory > Custom domain names by adding a TXT or MX record to your DNS settings.
- Create users in Azure Active Directory > Users > New User. Write down the user password as it is required to log in to https://portal.office.com and you must change the password after initial login.
- In Azure Active Directory > Groups, create a new group and assign the user created in step 5 to this group.
To configure the FortiGate-VM for integration with Azure AD domain services:
- In FortiOS, go to User & Authentication > LDAP Servers and configure the LDAP server based on the Azure AD domain service IP address obtained in step 3 of To configure Azure AD domain services:.
- Go to User & Authentication > User Groups and configure the user group that you will be using for the SSL VPN portal or client-to-site VPN connection based on the group that you configured in Azure AD.
- You can also define a user in User & Authentication > User Definition that corresponds to the user that you created in step 5 of To configure Azure AD domain services:. You can use this user in firewall policies for SSL VPN or client-to-site VPN connections.
- Go to VPN > SSL-VPN Settings and enable an SSL VPN portal on the WAN interface. See SSL VPN web mode for remote user.
Self-signed certificates are provided by default to simplify initial installation and testing. Acquiring a signed certificate for your installation is HIGHLY recommended.
Continuing to use these certificates can result in your connection being compromised, allowing attackers to steal your information, such as credit card details.
For more information, see Use a non-factory SSL certificate for the SSL VPN portal and Procuring and importing a signed SSL certificate.
- Go to Policy & Objects and edit the SSL VPN policy. For the source, select the user group and/or user that you configured in steps 2 and 3. Define what applications, protocols, and resources to allow for SSL VPN users.
- Log in to the SSL VPN portal as the Azure AD user.
- To configure client-to-site VPN access using FortiClient, go to VPN > IPsec Wizard and select the user group created in step 2. Azure AD creates and manages this group's members. See FortiClient as dialup client for details on configuring FortiClient.
- You can use Azure AD users as administrator accounts to manage your FortiGate. Go to System > Administrators and configure a new administrator from a remote server that belongs to the remote user group on Azure AD that you configured in step 2.