Establishing an SSL VPN Connection to FortiGate using Azure AD | FortiGate
Summary
TLDR: This video demonstrates the setup of SSL VPN authentication on a FortiGate device using Azure AD as the identity provider. It follows the process from the remote user's experience of connecting via SSL VPN, including SSO with Azure AD, to the admin's configuration steps on the FortiGate firewall. Key steps include configuring the CLI for Azure AD, importing certificates, setting up SSL VPN portals and settings, and creating firewall policies. The video covers everything from user authentication to network security setup, guiding viewers through the entire configuration process.
Takeaways
- 😀 A remote user connects to FortiGate via SSLVPN with Azure AD as the identity provider (IDP).
- 😀 The user is redirected to Azure AD for authentication and then back to FortiGate once completed.
- 😀 The user experience is similar for both web mode and FortiClient SSLVPN connections.
- 😀 The user can verify the SSLVPN connection by accessing internal applications after successful login.
- 😀 Five key steps are involved in configuring FortiGate for Azure AD authentication (excluding Azure AD configuration).
- 😀 In the first configuration step, the CLI IDP and user group are set on FortiGate.
- 😀 Azure AD application configuration requires assigning users and groups, then setting up single sign-on (SSO) URLs.
- 😀 FortiGate requires importing the Azure AD certificate and setting the correct username and group configurations.
- 😀 A FortiGate SSLVPN portal must be created and configured to enable tunnel mode, web mode, and predefined bookmarks.
- 😀 SSLVPN settings on FortiGate must specify listening interfaces, ports, and authentication/portal mappings.
- 😀 The final step involves configuring firewall policies to ensure the SSLVPN connection is routed properly for the user group.
Q & A
What is the main purpose of the video script?
- The video demonstrates how to configure SSL VPN authentication on FortiGate with Azure AD as the identity provider (IDP), focusing on both the user and admin experiences during the setup process.
How does the remote user authenticate through SSL VPN?
- The remote user authenticates by first accessing the SSL VPN through a web browser or FortiClient. Once the user clicks on Single Sign-On (SSO), the authentication request is redirected to Azure AD. After authentication, the user is redirected back to the FortiGate device to establish the SSL VPN connection.
What are the five steps needed to configure FortiGate for authentication with Azure AD?
- The five steps are: 1) Configure the CLI with IDP and user group, 2) Complete Azure AD configuration, 3) Import the Azure AD certificate into FortiGate, 4) Configure the SSL VPN portal, and 5) Configure the firewall policy.
What does the admin need to do in Azure AD to prepare for the integration with FortiGate?
- The admin needs to create an Enterprise Application in Azure AD, assign users and groups, and configure the Single Sign-On (SSO) settings, including the SAML configuration. The entity ID, sign-on URL, and logout URL must be transferred to the FortiGate configuration.
What configuration is required on FortiGate for SSL VPN authentication with Azure AD?
- The administrator must configure the CLI with SSO settings, import the Azure AD certificate, configure user and group attributes, set up the SSL VPN portal, configure SSL VPN settings, and create the firewall policy.
How does the FortiGate CLI configuration help with the integration?
- The FortiGate CLI configuration is used to set up the Identity Provider (IDP), specify the user group, and configure URLs for SSO, ensuring that the FortiGate device can communicate securely with Azure AD for authentication.
What is the role of the SSL VPN portal in the FortiGate configuration?
- The SSL VPN portal is configured to enable secure remote access. It includes settings for tunnel mode, policy-based routing, source IP pool, web mode, and predefined bookmarks that are used for the user's remote access.
How does the firewall policy affect SSL VPN access?
- The firewall policy defines the security rules for traffic between the SSL VPN tunnel interface and the outgoing interface. It specifies the source user group, destination servers, and allowed services for the remote user.
What is the purpose of importing the Azure AD certificate into FortiGate?
- Importing the Azure AD certificate ensures a secure communication channel between FortiGate and Azure AD, facilitating the exchange of authentication data during the login process.
What is the significance of the user and group configuration in Azure AD?
- The user and group configuration in Azure AD ensures that the correct users and user groups are assigned and authorized for SSL VPN access. The group information is then mapped to FortiGate's CLI configuration to control access based on group membership.