Fortinet VPN - LDAP Proxy integration
This guide explains how to configure a Fortinet VPN to use TrustBuilder Universal Proxy (LDAP) so that VPN connections require multi-factor authentication (MFA). The proxy can be installed on a Linux or a Windows server and allows granular user access control through the LDAP Proxy. Validation tests (doPush) to verify that the integration works are included at the end.
Prerequisites
64-bit VM provisioned to support the LDAP Proxy
Configured Fortinet VPN
An LDAP server (e.g., Active Directory) for user authentication
User groups defined in the LDAP server for MFA access control
Java 8 64-bit or OpenJDK 8 64-bit
TLS certificates for LDAPS, for the proxy listener and, where the directory requires it, for the proxy-to-directory connection. Without LDAPS the VPN users' passwords are forwarded in cleartext between the FortiGate, the proxy and the directory, so plain LDAP should be limited to lab setups.
1. Creating a connector in TrustBuilder MFA Admin console
Log in to TrustBuilder MFA Admin console.
Navigate to the Secure Sites tab.
In the right-hand column, under "API Access Certificates," click Download a new API certificate.
Fill in the certificate details:
Description: LDAP Proxy
Certificate Rights:
Authentication: Yes
Provisioning: No
Passphrase: Your certificate passphrase (it will be used in the LDAP Proxy configuration)
Format: PKCS12 (.p12)
2. Installing TrustBuilder Universal Proxy (LDAP)
On Linux
Download the Linux version: proxy-ldap-packaging-X.Y.Z-linux64.tar.gz
Extract the archive.
Create the config/config.properties file from the config_to_be_completed.properties template.
Complete the config/config.properties file (see configuration details below).
Start the Proxy:
For the version using the system's JRE: bin/run.sh
For the version with the bundled JRE: bin/run_standalone.sh
Ports 389 and 636 are privileged on Linux: run the proxy under a dedicated unprivileged account and grant it CAP_NET_BIND_SERVICE (or redirect the port) rather than starting it as root, since the process holds the API certificate passphrase and sees every VPN user's password.
More details in TrustBuilder LDAP Proxy documentation.
On Windows
Download the Windows version: proxy-ldap-packaging-X.Y.Z-win64.zip
Extract the archive.
Create the config/config.properties file from the config_to_be_completed.properties template.
Complete the config/config.properties file (see configuration details below).
Start the Proxy:
For the version using the system's JRE: bin/run.bat
For the version with the bundled JRE: bin/run_standalone.bat
More details in TrustBuilder LDAP Proxy documentation.
LDAP Proxy Configuration File
Here are the key elements of the config.properties file:
##################################
# LDAP PROXY CONFIGURATION SECTION
##################################
# Listening IP addresses used by the LDAP proxy
# List of IP/hostnames separated by ";"
ldap.proxy.addresses=127.0.0.1; LDAP_Proxy_Server_IP
# Listening port for the LDAP proxy
ldap.proxy.port=389
###### OR ######
# Listening port for the LDAP proxy to handle LDAPS requests
ldap.proxy.ssl.port=636
# Address/hostname of the LDAP server
ldap.host=HOSTNAME or LDAP_AD_Server_IP
# LDAP server port
ldap.port=389
###### OR ######
# LDAPS server port
ldap.ssl.port=636
###### IF LDAPS #######
# Full path to the p12 certificate used by the LDAP Proxy (Client <-> LDAP Proxy)
ldap.proxy.ssl.certificate.path=C:\Program Files\LDAP-Proxy\cert\xxxxxxxx.pfx
# Secret passphrase for the LDAP certificate
ldap.proxy.ssl.certificate.passphrase=xxxxxxxxxxxxxxxxxx
######################################
# INWEBO SERVICE CONFIGURATION SECTION
######################################
# InWebo service ID
inwebo.service.id=XXXXX
# Full path to the p12 certificate associated with the InWebo service
inwebo.service.certificate.path=C:\Program Files\LDAP-Proxy\cert\xxxxxx.p12
# Secret passphrase for the InWebo certificate
inwebo.service.certificate.passphrase=xxxxxxxxxxxxxxxxxx
# LDAP attribute for the user login (compared with the InWebo login; must be the same attribute as the Common Name Identifier configured on the FortiGate)
ldap.proxy.login.attribute=sAMAccountName or mail
# Condition to authenticate users with InWebo
ldap.proxy.do.step.up.by.type=all
# Whitelist of users to bypass InWebo authentication (useful for service accounts). A whitelisted DN gets no MFA at all, so limit it to the FortiGate bind account, with read-only directory rights and a strong, unique password
ldap.proxy.whitelist.dn=CN=ServiceRead_LDAP,OU=Service Accounts,DC=CONTOSO,DC=LOCAL
3. Configuring Fortinet VPN
Configuring Fortinet to use TrustBuilder LDAP Proxy
Access the Fortinet administration interface and configure the LDAP integration using TrustBuilder LDAP Proxy. Specify the IP address of the server where the LDAP Proxy is installed (Linux or Windows).
In User & Authentication > LDAP Servers, add a new LDAP server and fill in the details as follows:
Name: Define a name for your LDAP server.
Server IP/Name: Enter the LDAP Proxy server IP address (not the directory's address; the FortiGate must never talk to AD directly for this server object, or MFA is bypassed).
Server Port: 389 for the plain listener (ldap.proxy.port), or 636 with Secure Connection (LDAPS) enabled on the FortiGate when the proxy listens on ldap.proxy.ssl.port.
Common Name Identifier: the attribute users log in with (e.g., UID, sAMAccountName). It must be the same attribute as ldap.proxy.login.attribute in the proxy configuration.
Distinguished Name: Specify the AD group for MFA (e.g., CN=Grp_UsersMFA,DC=CONTOSO,DC=LOCAL).
Bind Type: Regular.
Username: Bind DN of the service account used for AD searches. It must match the value set in ldap.proxy.whitelist.dn exactly; otherwise the proxy treats this bind like any user bind and applies MFA to it, and user lookups fail.
Password: Enter the password associated with that account.
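Several of the settings above (the LDAPS choice in the proxy configuration file, the login attribute, and the bind DN on the FortiGate that must equal ldap.proxy.whitelist.dn) are easy to get subtly wrong. The following preflight script is an added example written for this page; it is not part of the TrustBuilder proxy or of FortiOS. It reads a config.properties, reports the points a reviewer would flag (plain LDAP on either hop, a misspelled login attribute, a Windows certificate path whose single backslashes a Java properties reader drops, a whitelist DN that only matches the FortiGate bind DN after case or whitespace normalization) and runs on two constructed configurations: the page's plain-LDAP layout with three common mistakes, and a hardened LDAPS version. The unescaping rule assumes the proxy loads the file with java.util.Properties, which the page does not state; hostnames, IPs, passphrases and DNs are placeholders.

```python
"""Preflight checks for a TrustBuilder LDAP Proxy config.properties against the
FortiGate LDAP-server settings. Added example for this page, not product code.
Assumption: the proxy reads the file with java.util.Properties, whose value
escaping is reproduced in java_unescape(). All sample values are placeholders."""
import re

# The DN typed into the FortiGate "Username" field (placeholder).
FORTIGATE_BIND_DN = "CN=ServiceRead_LDAP,OU=Service Accounts,DC=CONTOSO,DC=LOCAL"

# Constructed sample: the page's plain-LDAP layout plus three common mistakes.
WEAK = r"""
# single backslashes: a java.util.Properties reader silently drops them
inwebo.service.certificate.path=C:\Program Files\LDAP-Proxy\cert\service.p12
ldap.proxy.addresses=127.0.0.1; 10.0.0.5
ldap.proxy.port=389
ldap.host=dc01.contoso.local
ldap.port=389
inwebo.service.id=12345
inwebo.service.certificate.passphrase=changeit
ldap.proxy.login.attribute=sAMAcountName
ldap.proxy.do.step.up.by.type=all
ldap.proxy.whitelist.dn=cn=ServiceRead_LDAP, ou=Service Accounts, dc=CONTOSO, dc=LOCAL
"""

# Constructed sample: LDAPS on both hops, escaped or forward-slash paths, exact DN.
HARDENED = r"""
ldap.proxy.addresses=127.0.0.1; 10.0.0.5
ldap.proxy.ssl.port=636
ldap.host=dc01.contoso.local
ldap.ssl.port=636
ldap.proxy.ssl.certificate.path=C:/Program Files/LDAP-Proxy/cert/proxy.pfx
ldap.proxy.ssl.certificate.passphrase=changeit
inwebo.service.id=12345
inwebo.service.certificate.path=C:\\Program Files\\LDAP-Proxy\\cert\\service.p12
inwebo.service.certificate.passphrase=changeit
ldap.proxy.login.attribute=sAMAccountName
ldap.proxy.do.step.up.by.type=all
ldap.proxy.whitelist.dn=CN=ServiceRead_LDAP,OU=Service Accounts,DC=CONTOSO,DC=LOCAL
"""

_SIMPLE = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def java_unescape(value: str) -> str:
    """Properties.load escapes: \\t \\n \\r \\f \\\\ and \\uXXXX are decoded; a
    backslash before any other character is dropped (per the Javadoc)."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c != "\\":
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(value):
            break
        e = value[i]
        if e == "u" and re.fullmatch(r"[0-9A-Fa-f]{4}", value[i + 1:i + 5]):
            out.append(chr(int(value[i + 1:i + 5], 16)))
            i += 5
        else:
            out.append(_SIMPLE.get(e, e))
            i += 1
    return "".join(out)


def load_properties(text: str) -> dict:
    """Minimal .properties reader: comments plus key=value / key:value / key value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = java_unescape(m.group(2))
    return props


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces after commas, to detect a DN that differs from
    the FortiGate bind DN only cosmetically (the proxy's own rule is undocumented)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def check_config(props: dict, fortigate_bind_dn: str) -> list:
    """Return one finding per weak or inconsistent setting (empty list = clean)."""
    findings = []
    if "ldap.proxy.ssl.port" not in props:
        findings.append("FortiGate -> proxy hop is plain LDAP (ldap.proxy.port): VPN user "
                        "passwords cross the network in cleartext; set ldap.proxy.ssl.port "
                        "and the proxy certificate.")
    if "ldap.ssl.port" not in props:
        findings.append("proxy -> directory hop is plain LDAP (ldap.port); set ldap.ssl.port.")
    attr = props.get("ldap.proxy.login.attribute", "")
    if attr not in ("sAMAccountName", "mail", "userPrincipalName", "uid"):
        findings.append(f"login attribute '{attr}' is not a usual directory attribute "
                        "(typo?); it must equal the FortiGate Common Name Identifier.")
    for key in ("ldap.proxy.ssl.certificate.path", "inwebo.service.certificate.path"):
        path = props.get(key, "")
        if re.match(r"^[A-Za-z]:(?![\\/])", path):   # drive letter with no separator left
            findings.append(f"{key} loads as '{path}': single backslashes were dropped; "
                            "double them or use forward slashes.")
    wl = props.get("ldap.proxy.whitelist.dn", "")
    if not wl:
        findings.append("no ldap.proxy.whitelist.dn: the FortiGate bind account itself "
                        "would be put through MFA on every user search.")
    elif wl != fortigate_bind_dn:
        if normalize_dn(wl) == normalize_dn(fortigate_bind_dn):
            findings.append("whitelist DN equals the FortiGate bind DN only after case/"
                            "whitespace normalization; make them byte-identical.")
        else:
            findings.append("FortiGate bind DN is not whitelisted; its bind will be "
                            "challenged for MFA like any user.")
    return findings


if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        found = check_config(load_properties(text), FORTIGATE_BIND_DN)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against your own file with load_properties(open(path).read()) and the DN from the FortiGate; a clean configuration returns no findings for the hardened sample and five for the weak one. The path check is the one worth remembering: a value like C:\Program Files\LDAP-Proxy\cert\x.p12 written with single backslashes is loaded as C:Program FilesLDAP-Proxycertx.p12 by java.util.Properties, and the resulting "certificate not found" error is easy to misread as a permissions problem.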
Configuring VPN Groups
Navigate to User & Authentication > User Groups.
Create a user group for VPN connections and link it to the TrustBuilder LDAP server to enforce MFA.
Adjusting Fortinet Authentication Timeout
By default the FortiGate waits only a few seconds (5) for an answer from a remote authentication server, which is not enough for a user to approve a push. Raise the timeout with the following commands in the Fortinet CLI:
config system global
show full-configuration | grep remoteauth
set remoteauthtimeout 60
end
The show line only displays the current value; set remoteauthtimeout 60 changes it (in seconds, up to 300), and the end is essential for the configuration to be applied.
Validation Tests (doPush)
Once the configuration is complete, test the LDAP Proxy for MFA with Fortinet VPN:
Push Test via Command Line: Navigate to the /bin directory of the LDAP Proxy and run:
run_standalone -doPush <login_inWebo>
Replace <login_inWebo> with the user's TrustBuilder login. A push arriving on the user's device confirms that the proxy can reach the TrustBuilder service with the API certificate created in step 1.
VPN Connection Test with MFA: Connect to the Fortinet VPN as a user from the MFA-enforced group. The user should receive a push notification in the TrustBuilder Authenticator app and must validate it to complete authentication.
Negative Test: Repeat the connection and decline the push (or let it expire). The VPN connection must be refused; if it succeeds anyway, the VPN user group is not actually authenticating through the proxy.
Log Validation: Change the log level in logging.properties to .level=INFO, then check the LDAP Proxy logs to ensure MFA requests are being processed correctly.
Whitelist User Test: Attempt to log in with a user on the whitelist. This user should bypass MFA and be able to connect without additional authentication.
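To exercise the proxy directly, without a VPN client in the loop, the following probe is an added example (not part of this page or of the TrustBuilder product). It sends one LDAPv3 simple bind, hand-encoded in BER as in RFC 4511, and decodes the BindResponse: bound as the whitelisted service account the answer should come back at once with resultCode 0 and no push; bound as an MFA-enforced user the push must appear on the phone before the proxy answers, and declining it must give 49 (invalidCredentials). It uses only the standard library and plain LDAP on port 389 (the listener configured above); the host, DNs and passwords are placeholders supplied on the command line.

```python
"""LDAPv3 simple-bind probe for the LDAP Proxy: BindRequest/BindResponse encoded
by hand in BER (RFC 4511). Added example for this page, not TrustBuilder code.
Plain LDAP only; host, bind DN and password are placeholders from the caller."""
import getpass
import socket
import sys

RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name,
    simple [0] password } }; msg_id is kept below 128 so it fits one INTEGER octet."""
    bind = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def frame_length(buf: bytes):
    """Total length of the outer LDAPMessage, or None while its header is incomplete."""
    if len(buf) < 2:
        return None
    if buf[1] < 0x80:
        return 2 + buf[1]
    n = buf[1] & 0x7F
    if len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def parse_bind_response(buf: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got tag 0x{tag:02x}")
    _, code, pos = read_tlv(op)           # ENUMERATED resultCode
    _, _matched, pos = read_tlv(op, pos)  # matchedDN (unused here)
    _, diag, _ = read_tlv(op, pos)        # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def simple_bind(host: str, port: int, dn: str, password: str, timeout: float = 120.0):
    """One bind, waiting up to `timeout` seconds: an MFA user has to approve the
    push before the proxy answers, so this must exceed the push validity window."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, dn, password))
        buf = b""
        while frame_length(buf) is None or len(buf) < frame_length(buf):
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before a BindResponse arrived")
            buf += chunk
    return parse_bind_response(buf)


if __name__ == "__main__":
    # usage: python ldap_bind_probe.py <proxy_host> <bind_dn> [port]
    host, dn = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 389
    mid, code, diag = simple_bind(host, port, dn, getpass.getpass(f"password for {dn}: "))
    print(f"msgid={mid} resultCode={code} ({RESULT_CODES.get(code, 'other')}) {diag!r}")
```

Run it first with the service account DN from the FortiGate "Username" field: a push on anyone's phone at that point means the DN and ldap.proxy.whitelist.dn do not match. Then run it with an MFA-enforced user's DN and approve, decline, and ignore the push in three runs; only the first should return 0. Binding by full DN mirrors what the FortiGate does after its search, which is why the Common Name Identifier and ldap.proxy.login.attribute have to agree for the proxy to find the matching TrustBuilder login.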