

Using the FSSO polling mode (agentless)

You can use Fortinet single sign-on (FSSO) in polling mode to allow users to log in to the network once with their Windows Active Directory (AD) credentials and seamlessly access all appropriate network resources.

Step 1: Configure the FSSO Active Directory server for polling mode

config user fsso-polling

edit <id>

set server <LDAP_server_IPv4_address>

set user <user_name>

set password <password>

set ldap-server <LDAP_server_name>

config adgrp

edit "<LDAP_group_name>"

next

end

next

end

For example:

config user fsso-polling

edit 2

set server "10.1.1.204"

set user "fpxqa"

set password ENC UZ51IPmkCavcJ2o3nUiRhcLLMLCYB/pm0tujC8XE+hDpVNyI7jWQqeae55GMzsiPWTwQUMP8AHIXg1BakXXUf0y1UM+YcCRzW7BzAK4xq5B4IWA6L19jxeAWoVSk6L3y+dyF+uHTpNJlPbIR7IKVn18Eq3xySljlE71ySZNQZnxyR+AK4l+LknobHdoT8YoXDWITpA==

set ldap-server "fpxlab3"

config adgrp

edit "CN=Domain Users,CN=Users,DC=FPXLAB3,DC=local"

next

end

next

end

Step 2: Create the FSSO user group

config user group

edit <user_group_name>

set group-type fsso-service

set member "<list_of_user_group_members>"

next

end

For example:

config user group

edit "fsso_winsrv3"

set group-type fsso-service

set member "CN=Domain Users,CN=Users,DC=FPXLAB3,DC=local"

next

end

Step 3: Create an authentication scheme

config authentication scheme

edit <authentication_scheme_name>

set method fsso

next

end

For example:

config authentication scheme

edit "fsso"

set method fsso

next

end

Step 4: Create an authentication rule

config authentication rule

edit <authentication_rule_name>

set srcintf <list_of_incoming_interfaces>

set srcaddr <IPv4_addresses | all | none>

set dstaddr <IPv4_addresses | all | none>

set sso-auth-method <authentication_scheme_name>

next

end

For example (note that this example also sets `srcaddr6 "all"`, which extends the rule to all IPv6 source addresses and is not shown in the template above):

config authentication rule

edit "fsso"

set srcintf "any"

set srcaddr "all"

set dstaddr "all"

set srcaddr6 "all"

set sso-auth-method "fsso"

next

end

Step 5: Create a firewall policy

config firewall policy

edit <policy_identifier>

set type explicit-web

set explicit-web-proxy "web-proxy"

set dstintf <list_of_incoming_interfaces>

set srcaddr <IPv4_addresses | all | none>

set dstaddr <IPv4_addresses | all | none>

set action accept

set schedule "always"

set service "webproxy"

set groups <user_group_name>

set utm-status enable

next

end

For example (note that this example also enables `webcache`, which is not shown in the template above):

config firewall policy

edit 1

set type explicit-web

set explicit-web-proxy "web-proxy"

set dstintf "any"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "webproxy"

set webcache enable

set groups "fsso_winsrv3"

set utm-status enable

next

end

Step 6: Verify that the user was authenticated by listing the users currently known to the proxy

diagnose wad user list

Using the FSSO polling mode (agentless)

You can use Fortinet single sign-on (FSSO) in polling mode to allow users to log in to the network once with their Windows Active Directory (AD) credentials and seamlessly access all appropriate network resources.

Step 1: Configure the FSSO Active Directory server for polling mode

config user fsso-polling

edit <id>

set server <LDAP_server_IPv4_address>

set user <user_name>

set password <password>

set ldap-server <LDAP_server_name>

config adgrp

edit "<LDAP_group_name>"

next

end

next

end

For example:

config user fsso-polling

edit 2

set server "10.1.1.204"

set user "fpxqa"

set password ENC UZ51IPmkCavcJ2o3nUiRhcLLMLCYB/pm0tujC8XE+hDpVNyI7jWQqeae55GMzsiPWTwQUMP8AHIXg1BakXXUf0y1UM+YcCRzW7BzAK4xq5B4IWA6L19jxeAWoVSk6L3y+dyF+uHTpNJlPbIR7IKVn18Eq3xySljlE71ySZNQZnxyR+AK4l+LknobHdoT8YoXDWITpA==

set ldap-server "fpxlab3"

config adgrp

edit "CN=Domain Users,CN=Users,DC=FPXLAB3,DC=local"

next

end

next

end

Step 2: Create the FSSO user group

config user group

edit <user_group_name>

set group-type fsso-service

set member "<list_of_user_group_members>"

next

end

For example:

config user group

edit "fsso_winsrv3"

set group-type fsso-service

set member "CN=Domain Users,CN=Users,DC=FPXLAB3,DC=local"

next

end

Step 3: Create an authentication scheme

config authentication scheme

edit <authentication_scheme_name>

set method fsso

next

end

For example:

config authentication scheme

edit "fsso"

set method fsso

next

end

Step 4: Create an authentication rule

config authentication rule

edit <authentication_rule_name>

set srcintf <list_of_incoming_interfaces>

set srcaddr <IPv4_addresses | all | none>

set dstaddr <IPv4_addresses | all | none>

set sso-auth-method <authentication_scheme_name>

next

end

For example (note that this example also sets `srcaddr6 "all"`, which extends the rule to all IPv6 source addresses and is not shown in the template above):

config authentication rule

edit "fsso"

set srcintf "any"

set srcaddr "all"

set dstaddr "all"

set srcaddr6 "all"

set sso-auth-method "fsso"

next

end

Step 5: Create a firewall policy

config firewall policy

edit <policy_identifier>

set type explicit-web

set explicit-web-proxy "web-proxy"

set dstintf <list_of_incoming_interfaces>

set srcaddr <IPv4_addresses | all | none>

set dstaddr <IPv4_addresses | all | none>

set action accept

set schedule "always"

set service "webproxy"

set groups <user_group_name>

set utm-status enable

next

end

For example (note that this example also enables `webcache`, which is not shown in the template above):

config firewall policy

edit 1

set type explicit-web

set explicit-web-proxy "web-proxy"

set dstintf "any"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "webproxy"

set webcache enable

set groups "fsso_winsrv3"

set utm-status enable

next

end

Step 6: Verify that the user was authenticated by listing the users currently known to the proxy

diagnose wad user list