Technical Tip: Configure FortiProxy for multidomain agentless NTLM authentication
| Description | This article describes how to configure FortiProxy for multidomain agentless NTLM authentication |
| Scope | FortiProxy |
| Solution | Follow the numbered steps below. |

1) Configure one LDAP server object per domain on the FortiProxy. The lab example binds as each domain's Administrator account; in production use a dedicated read-only bind account with the least privilege needed to look up users and groups, and enable the LDAP object's secure (LDAPS) option where the domain controller supports it so the bind credentials do not cross the network in cleartext:
```
# config user ldap
    edit "LDAP-Kancil"
        set server <LDAP-Kancil-IP@>
        set cnid "sAMAccountName"
        set dn "dc=kancil-kvm07,dc=local"
        set username "CN=Administrator,CN=Users,DC=kancil-kvm07,DC=local"
        set password <password>
    next
    edit "LDAP-Bezza"
        set server <LDAP-Bezza-IP@>
        set cnid "sAMAccountName"
        set dn "dc=bezza-kvm53,dc=local"
        set username "CN=administrator,CN=Users,DC=bezza-kvm53,DC=local"
        set password <password>
    next
end
```

Object names must match exactly wherever they are referenced later; a trailing space in a name (for example `"LDAP-Bezza "`) creates a different object and the reference silently fails.
2) Create a domain-controller object for each domain (CLI only). This is what ties an NTLM authentication scheme to a specific DC and domain name, and links it to the LDAP object used for group lookups:
```
# config user domain-controller
    edit "bezza-ad"
        set ip-address <LDAP-Bezza-IP@>
        set domain-name "bezza-kvm53.local"
        set ldap-server "LDAP-Bezza"
    next
    edit "kancil-kvm"
        set ip-address <LDAP-Kancil-IP@>
        set domain-name "kancil-kvm07.local"
        set ldap-server "LDAP-Kancil"
    next
end
```
3) Create authentication scheme for each domain-controller as follows:
```
# config authentication scheme
    edit "Auth-Scheme-Bezza"
        set method ntlm
        set domain-controller "bezza-ad"
    next
    edit "Auth-Scheme-Kancil"
        set method ntlm
        set domain-controller "kancil-kvm"
    next
end
```
4) Create an authentication rule for each scheme. The source address selects which domain controller validates the NTLM exchange, so each client subnet must be bound to the scheme of its own domain. The `srcaddr` values are firewall address objects for the two client subnets and must already exist:
```
# config authentication rule
    edit "Auth-Rule-Bezza"
        set srcintf "port4"
        set srcaddr "Bezza-10.207.1.0/24"
        set active-auth-method "Auth-Scheme-Bezza"
    next
    edit "Auth-Rule-Kancil"
        set srcintf "port4"
        set srcaddr "Kancil-10.177.1.0/24"
        set active-auth-method "Auth-Scheme-Kancil"
    next
end
```
5) Configure DNS servers that can resolve both Active Directory domain names configured above:
```
# config system dns
    set primary x.x.x.x
    set secondary x.x.x.x
end
```
6) Create user group for both domains as follows:
```
# config user group
    edit "UserGroup-Bezza"
        set member "LDAP-Bezza"
        config match
            edit 1
                set server-name "LDAP-Bezza"
                set group-name "CN=Users,CN=Builtin,DC=bezza-kvm53,DC=local"
            next
        end
    next
    edit "UserGroup-Kancil"
        set member "LDAP-Kancil"
        config match
            edit 1
                set server-name "LDAP-Kancil"
                set group-name "CN=Users,CN=Builtin,DC=kancil-kvm07,DC=local"
            next
        end
    next
end
```
7) Create the explicit web proxy policy and reference both user groups. Only sessions whose authenticated user belongs to one of the listed groups match this policy; a user who authenticates against a DC but is in neither group does not match and falls through to any following policy or the implicit deny. On FortiProxy releases where explicit web proxy policies are configured under `config firewall proxy-policy`, the same settings apply with `set proxy explicit-web` in place of `set type explicit-web`:
```
# config firewall policy
    edit 3
        set type explicit-web
        set name "NTLM-Auth-Test"
        set explicit-web-proxy "web-proxy"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set groups "UserGroup-Bezza" "UserGroup-Kancil"
    next
end
```
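The seven stanzas above repeat the same pattern once per domain, and most mistakes in a multidomain setup are mismatched object names between them. The following script is an added example (not Fortinet's code) that renders the article's configuration from a small domain table so every name is generated once and referenced consistently, and then cross-checks the rendered CLI for references to objects that no stanza defines. The `firewall address` stanza, the `DC-<tag>` object names and the policy name `NTLM-Auth-Multidomain` are assumptions made here; the article hand-picks its names and does not show the address objects.

```python
"""Render the article's multidomain agentless-NTLM FortiProxy CLI from a domain table.

Added example, not Fortinet's code. One set of stanzas per domain:
user ldap -> user domain-controller -> authentication scheme -> authentication rule
-> user group, then a single explicit web proxy policy referencing all groups.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    tag: str        # short label used in object names, e.g. "Bezza"
    fqdn: str       # AD domain name, e.g. "bezza-kvm53.local"
    dc_ip: str      # domain controller that also answers LDAP
    subnet: str     # client subnet whose NTLM exchanges go to this DC
    bind_dn: str    # LDAP bind account (read-only is sufficient)


# Object names must not carry stray whitespace: "LDAP-Bezza " and "LDAP-Bezza"
# would be two different objects and the reference would silently dangle.
NAME_RE = re.compile(r"[A-Za-z0-9_./-]+")


def check_name(name: str) -> str:
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"bad object name {name!r}")
    return name


def dc_path(fqdn: str, upper: bool = False) -> str:
    """bezza-kvm53.local -> dc=bezza-kvm53,dc=local (DC=... for the group DN)."""
    comp = "DC" if upper else "dc"
    return ",".join(f"{comp}={label}" for label in fqdn.split("."))


def stanza(table: str, entries) -> str:
    out = [f"config {table}"]
    for name, lines in entries:
        out.append(f"    edit {name}" if isinstance(name, int) else f'    edit "{check_name(name)}"')
        out.extend(f"        {ln}" for ln in lines)
        out.append("    next")
    out.append("end")
    return "\n".join(out)


def render(domains, srcintf="port4", dstintf="port1", policy_id=3) -> str:
    ldap, addr, dcs, schemes, rules, groups = [], [], [], [], [], []
    for d in domains:
        ldap_name, dc_name = f"LDAP-{d.tag}", f"DC-{d.tag}"          # DC-<tag> is an assumed name
        scheme, rule, group = f"Auth-Scheme-{d.tag}", f"Auth-Rule-{d.tag}", f"UserGroup-{d.tag}"
        net = ipaddress.ip_network(d.subnet)                           # rejects a malformed subnet early
        addr_name = f"{d.tag}-{net.with_prefixlen}"                    # e.g. Bezza-10.207.1.0/24
        ldap.append((ldap_name, [f"set server {d.dc_ip}", 'set cnid "sAMAccountName"',
                                 f'set dn "{dc_path(d.fqdn)}"', f'set username "{d.bind_dn}"',
                                 "set password <password>"]))          # secret stays out of the file
        addr.append((addr_name, [f"set subnet {net.network_address} {net.netmask}"]))  # assumed stanza
        dcs.append((dc_name, [f"set ip-address {d.dc_ip}", f'set domain-name "{d.fqdn}"',
                              f'set ldap-server "{ldap_name}"']))
        schemes.append((scheme, ["set method ntlm", f'set domain-controller "{dc_name}"']))
        rules.append((rule, [f'set srcintf "{srcintf}"', f'set srcaddr "{addr_name}"',
                             f'set active-auth-method "{scheme}"']))
        groups.append((group, [f'set member "{ldap_name}"', "config match", "    edit 1",
                               f'        set server-name "{ldap_name}"',
                               f'        set group-name "CN=Users,CN=Builtin,{dc_path(d.fqdn, True)}"',
                               "    next", "end"]))
    group_refs = " ".join(f'"UserGroup-{d.tag}"' for d in domains)
    policy = [(policy_id, ["set type explicit-web", 'set name "NTLM-Auth-Multidomain"',
                           'set explicit-web-proxy "web-proxy"', f'set dstintf "{dstintf}"',
                           'set srcaddr "all"', 'set dstaddr "all"', "set action accept",
                           'set schedule "always"', 'set service "webproxy"', f"set groups {group_refs}"])]
    return "\n".join(stanza(t, e) for t, e in (
        ("user ldap", ldap), ("firewall address", addr), ("user domain-controller", dcs),
        ("authentication scheme", schemes), ("authentication rule", rules),
        ("user group", groups), ("firewall policy", policy)))


# Which top-level stanza each reference-type setting must point into.
REF_TABLES = {"ldap-server": "user ldap", "member": "user ldap", "server-name": "user ldap",
              "domain-controller": "user domain-controller",
              "active-auth-method": "authentication scheme", "groups": "user group"}


def dangling_references(text: str):
    """List (setting, value) pairs that name an object no top-level stanza defines."""
    defined, table = {}, None
    for raw in text.splitlines():
        if raw.startswith("config "):          # top-level only; nested "config match" is indented
            table = raw[len("config "):]
            defined.setdefault(table, set())
        elif raw.strip().startswith('edit "') and table:
            defined[table].add(raw.split('"')[1])
    missing = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) > 2 and parts[0] == "set" and parts[1] in REF_TABLES:
            for val in re.findall(r'"([^"]*)"', raw):
                if val not in defined.get(REF_TABLES[parts[1]], set()):
                    missing.append((parts[1], val))
    return missing


# Constructed from the article's two lab domains; the DC addresses are the article's placeholders.
EXAMPLE_DOMAINS = (
    Domain("Kancil", "kancil-kvm07.local", "<LDAP-Kancil-IP@>", "10.177.1.0/24",
           "CN=Administrator,CN=Users,DC=kancil-kvm07,DC=local"),
    Domain("Bezza", "bezza-kvm53.local", "<LDAP-Bezza-IP@>", "10.207.1.0/24",
           "CN=administrator,CN=Users,DC=bezza-kvm53,DC=local"),
)

if __name__ == "__main__":
    cli = render(EXAMPLE_DOMAINS)
    print(cli)
    print("dangling references:", dangling_references(cli))
```

Adding a third domain is one more `Domain(...)` entry; `dangling_references` is also useful on a hand-written configuration pasted from a running unit, where it catches exactly the kind of whitespace mismatch the article's original text contained.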
8) Verify the result. Once clients from both subnets have browsed through the proxy, each authenticated user appears with its own realm and with `auth_method : NTLM`:

```
# diag wad user list
ID: 152, IP: 10.177.1.69, VDOM: root
  user name   : devid@kancil-kvm07.local
  worker      : 0
  duration    : 501
  auth_type   : IP
  proxy_type  : Explicit Proxy
  auth_method : NTLM
ID: 153, IP: 10.207.1.46, VDOM: root
  user name   : testbezza@bezza-kvm53.local
  worker      : 0
  duration    : 168
  auth_type   : IP
  proxy_type  : Explicit Proxy
  auth_method : NTLM
```

`auth_type : IP` means the authenticated identity is cached against the client's source IP for the session's lifetime. Every host that shares that address (for example behind a NAT device or terminal server) inherits the first user's identity and group membership, so the client subnets used in the authentication rules should contain individually addressed hosts.
9) Display the traffic log to confirm which identity and group each session was matched against. The filter below selects the memory log (device 0); run `exec log display` afterwards to print the matching records:

```
# exec log filter device 0 <----- Memory log.
date=2022-06-22 time=18:23:08 logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1655947388 srcip=10.207.1.46 srcport=50257 srcintf="port4" srcintfrole="undefined" dstip=x.x.x.x dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=791968979 dstcountry="United States" srccountry="Reserved" service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" duration=11198 policyid=3 policytype="proxy-policy" user="testbezza@bezza-kvm53.local" group="UserGroup-Bezza" wanin=7619 rcvdbyte=7619 wanout=2325 lanin=2541 sentbyte=2541 lanout=7691 appcat="unscanned"
date=2022-06-22 time=18:23:08 logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1655947388 srcip=10.177.1.69 srcport=17510 srcintf="port4" srcintfrole="undefined" dstip=x.x.x.x dstport=80 dstintf="port1" dstintfrole="undefined" sessionid=791968806 dstcountry="Singapore" srccountry="Reserved" service="HTTP" wanoptapptype="web-proxy" proto=6 action="accept" duration=301908 policyid=3 policytype="proxy-policy" user="devid@kancil-kvm07.local" group="UserGroup-Kancil" wanin=1852 rcvdbyte=1852 wanout=2844 lanin=3018 sentbyte=3018 lanout=1708 appcat="unscanned"
```

In each record `user=` carries the authenticated account with its realm, `group=` the user group that matched, and `policyid=3 policytype="proxy-policy"` the policy created in step 7. The session from 10.207.1.0/24 is attributed to bezza-kvm53.local and the one from 10.177.1.0/24 to kancil-kvm07.local, which is the per-subnet domain mapping working as intended.
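Reading two log lines by eye is fine in a lab; on a busy proxy the useful check is whether the realm in `user=`, the `group=` that matched and the client subnet agree for every session, because a disagreement is the symptom of an authentication rule bound to the wrong scheme or a mis-scoped subnet. The following is an added example (not Fortinet's code) that parses the FortiProxy key=value log format and audits exactly that. The two sample records are the article's own lines from step 9 (with the article's `x.x.x.x` destination placeholder left in); the expected realm-to-group and realm-to-subnet mapping is taken from steps 4 and 6.

```python
"""Audit FortiProxy traffic logs for realm <-> group <-> subnet consistency.

Added example, not Fortinet's code. Flags sessions whose user realm, matched
user group and source subnet disagree with the configured multidomain mapping.
"""
import ipaddress
import re

# Sample records copied from the article's step 9 output (dstip left as the article's x.x.x.x).
SAMPLE_LOGS = [
    'date=2022-06-22 time=18:23:08 logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1655947388 srcip=10.207.1.46 srcport=50257 srcintf="port4" srcintfrole="undefined" dstip=x.x.x.x dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=791968979 dstcountry="United States" srccountry="Reserved" service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" duration=11198 policyid=3 policytype="proxy-policy" user="testbezza@bezza-kvm53.local" group="UserGroup-Bezza" wanin=7619 rcvdbyte=7619 wanout=2325 lanin=2541 sentbyte=2541 lanout=7691 appcat="unscanned"',
    'date=2022-06-22 time=18:23:08 logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1655947388 srcip=10.177.1.69 srcport=17510 srcintf="port4" srcintfrole="undefined" dstip=x.x.x.x dstport=80 dstintf="port1" dstintfrole="undefined" sessionid=791968806 dstcountry="Singapore" srccountry="Reserved" service="HTTP" wanoptapptype="web-proxy" proto=6 action="accept" duration=301908 policyid=3 policytype="proxy-policy" user="devid@kancil-kvm07.local" group="UserGroup-Kancil" wanin=1852 rcvdbyte=1852 wanout=2844 lanin=3018 sentbyte=3018 lanout=1708 appcat="unscanned"',
]

# Expected realm -> (user group, client subnet), mirroring the article's auth rules and groups.
REALM_MAP = {
    "bezza-kvm53.local": ("UserGroup-Bezza", ipaddress.ip_network("10.207.1.0/24")),
    "kancil-kvm07.local": ("UserGroup-Kancil", ipaddress.ip_network("10.177.1.0/24")),
}

# key=value pairs; quoted values may contain spaces (dstcountry="United States").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> dict:
    """Split one FortiProxy log record into a dict, stripping quotes from quoted values."""
    out = {}
    for key, val in KV_RE.findall(line):
        out[key] = val[1:-1] if val.startswith('"') else val
    return out


def check_entry(entry: dict, realm_map=REALM_MAP) -> list:
    """Return a list of problems for one record; empty means the mapping is consistent."""
    if entry.get("policytype") != "proxy-policy":
        return []                                   # not a proxy session, nothing to check
    user = entry.get("user", "")
    if "@" not in user:
        return ["session has no authenticated user@realm"]
    realm = user.rsplit("@", 1)[1].lower()
    if realm not in realm_map:
        return [f"unknown realm {realm!r}"]
    group, subnet = realm_map[realm]
    problems = []
    if entry.get("group") != group:
        problems.append(f"realm {realm} matched group {entry.get('group')!r}, expected {group!r}")
    src = entry.get("srcip")
    if src and ipaddress.ip_address(src) not in subnet:
        problems.append(f"srcip {src} is outside {subnet}, the subnet bound to the {realm} auth rule")
    return problems


def audit(lines, realm_map=REALM_MAP) -> dict:
    """Map sessionid -> problems for every record that has any."""
    findings = {}
    for line in lines:
        entry = parse_log(line)
        problems = check_entry(entry, realm_map)
        if problems:
            findings[entry.get("sessionid", "?")] = problems
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_LOGS)
    print("clean" if not result else result)
```

Feed it the output of `exec log display` or a syslog export; a session whose realm and subnet disagree is the one to chase, since it means a client authenticated against a domain controller other than the one its authentication rule was meant to select.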

