ArielZusya
New Member
June 23, 2015
Question

LDAP through VPN

  • June 23, 2015
  • 2 replies
  • 10982 views

I'm new to the Fortinet world and with it to the VPN world. I just installed a FortiGate 200D in our main office to replace an old Dell SonicWall TZ200. Rather than step lightly into the 21st century of firewalls, I jumped in with both feet and simultaneously implemented a FortiGate 60D in a remote office with an IPsec tunnel connecting the two. From the remote office I can browse the servers in the main office and I can pull DNS from the DNS server in the main office, but when I try to set up the LDAP connection on the 60D (the way I did on the 200D) I can't get it to sync up with the LDAP server at the main office (which happens to be the same server as the DNS server mentioned above). Should I be able to do this? If so, any thoughts on where I might have gone wrong and how to correct it? Thanks!

2 replies

eliesaliby
New Member
July 3, 2015

We are having the same issue where our FortiGate 100D unit is not able to reach the LDAP server on the other end of the VPN tunnel. Clients from inside the LAN behind the FortiGate are able to reach the LDAP server but the FortiGate itself is not!!

HELP!!

eliesaliby
New Member
July 23, 2015

Hello,

It worked for me when I added a source-ip to the LDAP server configuration (through the CLI).

jmcnutt
New Member
July 23, 2015

Hi eliesaliby. Thanks for the tip. I'll check the FSSO setting in the CLI to see if there is a similar setting. I didn't even think to look in the CLI.

James

jmcnutt
New Member
July 10, 2015

Hi ArielZusya and eliesaliby.

I had this same issue. Here is what I suspect:

Even though nothing is connected to the management port, traffic from the FortiGate (at least the 100D) originates from the IP address of the management port. In the FortiGate terminal window I could do this:

execute ping [IP ADDRESS of LDAP Server across VPN] - ping would time out

execute ping [LOCAL WORKSTATION IP ADDRESS] - ping works

I changed the management IP address to something not used anywhere else in my network:

192.168.123.1 255.255.255.252

Added address objects on both sides of the VPN and added them to the site-to-site VPN group.

On the far-end FortiGate, added a static route for 192.168.123.1/255.255.255.252, destination [Name of site-to-site VPN].

Now a ping from the FortiGate 100D to the remote server works and LDAP connections to remote servers work.

Perhaps there is a way to change the default management port to the LAN on the 100D, but I was unable to find it.

I hope this helps.

James
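Both fixes discussed in this thread, eliesaliby's source-ip setting and jmcnutt's management-port route, written out as FortiOS CLI. This is an added example, not configuration posted by either participant. The underlying behaviour is that traffic the FortiGate originates itself (LDAP binds, FSSO polling, its own pings) takes its source address from the interface the route lookup selects, and an IPsec tunnel interface normally has no address of its own, so the unit borrows one from another interface; on these models that turns out to be the management port, whose address is covered by neither the far end's phase 2 selectors nor its routing table. The interface names, IP addresses, object and tunnel names, and the bind DN below are all assumed for illustration; the bind password is a placeholder.

```text
# --- Option A (eliesaliby): pin the FortiGate's own source address ---
# Branch FortiGate (60D/100D). 10.20.0.1 is assumed to be its LAN address,
# which already falls inside the tunnel's phase 2 selectors, so nothing
# changes at the main office.
config user ldap
    edit "HQ-DC01"
        set server "10.10.0.5"              # assumed LDAP/DNS server at HQ
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=fgt-bind,ou=service,dc=example,dc=local"
        set password "<bind-password>"      # placeholder
        set source-ip 10.20.0.1             # the fix: bind from the LAN address
    next
end

# Verify from the CLI: first prove the chosen source reaches the server
# through the tunnel, then test the LDAP bind itself.
execute ping-options source 10.20.0.1
execute ping 10.10.0.5
diagnose test authserver ldap HQ-DC01 testuser testpassword

# --- Option B (jmcnutt): keep the default source (mgmt port) and make
#     both ends carry and route it. ---
# Branch: give the mgmt port a /30 that exists nowhere else.
config system interface
    edit "mgmt"
        set ip 192.168.123.1 255.255.255.252
    next
end
# Branch: add that subnet to the address group the phase 2 selector
# references (assumed group name), so ESP will accept the traffic.
config firewall address
    edit "BRANCH-MGMT"
        set subnet 192.168.123.0 255.255.255.252
    next
end
config firewall addrgrp
    edit "Branch-VPN-Nets"
        append member "BRANCH-MGMT"
    next
end
# Main office: mirror the object and group, then route the subnet into
# the tunnel so replies to the branch mgmt address come back over IPsec.
config firewall address
    edit "BRANCH-MGMT"
        set subnet 192.168.123.0 255.255.255.252
    next
end
config firewall addrgrp
    edit "Branch-VPN-Nets"
        append member "BRANCH-MGMT"
    next
end
config router static
    edit 0
        set dst 192.168.123.0 255.255.255.252
        set device "SiteToSite"             # assumed name of the IPsec interface
    next
end
```

Option A is the smaller change and is usually the better one: the management port keeps its out-of-band role, the main office needs no new route, and the source address is one the far end already expects. Whichever option is used, the far end must have both a phase 2 selector and a route that cover the address the FortiGate sources from; the `execute ping-options source` test above is the quickest way to see which source works before touching the LDAP object. For the FSSO equivalent jmcnutt was looking for, enter `config user fsso`, `edit <agent-name>` and type `set ?` on the unit itself to see whether that FortiOS build exposes a source-ip option there, rather than assuming it.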