FortiProxy
Adryan_you (Staff)
Description: This article describes how to configure FortiProxy for multidomain agentless NTLM authentication.
Scope: FortiProxy.
Solution:

1) Configure one LDAP server entry per domain on the FortiProxy as follows (the server names must match exactly wherever they are referenced later, so avoid trailing spaces in the names):

# config user ldap
    edit "LDAP-Kancil"
        set server <LDAP-Kancil-IP@>
        set cnid "sAMAccountName"
        set dn "dc=kancil-kvm07,dc=local"
        set username "CN=Administrator,CN=Users,DC=kancil-kvm07,DC=local"
        set password <password>
    next
    edit "LDAP-Bezza"
        set server <LDAP-Bezza-IP@>
        set cnid "sAMAccountName"
        set dn "dc=bezza-kvm53,dc=local"
        set username "CN=administrator,CN=Users,DC=bezza-kvm53,DC=local"
        set password <password>
    next
end

 

2) Create a domain-controller entry for each domain (via CLI only) as follows, referencing the matching LDAP server:

# config user domain-controller
    edit "bezza-ad"
        set ip-address <LDAP-Bezza-IP@>
        set domain-name "bezza-kvm53.local"
        set ldap-server "LDAP-Bezza"
    next
    edit "kancil-kvm"
        set ip-address <LDAP-Kancil-IP@>
        set domain-name "kancil-kvm07.local"
        set ldap-server "LDAP-Kancil"
    next
end

 

3) Create an NTLM authentication scheme for each domain controller as follows:

# config authentication scheme
    edit "Auth-Scheme-Bezza"
        set method ntlm
        set domain-controller "bezza-ad"
    next
    edit "Auth-Scheme-Kancil"
        set method ntlm
        set domain-controller "kancil-kvm"
    next
end

 

4) Create an authentication rule for each scheme as follows. The srcaddr objects are the client subnets of each domain, so a client is sent to the scheme (and therefore the domain controller) of the subnet it connects from:

# config authentication rule
    edit "Auth-Rule-Bezza"
        set srcintf "port4"
        set srcaddr "Bezza-10.207.1.0/24"
        set active-auth-method "Auth-Scheme-Bezza"
    next
    edit "Auth-Rule-Kancil"
        set srcintf "port4"
        set srcaddr "Kancil-10.177.1.0/24"
        set active-auth-method "Auth-Scheme-Kancil"
    next
end

 

5) Configure the DNS servers as follows:

# config system dns
    set primary x.x.x.x
    set secondary x.x.x.x
end

 

6) Create a user group for each domain as follows:

# config user group
    edit "UserGroup-Bezza"
        set member "LDAP-Bezza"
        config match
            edit 1
                set server-name "LDAP-Bezza"
                set group-name "CN=Users,CN=Builtin,DC=bezza-kvm53,DC=local"
            next
        end
    next
    edit "UserGroup-Kancil"
        set member "LDAP-Kancil"
        config match
            edit 1
                set server-name "LDAP-Kancil"
                set group-name "CN=Users,CN=Builtin,DC=kancil-kvm07,DC=local"
            next
        end
    next
end

 

7) Create the proxy policy as follows, allowing both user groups (group names must match the names created in step 6 exactly):

# config firewall policy
    edit 3
        set type explicit-web
        set name "NTLM-Auth-Test"
        set explicit-web-proxy "web-proxy"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set groups "UserGroup-Bezza" "UserGroup-Kancil"
    next
end

 

8) The following is an example of how to verify the result of the configuration. Each authenticated client appears with its user name in UPN form, showing which domain it was authenticated against:

# diag wad user list

ID: 152, IP: 10.177.1.69, VDOM: root
  user name   : devid@kancil-kvm07.local
  worker      : 0
  duration    : 501
  auth_type   : IP
  proxy_type  : Explicit Proxy
  auth_method : NTLM

ID: 153, IP: 10.207.1.46, VDOM: root
  user name   : testbezza@bezza-kvm53.local
  worker      : 0
  duration    : 168
  auth_type   : IP
  proxy_type  : Explicit Proxy
  auth_method : NTLM

 

9) Execute the following commands to display the traffic log. The user and group fields of each entry confirm that the session was matched to the user group of the correct domain:

# exec log filter device 0        <----- Memory log.
# exec log filter category 0      <----- Forward traffic log.
# exec log display

date=2022-06-22 time=18:23:08 logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1655947388 srcip=10.207.1.46 srcport=50257 srcintf="port4" srcintfrole="undefined" dstip=x.x.x.x dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=791968979 dstcountry="United States" srccountry="Reserved" service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" duration=11198 policyid=3 policytype="proxy-policy" user="testbezza@bezza-kvm53.local" group="UserGroup-Bezza" wanin=7619 rcvdbyte=7619 wanout=2325 lanin=2541 sentbyte=2541 lanout=7691 appcat="unscanned"

date=2022-06-22 time=18:23:08 logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1655947388 srcip=10.177.1.69 srcport=17510 srcintf="port4" srcintfrole="undefined" dstip=x.x.x.x dstport=80 dstintf="port1" dstintfrole="undefined" sessionid=791968806 dstcountry="Singapore" srccountry="Reserved" service="HTTP" wanoptapptype="web-proxy" proto=6 action="accept" duration=301908 policyid=3 policytype="proxy-policy" user="devid@kancil-kvm07.local" group="UserGroup-Kancil" wanin=1852 rcvdbyte=1852 wanout=2844 lanin=3018 sentbyte=3018 lanout=1708 appcat="unscanned"
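The two verification steps above (the WAD user list and the forward traffic log) can be cross-checked automatically, which is useful once more than a handful of sessions are in play. The following script is an added example written for this article, not FortiProxy code: it parses the key=value traffic log format and the `diag wad user list` output, then checks, per session, that the user's UPN realm belongs to the group the policy matched, that the client IP falls in the subnet the corresponding authentication rule expects, and that an NTLM WAD entry exists for that IP with the same user name. The group-to-realm-and-subnet table is transcribed from the configuration in steps 2, 4 and 6; the sample log lines are constructed from the article's output (with one deliberately inconsistent record added to show a finding).

```python
import ipaddress
import re

# Constructed sample data. The first two traffic lines and both user-list entries
# follow the article's output (destination IPs kept as the x.x.x.x placeholder);
# the third traffic line is an inconsistent record invented for this example.
TRAFFIC_LOGS = [
    'date=2022-06-22 time=18:23:08 logid="0000000010" type="traffic" subtype="forward" '
    'srcip=10.207.1.46 srcport=50257 srcintf="port4" dstip=x.x.x.x dstport=443 '
    'sessionid=791968979 service="HTTPS" action="accept" policyid=3 '
    'policytype="proxy-policy" user="testbezza@bezza-kvm53.local" group="UserGroup-Bezza"',
    'date=2022-06-22 time=18:23:08 logid="0000000010" type="traffic" subtype="forward" '
    'srcip=10.177.1.69 srcport=17510 srcintf="port4" dstip=x.x.x.x dstport=80 '
    'sessionid=791968806 service="HTTP" action="accept" policyid=3 '
    'policytype="proxy-policy" user="devid@kancil-kvm07.local" group="UserGroup-Kancil"',
    'date=2022-06-22 time=18:25:00 logid="0000000010" type="traffic" subtype="forward" '
    'srcip=10.177.1.200 srcport=40000 srcintf="port4" dstip=x.x.x.x dstport=443 '
    'sessionid=791969000 service="HTTPS" action="accept" policyid=3 '
    'policytype="proxy-policy" user="alice@bezza-kvm53.local" group="UserGroup-Kancil"',
]

WAD_USER_LIST = """\
ID: 152, IP: 10.177.1.69, VDOM: root
  user name   : devid@kancil-kvm07.local
  worker      : 0
  duration    : 501
  auth_type   : IP
  proxy_type  : Explicit Proxy
  auth_method : NTLM

ID: 153, IP: 10.207.1.46, VDOM: root
  user name   : testbezza@bezza-kvm53.local
  worker      : 0
  duration    : 168
  auth_type   : IP
  proxy_type  : Explicit Proxy
  auth_method : NTLM
"""

# Expected group -> (UPN realm, client subnet), transcribed from the article's
# domain-controller, authentication-rule and user-group configuration.
DOMAIN_POLICY = {
    "UserGroup-Bezza": {"realm": "bezza-kvm53.local", "subnet": "10.207.1.0/24"},
    "UserGroup-Kancil": {"realm": "kancil-kvm07.local", "subnet": "10.177.1.0/24"},
}

# key=value tokens; quoted values may contain spaces, bare ones may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv_log(line):
    """Parse one FortiProxy key=value log line into a dict (quotes stripped)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def parse_wad_user_list(text):
    """Parse 'diag wad user list' output into {client_ip: {field: value}}."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ID:"):
            header = {}
            for part in line.split(","):          # "ID: 152, IP: ..., VDOM: root"
                key, _, value = part.partition(":")
                header[key.strip()] = value.strip()
            current = users.setdefault(header["IP"], header)
        elif current is not None and ":" in line:  # "  user name   : devid@..."
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return users


def audit_session(entry, wad_users):
    """Return a list of findings for one traffic log entry (empty == consistent)."""
    findings = []
    user, group, srcip = entry.get("user", ""), entry.get("group", ""), entry.get("srcip", "")
    policy = DOMAIN_POLICY.get(group)
    if policy is None:
        return [f"group {group!r} is not one of the configured NTLM user groups"]
    realm = user.rpartition("@")[2].lower()
    if realm != policy["realm"]:
        findings.append(f"user realm {realm!r} does not belong to {group} ({policy['realm']})")
    try:
        if ipaddress.ip_address(srcip) not in ipaddress.ip_network(policy["subnet"]):
            findings.append(f"srcip {srcip} is outside {policy['subnet']} expected for {group}")
    except ValueError:
        findings.append(f"srcip {srcip!r} is not a valid address")
    wad = wad_users.get(srcip)
    if wad is None:
        findings.append(f"no active WAD user entry for {srcip}")
    elif wad.get("user name") != user or wad.get("auth_method") != "NTLM":
        findings.append(f"WAD entry for {srcip} is {wad.get('user name')!r}/"
                        f"{wad.get('auth_method')}, traffic log says {user!r}/NTLM")
    return findings


def audit(traffic_lines, wad_text):
    """Map each sessionid to its findings; an empty list means the session is consistent."""
    wad_users = parse_wad_user_list(wad_text)
    return {e["sessionid"]: audit_session(e, wad_users) for e in map(parse_kv_log, traffic_lines)}


if __name__ == "__main__":
    for session, findings in audit(TRAFFIC_LOGS, WAD_USER_LIST).items():
        print(session, "OK" if not findings else "; ".join(findings))
```

The two article sessions come back clean; the constructed third session is flagged twice (its realm does not match the group's domain, and no WAD entry exists for its source IP). On a live unit the same checks can be fed from `exec log display` output and `diag wad user list` captured over SSH, which gives a quick way to notice a client that authenticated against the wrong domain controller after a subnet or rule change.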

 
