Created on 06-23-2022 02:42 AM Edited on 06-23-2022 02:46 AM By Anonymous
Description: This article describes how to configure FortiProxy for multidomain agentless NTLM authentication.
Scope: FortiProxy.
Solution:
1) Configure LDAP on the FortiProxy as follows:
# config user ldap
    edit "LDAP-Kancil"
        set server <LDAP-Kancil-IP@>
        set cnid "sAMAccountName"
        set dn "dc=kancil-kvm07,dc=local"
        set username "CN=Administrator,CN=Users,DC=kancil-kvm07,DC=local"
        set password <password>
    next
    edit "LDAP-Bezza"
        set server <LDAP-Bezza-IP@>
        set cnid "sAMAccountName"
        set dn "dc=bezza-kvm53,dc=local"
        set username "CN=administrator,CN=Users,DC=bezza-kvm53,DC=local"
        set password <password>
    next
end
2) Create domain controller setting (via CLI only) as follows:
# config user domain-controller
    edit "bezza-ad"
        set ip-address <LDAP-Bezza-IP@>
        set domain-name "bezza-kvm53.local"
        set ldap-server "LDAP-Bezza"
    next
    edit "kancil-kvm"
        set ip-address <LDAP-Kancil-IP@>
        set domain-name "kancil-kvm07.local"
        set ldap-server "LDAP-Kancil"
    next
end
3) Create authentication scheme for each domain-controller as follows:
# config authentication scheme
    edit "Auth-Scheme-Bezza"
        set method ntlm
        set domain-controller "bezza-ad"
    next
    edit "Auth-Scheme-Kancil"
        set method ntlm
        set domain-controller "kancil-kvm"
    next
end
4) Create an authentication rule for each scheme, matching the source subnet of the corresponding domain, as follows:
# config authentication rule
    edit "Auth-Rule-Bezza"
        set srcintf "port4"
        set srcaddr "Bezza-10.207.1.0/24"
        set active-auth-method "Auth-Scheme-Bezza"
    next
    edit "Auth-Rule-Kancil"
        set srcintf "port4"
        set srcaddr "Kancil-10.177.1.0/24"
        set active-auth-method "Auth-Scheme-Kancil"
    next
end
5) Configure DNS server as follows:
# config system dns
    set primary x.x.x.x
    set secondary x.x.x.x
end
6) Create user group for both domains as follows:
# config user group
    edit "UserGroup-Bezza"
        set member "LDAP-Bezza"
        config match
            edit 1
                set server-name "LDAP-Bezza"
                set group-name "CN=Users,CN=Builtin,DC=bezza-kvm53,DC=local"
            next
        end
    next
    edit "UserGroup-Kancil"
        set member "LDAP-Kancil"
        config match
            edit 1
                set server-name "LDAP-Kancil"
                set group-name "CN=Users,CN=Builtin,DC=kancil-kvm07,DC=local"
            next
        end
    next
end
7) Create the proxy policy, referencing both user groups, as follows:
# config firewall policy
    edit 3
        set type explicit-web
        set name "NTLM-Auth-Test"
        set explicit-web-proxy "web-proxy"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set groups "UserGroup-Bezza" "UserGroup-Kancil"
    next
end
8) Verify the result of the configuration with the following command; each user should appear authenticated via NTLM with the user name qualified by its own domain:
# diag wad user list
ID: 152, IP: 10.177.1.69, VDOM: root
  user name   : devid@kancil-kvm07.local
  worker      : 0
  duration    : 501
  auth_type   : IP
  proxy_type  : Explicit Proxy
  auth_method : NTLM
ID: 153, IP: 10.207.1.46, VDOM: root
  user name   : testbezza@bezza-kvm53.local
  worker      : 0
  duration    : 168
  auth_type   : IP
  proxy_type  : Explicit Proxy
  auth_method : NTLM
9) Execute the following command to display the traffic log; the user and group fields show which domain each session was authenticated against:
# exec log filter device 0 <----- Memory log.
date=2022-06-22 time=18:23:08 logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1655947388 srcip=10.207.1.46 srcport=50257 srcintf="port4" srcintfrole="undefined" dstip=x.x.x.x dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=791968979 dstcountry="United States" srccountry="Reserved" service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" duration=11198 policyid=3 policytype="proxy-policy" user="testbezza@bezza-kvm53.local" group="UserGroup-Bezza" wanin=7619 rcvdbyte=7619 wanout=2325 lanin=2541 sentbyte=2541 lanout=7691 appcat="unscanned"
date=2022-06-22 time=18:23:08 logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1655947388 srcip=10.177.1.69 srcport=17510 srcintf="port4" srcintfrole="undefined" dstip=x.x.x.x dstport=80 dstintf="port1" dstintfrole="undefined" sessionid=791968806 dstcountry="Singapore" srccountry="Reserved" service="HTTP" wanoptapptype="web-proxy" proto=6 action="accept" duration=301908 policyid=3 policytype="proxy-policy" user="devid@kancil-kvm07.local" group="UserGroup-Kancil" wanin=1852 rcvdbyte=1852 wanout=2844 lanin=3018 sentbyte=3018 lanout=1708 appcat="unscanned"
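The traffic log records above are the evidence that each client was matched to the right domain: the user field carries the domain suffix, the group field carries the user group from step 6, and the source IP should fall within the subnet of the authentication rule from step 4. The following Python script is an added example (not Fortinet code or part of this article) that parses FortiProxy key=value log records and flags sessions where the group or source subnet does not correspond to the user's domain. The DOMAIN_MAP table is assumed from the configuration steps above, and the third sample record is constructed to show a mismatch; the first two are the records shown in step 9.

```python
import ipaddress
import re

# Expected per-domain mapping, assumed from the configuration steps above:
# the auth-rule source subnet (step 4) and the user group (step 6) for each
# AD domain (step 2). Constructed for this example, not read from the device.
DOMAIN_MAP = {
    "bezza-kvm53.local": {
        "subnet": ipaddress.ip_network("10.207.1.0/24"),
        "group": "UserGroup-Bezza",
    },
    "kancil-kvm07.local": {
        "subnet": ipaddress.ip_network("10.177.1.0/24"),
        "group": "UserGroup-Kancil",
    },
}

# key=value tokens; a value is either double-quoted (may contain spaces) or bare
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Parse one FortiProxy traffic log record into a dict of field -> value."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def check_record(rec):
    """Return a list of findings for one parsed record. An empty list means
    the user was authenticated into the group, and seen from the subnet,
    that belong to the user's own domain."""
    findings = []
    if rec.get("policytype") != "proxy-policy":
        return findings  # only proxy-policy records carry the auth result
    user = rec.get("user", "")
    if "@" not in user:
        return ["user has no domain suffix: %r" % user]
    realm = user.split("@", 1)[1].lower()
    expected = DOMAIN_MAP.get(realm)
    if expected is None:
        return ["unknown domain %s for user %s" % (realm, user)]
    if rec.get("group") != expected["group"]:
        findings.append("user %s matched group %s, expected %s"
                        % (user, rec.get("group"), expected["group"]))
    src = ipaddress.ip_address(rec["srcip"])
    if src not in expected["subnet"]:
        findings.append("user %s seen from %s, outside %s"
                        % (user, src, expected["subnet"]))
    return findings


def audit(lines):
    """Return {sessionid: findings} for every record that fails the check."""
    result = {}
    for line in lines:
        rec = parse_log_line(line)
        if not rec:
            continue
        findings = check_record(rec)
        if findings:
            result[rec.get("sessionid", "?")] = findings
    return result


# The first two records are the ones shown in step 9; the third is constructed
# to show a Bezza user landing in the Kancil group from the Kancil subnet.
SAMPLE_LINES = [
    'date=2022-06-22 time=18:23:08 logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1655947388 srcip=10.207.1.46 srcport=50257 srcintf="port4" srcintfrole="undefined" dstip=x.x.x.x dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=791968979 dstcountry="United States" srccountry="Reserved" service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" duration=11198 policyid=3 policytype="proxy-policy" user="testbezza@bezza-kvm53.local" group="UserGroup-Bezza" wanin=7619 rcvdbyte=7619 wanout=2325 lanin=2541 sentbyte=2541 lanout=7691 appcat="unscanned"',
    'date=2022-06-22 time=18:23:08 logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1655947388 srcip=10.177.1.69 srcport=17510 srcintf="port4" srcintfrole="undefined" dstip=x.x.x.x dstport=80 dstintf="port1" dstintfrole="undefined" sessionid=791968806 dstcountry="Singapore" srccountry="Reserved" service="HTTP" wanoptapptype="web-proxy" proto=6 action="accept" duration=301908 policyid=3 policytype="proxy-policy" user="devid@kancil-kvm07.local" group="UserGroup-Kancil" wanin=1852 rcvdbyte=1852 wanout=2844 lanin=3018 sentbyte=3018 lanout=1708 appcat="unscanned"',
    'date=2022-06-22 time=18:30:00 logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.177.1.200 srcport=40001 srcintf="port4" dstip=x.x.x.x dstport=443 dstintf="port1" sessionid=791969001 service="HTTPS" proto=6 action="accept" policyid=3 policytype="proxy-policy" user="testbezza@bezza-kvm53.local" group="UserGroup-Kancil" appcat="unscanned"',
]

if __name__ == "__main__":
    for sid, findings in audit(SAMPLE_LINES).items():
        for f in findings:
            print("session %s: %s" % (sid, f))
```

Run against a memory-log export, the script prints nothing when every session is consistent with the multidomain mapping; a user whose group or source subnet belongs to the other domain is reported per session, which is the quickest way to catch a wrong srcaddr in step 4 or a wrong member in step 6.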