Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
moby
Contributor

Explicit Proxy and NTLM

Hi All,

I have a scenario where I need to use the explicit proxy and NTLM authentication. We are replacing another web proxy solution that is currently doing this. The authentication needs to be transparent, and the current one is, so the browsers are already configured to provide authentication responses.

We are currently using FortiOS 5.4.

I have read some posts which seem to suggest that we require FortiGate/LDAP and FSSO, but I am confused as to why we would need an FSSO collector in this setup.

Would the explicit proxy not just challenge the user's browser and then, based on the username returned, perform an LDAP query to get the user/group membership details and then check the proxy policies?

Is an FSSO collector required in this setup, and if so, why?

Thanks, Moby.
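The exchange the question describes (proxy challenges the browser, browser returns a username) is worth seeing at the byte level, because it shows what the proxy can and cannot do on its own. The block below is an added example; it is not code from this post, from FortiOS or from any Fortinet product. It builds the NTLMSSP AUTHENTICATE_MESSAGE (type 3) a browser sends back to a "Proxy-Authenticate: NTLM" challenge, parses the claimed user and domain out of it the way a proxy would, and then recomputes the NTLMv2 proof the way a domain controller does. Only whoever holds the user's NT hash can do that last step, which is why the proxy has to hand the response to a DC rather than trust the name in the message. The user names, challenges, time stamp, target info and the account table (including the "Administrator" hash) are constructed test data; the message layout and proof computation follow MS-NLMP.

```python
"""NTLMv2 on an explicit proxy: the proxy reads the user name, the DC verifies it.

Added example, not code from the forum post, FortiOS or any Fortinet product.
Every name, challenge, time stamp and hash here is constructed test data.
"""
import hashlib
import hmac
import struct

NTLMSSP = b"NTLMSSP\x00"
TYPE3_HEADER_LEN = 88  # signature, type, 6 field descriptors, flags, Version, MIC

# Constructed stand-in for the DC's account database: user -> NT hash.
# 8846f7... is the well-known NT hash (MD4 of the UTF-16LE text) of "password".
DC_NT_HASHES = {
    "moby": bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c"),
    "administrator": bytes.fromhex("00112233445566778899aabbccddeeff"),  # constructed
}


def _utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


def _response_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    # MS-NLMP NTOWFv2: HMAC-MD5(NT hash, UPPER(user) || domain). The user name is
    # bound into the key, so a proof cannot be replayed under another account name.
    return hmac.new(nt_hash, _utf16(user.upper() + domain), hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge,
                    timestamp, target_info):
    """Client side (MS-NLMP 3.3.2): NtChallengeResponse = NTProofStr || temp."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(_response_key(nt_hash, user, domain),
                     server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2(user, domain, server_challenge, nt_response):
    """DC side: look up the claimed user's NT hash and recompute NTProofStr."""
    nt_hash = DC_NT_HASHES.get(user.lower())
    if nt_hash is None or len(nt_response) < 16:
        return False
    proof, temp = nt_response[:16], nt_response[16:]
    expected = hmac.new(_response_key(nt_hash, user, domain),
                        server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def build_authenticate_message(domain, user, workstation, nt_response):
    """NTLMSSP type 3: header of length/maxlen/offset descriptors, then payload."""
    fields = [b"", nt_response, _utf16(domain), _utf16(user), _utf16(workstation), b""]
    descriptors, payload = b"", b""
    for field in fields:
        descriptors += struct.pack("<HHI", len(field), len(field), TYPE3_HEADER_LEN + len(payload))
        payload += field
    flags = 0x00000201  # NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
    header = NTLMSSP + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags) + bytes(8) + bytes(16)
    return header + payload


def parse_authenticate_message(msg):
    """Proxy side: pull the claimed identity out of a type 3 message.

    Offsets come from the wire, so every descriptor is bounds-checked before use.
    """
    if len(msg) < TYPE3_HEADER_LEN or msg[:8] != NTLMSSP or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    names = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
    out = {}
    for i, name in enumerate(names):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg):
            raise ValueError(f"{name} descriptor points outside the message")
        blob = msg[offset:offset + length]
        out[name] = blob.decode("utf-16-le") if name in ("domain", "user", "workstation") else blob
    return out


def demo():
    """Returns (user the proxy sees, DC verdict, DC verdict after a name swap)."""
    server_challenge = bytes.fromhex("0123456789abcdef")   # from the proxy's type 2 message
    client_challenge = bytes.fromhex("fedcba9876543210")   # chosen by the browser
    target_info = struct.pack("<HH", 2, 14) + _utf16("EXAMPLE") + struct.pack("<HH", 0, 0)
    nt_resp = ntlmv2_response(DC_NT_HASHES["moby"], "moby", "EXAMPLE", server_challenge,
                              client_challenge, 0x01D2A0B0C0D0E0F0, target_info)

    genuine = parse_authenticate_message(build_authenticate_message("EXAMPLE", "moby", "PC1", nt_resp))
    ok = verify_ntlmv2(genuine["user"], genuine["domain"], server_challenge, genuine["nt_response"])

    # Same proof, user name field rewritten: a proxy that trusted the name alone
    # would authorise "Administrator"; the DC rejects it.
    swapped = parse_authenticate_message(build_authenticate_message("EXAMPLE", "Administrator", "PC1", nt_resp))
    forged_ok = verify_ntlmv2(swapped["user"], swapped["domain"], server_challenge, swapped["nt_response"])
    return genuine["user"], ok, forged_ok


if __name__ == "__main__":
    print(demo())
```

The proxy's part is parse_authenticate_message: it yields "moby" and "EXAMPLE", which is enough to run the LDAP group lookup the question describes, but nothing in that message lets the proxy tell a genuine response from one with the name field rewritten. verify_ntlmv2 is the step that needs the NT hash, and in a real deployment that hash lives only on the domain controller, so the FortiGate must relay the response to a DC (which is what the domain-controller entry in the configuration is for); an FSSO collector is a separate, passive way of learning logons and is not what performs this check.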

16 replies
James_G
Contributor III

Can you select 'all' for testing?
moby

Hi James,

I will try that tomorrow. I also think it may be some settings on the DC that need to be changed. I tried some debug like diag debug app authd -1 and diag debug app fnbamd -1, but it didn't show anything useful.

Does anyone know if we can test the NTLM between the FortiGate and the DC with a test command?

Like you can with diag test authserver ldap.

Thanks, Moby.

moby

Hi All,

Many thanks for all of your feedback. It is now working. I have a couple more questions that someone may be able to help with:

What is the authentication timeout time and method, and can it be changed?

I want to add a second domain controller to the config. Do you just add a second one, and if so, which one will the FortiGate use as primary?

Thanks, Moby.

James_G
Contributor III

I was thinking of trying a loopback to a load-balanced virtual server, with a ping health check to the real servers (the domain controllers). I use loopback vservers elsewhere on the FortiGate; they need to have NAT enabled, but they work. I.e. if your internal FGT interface is x.x.x.1 and the DCs are x.x.x.10 and x.x.x.11, create a vserver on the FGT with external IP x.x.x.12 and real servers .10 and .11, then a policy with internal as both source and destination; as long as you source NAT on the policy to .12 it seems to work. Hope my ramble makes sense. Do that for the LDAP address also??
moby

Hi James,

Thanks for the feedback. I do get what you are saying, but it seems a bit of a complicated way of doing it. With LDAP I can just add a secondary server into the LDAP config as below:

    config user ldap
        edit LDAP_Server
            set server 1.1.1.1
            set secondary-server 1.1.1.2
        next
    end

So I am wondering if there is any similar method for "config user domain-controller", or if you can add two domain controllers, then which would be used, and would the second be used if the first does not respond?

Thanks, Moby.

 

 

emnoc
Esteemed Contributor III

Moby, thanks for the details.

Ken

PCNSE
NSE
StrongSwan
kaleun
New Contributor

Hello Moby,

we also have problems setting up the explicit proxy with NTLM and get the error message "access denied the page you requested has been blocked by a firewall policy restriction". Can you describe how you fixed the problem in your case?

Thanks, Kaleun.
