FXE_FTNT
New Contributor II

FGT SSL VPN with Microsoft Authenticator

Hi Guys,

Is it possible to directly integrate the on-premise FortiGate with SSL VPN use case to my Microsoft Authenticator to be my 2FA mechanism? Or should I use a RADIUS server like FortiAuthenticator, where the FortiAuthenticator will be the integration point of my FGT, AD, and Microsoft Authenticator? Thank you.

Thanks

ozkanaltas
Contributor III

Hello @FXE_FTNT,

If you use Azure AD, you can use Microsoft Authenticator with SAML integration directly. But if you want to use RADIUS, you need to integrate FortiGate into NPS.

You can review these documents.

https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/517582/co...

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE4-5-6-7 OT Sec - ENT FW
FXE_FTNT
New Contributor II

Hi @ozkanaltas, but will this work if my FortiGate is the hardware type?

ozkanaltas

Hi @FXE_FTNT,

Yes, of course.

The difference in FortiGate deployment types does not change anything, because they all run the same operating system.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE4-5-6-7 OT Sec - ENT FW
FXE_FTNT
New Contributor II

Hi @ozkanaltas, I see, so basically, I just need access to Azure from my hardware-based FortiGate, correct?

ozkanaltas

Hi @FXE_FTNT,

If you want to use SAML for authentication, yes, that's right. FortiGate access to Azure is enough.

But if you want to use RADIUS for authentication, you need to install one Windows server and activate the NPS feature on this server. After that, you can configure the NPS server and your FortiGate.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGate-and-Microsoft-NPS-Ra...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE4-5-6-7 OT Sec - ENT FW
FXE_FTNT
New Contributor II

Hi @ozkanaltas, just to clarify, if I use only the SAML method, I can also use the Microsoft MFA as the 2FA mechanism for my VPN users?

Also, I have been watching some tutorials and I saw that they are installing the "FortiGate SSL VPN" application in their Azure. May I know what the purpose of it is? Thank you

ozkanaltas

Hi @FXE_FTNT,

Yes, you can use Microsoft MFA, because SAML works differently from other auth methods. This method uses browser authentication for your auth request, like a login to your Outlook web app. If you have already configured 2FA for your users, you do not need to do anything on your Azure AD. You just need to integrate your FortiGate and Azure environment. If you prefer this way, you can follow the document below.

https://learn.microsoft.com/tr-tr/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial

Actually, I don't understand how they installed the FortiClient SSL VPN app on their Azure. If you share this content with us, I can give comments about this.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE4-5-6-7 OT Sec - ENT FW
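The SAML integration described in the reply above, written out as FortiOS CLI. This is an added example, not posted by anyone in the thread: the hostname `vpn.example.com`, port `10443`, the object names `azure` and `sslvpn-saml-users`, and every angle-bracket value are placeholders to be replaced with the values from your own FortiGate and from the enterprise application in Azure AD. The attribute names `username` and `group` are assumed to match the claims configured on that application.

```fortios
# Constructed example: all names, URLs and certificate labels are placeholders.

# 1) FortiGate as SAML service provider, Azure AD as identity provider.
#    The three SP URLs must match the Identifier, Reply URL and Logout URL
#    entered on the Azure side, character for character.
config user saml
    edit "azure"
        set cert "<FortiGate-server-certificate>"
        set entity-id "https://vpn.example.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://vpn.example.com:10443/remote/saml/login"
        set single-logout-url "https://vpn.example.com:10443/remote/saml/logout"
        set idp-entity-id "<Azure AD Identifier>"
        set idp-single-sign-on-url "<Azure Login URL>"
        set idp-single-logout-url "<Azure Logout URL>"
        # Signing certificate downloaded from Azure and imported on the
        # FortiGate; without it the assertion signature cannot be verified.
        set idp-cert "<imported-Azure-signing-certificate>"
        set user-name "username"
        set group-name "group"
    next
end

# 2) Only members of one Azure AD security group may log in to the VPN.
#    group-name here is the group's object ID as sent in the "group" claim.
config user group
    edit "sslvpn-saml-users"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "<Azure-group-object-id>"
            next
        end
    next
end

# 3) Give users time to complete the Microsoft Authenticator prompt
#    before the FortiGate gives up on the remote authentication.
config system global
    set remoteauthtimeout 60
end
```

The second factor itself is enforced on the Azure side during the browser login; the FortiGate only consumes the signed assertion. The group `sslvpn-saml-users` still has to be referenced in the SSL VPN authentication rule and the firewall policy before it grants any access.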
FXE_FTNT
New Contributor II

Hi @ozkanaltas, thank you so much for your help.

About the FortiGate SSL VPN app in Azure, I saw it in this tutorial and I am not sure what the purpose of it is. https://www.youtube.com/watch?v=nDH2wvveLrI

ozkanaltas

Hi @FXE_FTNT,

I understand now the meaning of the FortiGate application. Actually, this is not like an application deployment. This is just deploying pre-configured settings on Azure SAML.

Also, the FortiClient VPN application in the video is a VPN client for clients. If you want to connect to the VPN with your client, you have two options: web or FortiClient. You can use both options to connect to the VPN.

I think this video is a good guide for SAML integration. You can follow it.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE4-5-6-7 OT Sec - ENT FW