Hello Community,
I am an absolute newbie to FortiGate. My network configuration is as follows:
The domain controller is located at the NAS1 192.168.17.201, the domain is local.XXXX.it.
My DNS settings are as follows:
However, when I ping my domain controller with "execute ping local.XXXX.it" I get a response from the IP of the host of my website www.XXXX.it (courtesy page). What is wrong here?
In fact, I cannot register to the LDAP Server:
Anyone can help?
Thanks in advance.
Can anyone help me?
I'm guessing you are following one of the SSO LDAP cookbooks?
Cookbook | FortiGate / FortiOS 6.2.7 | Fortinet Documentation Library
One thing I noticed - your user name for your LDAP authentication is in the NT/LANMan format of Domain\Username
This (for LDAP auth) should be in a distinguished name format.
This might help:
I have tried with cn=administrator, DC=local, DC=XXXX, DC=it and it still does not work.
Can anyone help?
You will need to set up source IPs for those functions so the FortiGate knows what IP to send from.
In the case of LDAP:
config user ldap
edit 'your ldap name'
set source-ip 'your internal IP'
end
This is because the FortiGate uses the interface it exits as its source IP. The problem with this is that IPsec tunnels by default have an IP of 0.0.0.0/0.0.0.0, which means it is not returnable from the other side for FortiGate-generated traffic. So, you need to identify what IP the traffic should be generated with.
For example, you likely cannot exec ping to the other side of the tunnel using even IP addresses, let alone DNS. You would need to first run 'exec ping-options source internalipoffortigate'.
There are many places in the FortiGate config where you need to do this, basically anything FortiGate-generated going over non-routable interfaces.
Edit - I may have totally misread this scenario. I saw VPN in your drawing and assumed there were IPsec tunnels in play. Are you saying it can't contact the LDAP server even on the same network? The easy fix is to change your FortiGate's DNS servers to the internal DNS server instead of 1.1.1.1. You don't gain much benefit from split/recursive DNS when everything is at the same site. Also, there's not much point in using the DNS name for the LDAP server connection; just use the IP and it takes DNS out of the equation.
Thanks a lot for the kind answer. However, I have to admit that I have understood only a small fraction of your explanation. As I said, I am a complete beginner with FortiGate.
But let's clear your PS.
brycemd wrote:
Edit - I may have totally misread this scenario. I saw VPN in your drawing and assumed there were IPsec tunnels in play. Are you saying it can't contact the LDAP server even on the same network? The easy fix is to change your FortiGate's DNS servers to the internal DNS server instead of 1.1.1.1. You don't gain much benefit from split/recursive DNS when everything is at the same site. Also, there's not much point in using the DNS name for the LDAP server connection; just use the IP and it takes DNS out of the equation.
I am connected to the firewall through an IPsec tunnel. I set up the firewall via VPN. My first goal is to make the firewall join the AD. The domain controller local.XXXX.it is set up on my QNAP NAS, 192.168.17.201. The next step is to join the domain via the VPN tunnel.
Thanks in advance for your clarifications and possible solutions to my problem.
I think a lot of what I said doesn't even apply to your scenario, apologies for that.
The scenario is a FortiGate on the same subnet as a NAS acting as AD. I hope I am correct this time.
I would simply change the DHCP scope to give out the NAS IP as DNS instead of using the FortiGate as DNS, unless there's a reason the NAS can't act as your full DNS server. And change the LDAP server to use the IP, 192.168.17.201, rather than the local.xxx.it DNS name.
As far as I can tell, doing those two things and getting rid of the recursive DNS setup will solve your issue.
That being said... The LDAP setting does not 'join the FortiGate' to the domain. It allows you, for example, to use domain accounts to connect to a VPN.
So here I am again. VPN is working. DNS is OK. I have also set up the LDAP server on the FortiGate and imported a domain user into the vpnusers group on the FortiGate. So the vpnusers group now has a local user and a domain user.
The problem is that I can set up a VPN connection (with FortiClient) with the local user credentials but not with the domain user credentials.
Can you help me with troubleshooting?
Anyone can help?
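Pulling the replies together, here is an added FortiOS CLI example (not posted by anyone in this thread) that shows the weak LDAP definition the thread starts from beside the corrected one, plus the on-box checks a troubleshooter would run for the domain-user VPN login failure. The object name ldap_nas1, the FortiGate internal IP 192.168.17.1, the cn=users container for the bind account, and all passwords are assumptions or placeholders.

```fortios
# Added example; names in quotes are placeholders, not values from the thread.
# Weak form (where the thread starts): DNS name that resolves to the public web host,
# plus an NT-style Domain\User bind account, which LDAP does not accept.
config user ldap
    edit "ldap_nas1"
        set server "local.XXXX.it"
        set username "LOCAL\\administrator"
    next
end

# Corrected form following the replies: server by IP, bind account as a DN,
# and an explicit source IP so replies to FortiGate-generated traffic are routable.
config user ldap
    edit "ldap_nas1"
        set server "192.168.17.201"
        set cnid "sAMAccountName"
        set dn "dc=local,dc=XXXX,dc=it"
        set type regular
        set username "cn=administrator,cn=users,dc=local,dc=XXXX,dc=it"   # cn=users is assumed
        set password "BIND-PASSWORD-PLACEHOLDER"
        set source-ip 192.168.17.1    # assumed internal interface IP of the FortiGate
    next
end

# Let domain users authenticate through the existing VPN group.
config user group
    edit "vpnusers"
        set member "ldap_nas1"
    next
end

# Reachability check with an explicit source IP, as the reply about ping-options describes.
execute ping-options source 192.168.17.1
execute ping 192.168.17.201

# Test the LDAP bind and a user lookup from the FortiGate itself, before involving FortiClient.
diagnose test authserver ldap ldap_nas1 testuser 'USER-PASSWORD-PLACEHOLDER'

# Watch the authentication daemon while the domain-user VPN login is attempted,
# then switch debugging off again.
diagnose debug application fnbamd -1
diagnose debug enable
diagnose debug disable
diagnose debug reset
```

If the authserver test succeeds but the FortiClient login still fails, the fnbamd output shows whether the user was found and which group match failed.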
Copyright 2024 Fortinet, Inc. All Rights Reserved.