Hi All,
Managed to get outbound firewall authentication using Entra ID as SAML IdP to work.
My issue is this. I do not want to keep installing the FortiGate CA SSL cert on each endpoint that needs internet access, as instructed in the FortiGate how-to site.
Was wondering if I could use a Let's Encrypt SSL cert for this? Anyone know the way forward, or perhaps managed to get it working like this? I already tried using a Let's Encrypt cert pointing to my public IP in FGT and configured this in my Entra ID config, but it doesn't work. At a certain point, the local computer gets redirected to the local internal IP address of the FortiGate and seems to ignore the FQDN configured in Entra ID and in the FGT SP.
Any ideas?
Much appreciated.
Hello L-L,
Could you share if the SAML configuration on the FortiGate is pointing to the FQDN? And two things to check: 1) Under SSL-VPN Settings -> Server certificate, is it using the Let's Encrypt cert? 2) Under User & Authentication -> SSO, are you also referencing the Let's Encrypt cert here as well?
Hello Anthony,
SAML configuration on the FortiGate is pointing to FQDN which resolves to the Public IP address (WAN1) on the FGT itself.
I'm using FortiOS ver 7.4.5 on a FGT 60E, so the SSL-VPN settings are not available for me.
Under User & Authentication -> SSO, I AM referencing the "Let's Encrypt" cert.
So, after some tinkering I thought to myself, if it wants to use the internal interface IP address, why not make it happy? So what I did was to enable the local DNS server on the FGT itself and create a zone with the same domain name as the one used for the 'Let's Encrypt' cert. Like this I created a split-brain DNS. Also, keep in mind the local-in policies, which don't seem to allow AuthD from an external interface.
To add to that: to make this work you need to force the FGT to effectively make use of an FQDN for the authentication portal:
config firewall auth-portal
    set portal-addr "my.fqdn.com"
end
"my.fqdn.com" being obviously the domain used for the digital cert.
I now have another problem though... :)
Everything works fine if the end user initiates a connection to an http site. If so, the user gets redirected to enter his MS credentials.
If a user enters an HTTPS web address, I get a certificate error and the MS authentication process never kicks in.
Does anyone have a clue?
Thank you!
In order to redirect from an https:// request, you need to do the same as you would do with deep SSL inspection (e.g. for web filtering).
The CA certificate used for this redirection is defined in config user setting > set auth-ca-cert.
For internal endpoints, you will handle this like you would with DPI.
For guests, no solution exists (on the assumption that distributing your private CA is not feasible). Best you can do is exclude HTTPS from redirects (simply dropping the packets = no cert error to client) and rely on clients doing plain http:// probes (which they mostly do, AFAIK).
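Putting the two fixes from this thread together (the split-brain DNS zone plus auth-portal FQDN from the earlier reply, and the auth-ca-cert for https:// redirects from the reply above) as one added FortiOS CLI outline; this is not config from any of the posters. The zone name, hostnames, addresses and certificate object names are placeholders, and the dns-database / dns-server / user setting syntax is assumed from FortiOS 7.x rather than taken from this thread.

```text
# Added example: FortiOS CLI outline of the thread's fix (placeholders, not the poster's config).
# Assumed values: portal FQDN my.fqdn.com, LAN interface "internal",
# FortiGate LAN IP 192.168.1.99, Let's Encrypt cert object "LE-my.fqdn.com",
# private CA object "Fortinet_CA_SSL". Adjust to your own objects.

# 1) Split-brain DNS: a shadow zone served only to LAN clients so my.fqdn.com
#    resolves to the internal interface, while the public record keeps pointing
#    at WAN1. The zone domain must match the domain on the Let's Encrypt cert.
config system dns-database
    edit "fqdn-split"
        set domain "fqdn.com"
        set type primary
        set view shadow
        set ttl 300
        config dns-entry
            edit 1
                set type A
                set hostname "my"
                set ip 192.168.1.99
            next
        end
    next
end

# 2) Let the LAN interface answer DNS; recursive mode is what serves shadow zones.
config system dns-server
    edit "internal"
        set mode recursive
    next
end

# 3) Force the authentication portal to present the FQDN (from the thread),
#    not the interface IP, so the Let's Encrypt cert matches the redirect URL.
config firewall auth-portal
    set portal-addr "my.fqdn.com"
end

# 4) Certificates: the public cert for the portal itself, and the CA used to
#    sign the on-the-fly certificate when the first request is https://.
#    Endpoints must trust auth-ca-cert exactly as for deep SSL inspection;
#    guests who do not will still get a certificate error on https:// first hits.
config user setting
    set auth-cert "LE-my.fqdn.com"
    set auth-ca-cert "Fortinet_CA_SSL"
    set auth-secure-http enable
end
```

After applying, check from a LAN client that the FQDN resolves to the internal address and that a plain http:// request lands on the portal with a valid certificate before testing https:// first requests.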
Copyright 2024 Fortinet, Inc. All Rights Reserved.