This article describes the integration of FortiGate, FortiAuthenticator, and FortiClient. For more information on how to integrate FortiClient Endpoint Management Server (FortiClient EMS) with FortiGate, refer to the additional KB article and return here to follow the provided steps.
FortiGate and FortiClient Endpoint Management Server integration for version 7.6.6:
- Create an Active Directory connection. Go to FortiAuthenticator -> Authentication -> Remote Auth. Servers -> LDAP.

If the RADIUS server is enabled, activate Windows Active Directory Domain Authentication, as shown in the picture.
- Import users from the Active Directory server. Go to FortiAuthenticator -> User Management -> Remote Users. Import the users.

- Create User Groups. Go to FortiAuthenticator -> User Management -> User Groups. Create a new User Group. Add a name, choose List of Users, and add all users participating in the group. In this case, the ztna user is the only one.

- Add the RADIUS attributes with the following values:
Vendor: Fortinet.
Attribute ID: Fortinet-Group-Name.
Value Type: Static.
Value: VPNZTNA.
The value VPNZTNA must match the name of the group being edited.
- Check the number of members in the group.

- Go to FortiAuthenticator -> User Management -> Remote Users. Choose a user. In this case, the ztna user was selected.

FortiAuthenticator provides two free tokens. Associate a mobile token with the user. Install the FortiToken Mobile application from Google Play and scan the activation code with the app.

- Go to FortiAuthenticator -> Certificate Management -> End Entities -> Local Services. Import the external certificate for the FortiAuthenticator FQDN.

- Go to FortiGate -> System -> Certificates. Import the FortiAuthenticator certificate as a Remote Certificate.

- Go to FortiGate -> User & Authentication -> Single Sign-On. Configure a name and select the external name representing the ZTNA address.

Add the attribute used to identify users: username.
Add the attribute used to identify groups: groups.
- Create a SAML IdP. Go to FortiAuthenticator -> Authentication -> SAML IdP -> General. Configure:
Use the external domain name so that the IdP is reachable from the Internet. Use a certificate that matches the external name.

- Create a Realm. Go to FortiAuthenticator -> User Management -> Realms.

- Create a Service Provider. Go to FortiAuthenticator -> Authentication -> SAML IdP -> Service Provider. Add the assertion attributes username and groups, matching the attribute names configured on the FortiGate SAML SSO server.

- Create a User Source. Go to FortiAuthenticator -> Authentication -> SAML IdP -> User Sources. Create a new source and choose the group that is granted access.

- Create an Authentication Scheme in FortiGate. Go to FortiGate -> Policy & Objects -> Authentication. Create a new Authentication Scheme. Choose the SAML method and the SAML server created in Step 10.

- Create an Authentication Rule. Go to FortiGate -> Policy & Objects -> Authentication -> Authentication Rule. Add an authentication rule. If other authentication rules exist, place this rule first.

- Create a User Group in FortiGate. Go to FortiGate -> User & Authentication -> User Groups.

Add the remote server ZTNA-FAC-SAML. Specify the group VPNZTNA.

- Create a ZTNA server in FortiGate. Go to FortiGate -> Policy & Objects -> ZTNA. Create a new server. Add the external IP address reference and the communication port. Select SAML and choose the SAML SSO server created in Step 10.

- Create a new ZTNA policy to allow access to the ZTNA server. Select the external incoming interface. Choose the groups and the ZTNA server. FortiClient EMS tags or security profiles can be added for additional controls.
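The FortiGate side of the steps above (SAML SSO server, authentication scheme and rule, user group, ZTNA server and ZTNA policy) can also be entered from the FortiOS CLI. The configuration below is an added example and is not part of the original article or a Fortinet-supplied configuration: the interface name port1, the external IP 203.0.113.10, the RDP-Server address object, the SAML URLs, the object names ZTNA-SAML-Scheme, ZTNA-SAML-Rule, ZTNA-Group and ZTNA-Server, and the certificate names are placeholders to be replaced with the values shown on the FortiGate SAML SSO page and used in the environment. Only ZTNA-FAC-SAML and VPNZTNA come from the article.

```text
# Added example (placeholders, not the article's configuration).
# SAML SSO server: the attribute names must match the FortiAuthenticator
# assertion attributes (username, groups). The entity-id and URLs are the
# ones displayed on the FortiGate Single Sign-On page for this server.
config user saml
    edit "ZTNA-FAC-SAML"
        set cert "ZTNA-External-Cert"
        set entity-id "https://ztna.example.com/saml/metadata/"
        set single-sign-on-url "https://ztna.example.com/saml/login/"
        set single-logout-url "https://ztna.example.com/saml/logout/"
        set idp-entity-id "https://fac.example.com/saml-idp/PLACEHOLDER/metadata/"
        set idp-single-sign-on-url "https://fac.example.com/saml-idp/PLACEHOLDER/login/"
        set idp-single-logout-url "https://fac.example.com/saml-idp/PLACEHOLDER/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "groups"
    next
end
# Authentication scheme using that SAML server.
config authentication scheme
    edit "ZTNA-SAML-Scheme"
        set method saml
        set saml-server "ZTNA-FAC-SAML"
    next
end
# Authentication rule; move it above any existing rules with
#   move "ZTNA-SAML-Rule" before "<existing-rule>"
config authentication rule
    edit "ZTNA-SAML-Rule"
        set status enable
        set protocol http
        set srcaddr "all"
        set active-auth-method "ZTNA-SAML-Scheme"
    next
end
# User group: membership is granted when the "groups" attribute
# carries the value VPNZTNA sent by FortiAuthenticator.
config user group
    edit "ZTNA-Group"
        set member "ZTNA-FAC-SAML"
        config match
            edit 1
                set server-name "ZTNA-FAC-SAML"
                set group-name "VPNZTNA"
            next
        end
    next
end
# ZTNA server: external IP/port plus a TCP-forwarding destination.
config firewall vip
    edit "ZTNA-Server"
        set type access-proxy
        set extip 203.0.113.10
        set extintf "any"
        set server-type https
        set extport 443
        set ssl-certificate "ZTNA-External-Cert"
    next
end
config firewall address
    edit "RDP-Server"
        set subnet 192.168.10.20 255.255.255.255
    next
end
config firewall access-proxy
    edit "ZTNA-Server"
        set vip "ZTNA-Server"
        set client-cert enable
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "RDP-Server"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end
# ZTNA policy: only members of ZTNA-Group reach the server.
config firewall proxy-policy
    edit 1
        set name "ZTNA-RDP-Policy"
        set type access-proxy
        set access-proxy "ZTNA-Server"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "ZTNA-Group"
        set action accept
        set logtraffic all
    next
end
```

The exact set of access-proxy options varies between FortiOS releases, so after building the ZTNA server in the GUI, compare with `show firewall access-proxy` and `show user saml` and keep the values the GUI generated; the group-name match of VPNZTNA is the point that ties the FortiAuthenticator RADIUS attribute and SAML assertion to the FortiGate policy.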

- Check the FortiClient EMS ZTNA server destinations. Open a connection to the ZTNA destination.

- The final destination in this example is a Remote Desktop host. Open the RDP connection. Log in with the AD user and AD password. Finally, a message asks for a mobile device token. Open the FortiToken Mobile app on Android and authorize access.