FortiGate
CarlosColombini
Article Id 291776
Description

This article describes the new settings required for SSL VPN Azure AD Auto-Connect when FortiGate is running v7.4.2 or higher.

Starting with v7.2.1, Azure AD domain-joined machines can automatically connect to an SSL VPN tunnel, as described in the document below:

Autoconnect for SSLVPN on logging in as an Entra ID user

Starting with FortiClient v7.2.3 and v7.4.2, Auto-Connect for Azure AD domain-joined machines can also be used for IPsec remote access tunnels, as described in the documents below:

Autoconnect for IPsec VPN on logging in as an Entra ID user

Support autoconnect to IPsec VPN using Entra ID logon session information

However, because of the IPsec implementation, the setting below, which the SSL VPN Auto-Connect feature relied on, was removed:

config user saml
    edit "azure_saml"
        set auth-url "https://graph.microsoft.com/v1.0/me"
    next
end

Without this setting in place on v7.4.2, users fail to authenticate with the Auto-Connect feature using Entra ID login session information.

Scope

FortiGate v7.4.2+, Azure AD joined machines, Azure Auto-Connect

Solution

To resolve the issue, configure the settings below on the FortiGate. No other changes are required in FortiClient:

config user external-identity-provider
    edit "azure"
        set type ms-graph
        set version v1.0
    next
end

The next step is to assign the newly created external-identity-provider to the existing user group, as in the example below.

Note:
This must be done via the CLI, as it is currently not supported in the GUI.

config user group
    edit "SAML-AZURE-Escalations-AUTO"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "d4829628-fd49-4e6b-8d9d-85ef5d180447"
            next
        end
    next
end

Note:

To have users connect both via Auto-Connect with Entra ID login session information and via SAML with manually entered credentials, append the external-identity-provider to the existing group as in the example below, where 'azure-saml-sslvpn' is the existing SAML server configured on the FortiGate.

config user group
    edit "SAML-AZURE-Escalations-AUTO"
        set member "azure" "azure-saml-sslvpn"
        config match
            edit 1
                set server-name "azure"
                set group-name "d4829628-fd49-4e6b-8d9d-85ef5d180447"
            next
            edit 2
                set server-name "azure-saml-sslvpn"
                set group-name "d4829628-fd49-4e6b-8d9d-85ef5d180447"
            next
        end
    next
end
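As an added example that is not part of this article or of any Fortinet tooling, the following Python parses the FortiOS CLI objects shown above and checks the v7.4.2+ prerequisite before a change window: the user group must include an external-identity-provider of type ms-graph with version v1.0, and each of its match entries should reference one of the group's members. The config text is the article's own objects retyped as a constructed string; the parser and the check logic are this example's own assumptions about a sane configuration, not FortiGate behaviour.

```python
import shlex

# Constructed sample: the FortiGate objects from this article, retyped as FortiOS CLI.
SAMPLE_CONFIG = """
config user external-identity-provider
    edit "azure"
        set type ms-graph
        set version v1.0
    next
end
config user group
    edit "SAML-AZURE-Escalations-AUTO"
        set member "azure" "azure-saml-sslvpn"
        config match
            edit 1
                set server-name "azure"
                set group-name "d4829628-fd49-4e6b-8d9d-85ef5d180447"
            next
        end
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config'/'edit' nest, 'set' stores a value list."""
    stack = [{}]
    for tokens in filter(None, map(shlex.split, text.splitlines())):
        kw, args = tokens[0], tokens[1:]
        if kw == "config":           # table, e.g. "user group" or a nested "match"
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":           # table entry keyed by its name or index
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":            # attribute; FortiOS allows multi-valued sets
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):  # close the current entry or table
            stack.pop()
    return stack[0]

def check_autoconnect_group(cfg, group):
    """List what would break Entra ID auto-connect on v7.4.2+ for one group; [] means OK."""
    idps = cfg.get("user external-identity-provider", {})
    grp = cfg.get("user group", {}).get(group, {})
    members = grp.get("member", [])
    graph = [m for m in members if idps.get(m, {}).get("type") == ["ms-graph"]]
    problems = [] if graph else ["no ms-graph external-identity-provider among members"]
    problems += [f"{m}: version must be v1.0" for m in graph if idps[m].get("version") != ["v1.0"]]
    for idx, entry in grp.get("match", {}).items():
        if entry.get("server-name", [None])[0] not in members:
            problems.append(f"match {idx}: server-name is not a group member")
    return problems
```

Run `check_autoconnect_group(parse_fortios(open("fortigate.conf").read()), "SAML-AZURE-Escalations-AUTO")` against a `show full-configuration` export to get an empty list when the group is ready, or the list of things still missing.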

The configuration in FortiClient EMS remains unchanged, as shown in the screenshots below.

[Screenshot: saml-auto-1.png]

[Screenshot: saml-auto-connect-2.png]