Table of contents
- Azure Enterprise Application
- Basic SAML Configuration
- Attributes and Claims
- SAML Signing Certificate
- Create SSL-VPN-USERS Group
- Conditional Access
- FortiGate Certificate Configuration
- FortiGate SAML Configuration
- FortiGate SSL VPN Settings
- FortiGate firewall Rule (VPN to LAN)
- Connecting to the VPN with FortiClient
I have had a bunch of these jobs recently and there doesn't seem to be a lot of information on how to set this up, so I thought it would make an ideal blog post.
Prerequisites:
- A valid SSL certificate, issued from a CSR, for use with the SSL VPN setup.
- An Azure tenant and subscription with Global Administrator access.
- Administrator access to the FortiGate firewall.
- Basic knowledge of firewall configuration and rules.
What we will do:
- Create the Azure Enterprise Application and configure the SAML/SSO settings.
- Create the SSL VPN settings on the FortiGate.
- Apply the SAML/SSO settings to the FortiGate.
- Apply a firewall policy for inbound VPN traffic to the LAN.
Azure Enterprise Application
Log into the Azure Portal and navigate to the following:
Azure Active directory > Enterprise Applications > New Application
We are after "FortiGate SSL VPN".
After creating the app you should be punted to the overview screen. Select the Set up single sign-on button.
Basic SAML Configuration
From this page we can pre-provision the SAML settings that we will later put into the FortiGate. The "Basic SAML Configuration" box shows the URLs you need to enter. Please note: vpn.switchitup.tech:10443 should be substituted with the subject name of the SSL certificate you applied for to use with your SSL VPN, and the port (10443) should be changed to the port you are going to configure on the FortiGate for SSL VPN connections (if different). The host and port in these URLs must match what the FortiGate listens on, or the SAML redirect will not come back to the VPN.
Attributes and Claims
We need to make two changes here: first, modify the user.groups claim; second, add a claim Username = user.userprincipalname.
Add the username Attribute:
SAML Signing Certificate
All we need to do here is download the BASE64 certificate and save this for later as we will need to import this into the FortiGate.
Create SSL-VPN-USERS Group
Access to the Enterprise Application will be granted to users who are members of the SSL-VPN-USERS group.
I have created this group in the cloud only, but if you have a hybrid setup with on-premises AD and AD Connect you can by all means create it on-prem and sync it up. Alternatively, you may have group writeback enabled as part of your AD Connect sync, meaning groups created in the cloud will sync back down to on-prem AD.
For cloud only, navigate to:
Azure Active Directory > Groups > New Group
Now that we have our security group created, navigate back to your FortiGate Enterprise Application and select Users and groups from the menu bar. Select "Add user/group" and add your newly created SSL-VPN-USERS group.
Conditional Access
We can use Conditional Access to further restrict access to the Enterprise Application or do other neat stuff like force Multi-Factor Authentication (MFA). From your FortiGate Enterprise Application select Conditional Access > New Policy. We are going to create a policy called "FORCE MFA on SSL VPN".
The next few pictures show the settings to force MFA. Basically the following is evaluated: IF you are a member of "SSL-VPN-USERS" accessing the FortiGate SSL VPN Enterprise Application from ANY location, GRANT ACCESS but FORCE MFA.
Please note that if users have not got MFA set up, they will be prompted to set it up when they first access the VPN.
FortiGate Certificate Configuration
Make sure you have uploaded your SSL certificate to the FortiGate. We will also upload the Base64 certificate we acquired from the Azure Enterprise Application.
On the FortiGate navigate to: System > Certificates > Create/Import > Remote Certificate > Upload
The certificate will show as REMOTE_Cert_# (the number depends on how many other remote certificates you already have) with the subject Microsoft Azure Federated SSO Certificate:
FortiGate SAML Configuration
The following code block shows the CLI commands we need to enter the SAML settings into the firewall via the console.
```
###Create Single Sign on user with name ssl-azure-saml###
config user saml
    edit "ssl-azure-saml"
        ###Which SSL cert to use###
        set cert "vpn.switchitup.tech"
        ###Basic SAML configuration from enterprise Application###
        set entity-id "https://vpn.switchitup.tech:10443/remote/saml/metadata"
        set single-sign-on-url "https://vpn.switchitup.tech:10443/remote/saml/login"
        set single-logout-url "https://vpn.switchitup.tech:10443/remote/saml/logout"
        ###Link Fortigate to Azure AD Tenant, box 4 of SAML page###
        set idp-entity-id "https://sts.windows.net/<Azure tenant ID>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<Azure tenant ID>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<Azure tenant ID>/saml2"
        ###Remote Azure federation SSO cert we applied to the FortiGate###
        set idp-cert "REMOTE_Cert_1"
        ###Set the attributes and claims we created###
        set user-name username
        set group-name group
    next
end
```
The box 4 SAML settings can be found on the FortiGate Enterprise Application's Single sign-on page, pre-populated with your tenant ID:
After you have applied the above CLI commands to the FortiGate you can find the new user by navigating to:
User & Authentication > Single Sign-on
Next we need to configure the user group. This is based on the group we created in Azure AD (SSL-VPN-USERS), and it sets the SAML user/profile we created above as a member, matching on the group's object ID.
```
config user group
    edit AAD-SSL-VPN-USERS
        set member ssl-azure-saml
        config match
            edit 1
                set server-name ssl-azure-saml
                ###This is the Groups object ID in Azure AD###
                set group-name "0d8c5dec-7a10-4e98-8991-595e10ee7c6f"
            next
        end
    next
end
```
You can locate the group object ID by going to the group in Azure AD (see below).
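To make the attribute and group mapping above concrete (the Username/group claims added in Attributes and Claims, the `set user-name username` / `set group-name group` lines, and the `config match` on the group object ID), here is an added Python model of what the FortiGate does with an incoming assertion. This is example code written for this post, not Fortinet's implementation: the assertion XML, the tenant ID and the user are constructed, the group object ID is the one from the CLI block above, and the real device also verifies the assertion signature against the imported REMOTE_Cert, which is represented here only by an issuer check.

```python
"""Model of how the FortiGate maps an Azure SAML assertion onto a user group.

Added example (not the post's or Fortinet's code). It reads the two claims
configured in Azure, checks the issuer matches the configured IdP entity ID,
and applies the `config match` group object ID rule from `config user group`.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: a made-up tenant ID and user, the claim names
# added in Azure ("username" and "group"), and the post's group object ID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@switchitup.tech</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>0d8c5dec-7a10-4e98-8991-595e10ee7c6f</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Mirrors `config user saml` (attribute names, IdP entity ID) and
# `config user group` (one match rule per FortiGate group).
SAML_USER = {
    "idp-entity-id": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "user-name": "username",
    "group-name": "group",
}
USER_GROUPS = {
    "AAD-SSL-VPN-USERS": {
        "server-name": "ssl-azure-saml",
        "group-name": "0d8c5dec-7a10-4e98-8991-595e10ee7c6f",
    },
}


def extract_claims(assertion_xml, saml_user):
    """Return (username, set_of_group_ids) from the assertion.

    Raises ValueError when the issuer is not the configured IdP or the
    username claim is missing/ambiguous, which is a deny on the firewall.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != saml_user["idp-entity-id"]:
        raise ValueError(f"assertion issuer {issuer!r} is not the configured IdP")

    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values

    usernames = attrs.get(saml_user["user-name"], [])
    if len(usernames) != 1:
        raise ValueError("assertion must carry exactly one username claim")
    # Azure sends group object IDs, not names; compare case-insensitively.
    groups = {g.lower() for g in attrs.get(saml_user["group-name"], [])}
    return usernames[0], groups


def matching_user_groups(groups, user_groups):
    """FortiGate groups whose match rule's object ID is in the assertion."""
    return sorted(
        name for name, rule in user_groups.items()
        if rule["group-name"].lower() in groups
    )


def authorize(assertion_xml):
    """Full path: claims -> FortiGate groups. Empty list = no portal mapping."""
    user, groups = extract_claims(assertion_xml, SAML_USER)
    return user, matching_user_groups(groups, USER_GROUPS)


if __name__ == "__main__":
    print(authorize(SAMPLE_ASSERTION))
```

A user who is not in SSL-VPN-USERS still gets a valid assertion from Azure (Conditional Access aside); it is the empty `config match` result that stops them reaching the tunnel-access portal, which is why the object ID in `set group-name` must be exactly the group's ID and not its display name.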
Great work, now our FortiGate and Azure AD tenant are connected and ready for single sign-on. All we need to do now is configure the actual SSL VPN settings on the firewall and apply a firewall access rule for VPN users to our internal LAN (all traffic is blocked by default on a FortiGate).
FortiGate SSL VPN Settings
The following sections presume you have experience setting up VPNs or using a FortiGate, but I will cover the key points:
- Listen on Interface: usually your WAN / Internet-in interface.
- Listen on Port: this is also the port referenced in the SAML URLs, so if yours is different make sure it is reflected in the SAML/CLI config.
- Server Certificate: your SSL certificate with the DNS name your users will use to connect to the VPN. Make sure you have imported your SSL certificate from the registrar as a CA certificate on the FortiGate.
- IP Ranges = SSL-VPN-RANGE: the range of addresses the FortiGate will hand out to VPN users when they connect. You can modify this to your liking.
- DNS: configure to your liking.
- Authentication/Portal Mappings: here we add the Azure AD group we created above, AAD-SSL-VPN-USERS. It checks that the user has this security group object applied for authentication. Tunnel-access is like being on the local LAN: you can ping and access internal resources, with no portal or landing page to navigate around.
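The post stresses twice (Basic SAML Configuration, and Listen on Port above) that the host and port in the SAML URLs must match the certificate subject and the SSL VPN listen port; a mismatch is the classic cause of a login that bounces to Microsoft and never returns. Here is an added Python check, not from the original post, that parses a `config user saml` block and flags such mismatches before the config is applied. The tenant ID is a constructed placeholder and the sample block deliberately contains one wrong port.

```python
"""Consistency check for FortiGate SAML URLs against the SSL VPN settings.

Added example, not from the original post. Parses a `config user saml`
block and checks the SP URLs (entity-id, SSO, SLO) use the certificate's
subject name and the SSL VPN listen port, and that all IdP URLs carry the
same Azure tenant ID.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the post's block with a made-up tenant ID and a
# deliberate mistake on the logout URL (port 443 instead of 10443).
SAMPLE_SAML_CONFIG = """
config user saml
    edit "ssl-azure-saml"
        set cert "vpn.switchitup.tech"
        set entity-id "https://vpn.switchitup.tech:10443/remote/saml/metadata"
        set single-sign-on-url "https://vpn.switchitup.tech:10443/remote/saml/login"
        set single-logout-url "https://vpn.switchitup.tech:443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name username
        set group-name group
    next
end
"""

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"\n]*)"?\s*$', re.MULTILINE)
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
SP_URL_KEYS = ("entity-id", "single-sign-on-url", "single-logout-url")
IDP_URL_KEYS = ("idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url")


def parse_saml_block(text):
    """Return {setting: value} for every `set` line in the block."""
    return dict(SET_RE.findall(text))


def check_saml_settings(settings, cert_subject, sslvpn_port):
    """Return a list of problems; an empty list means the block is consistent."""
    problems = []
    if settings.get("cert") != cert_subject:
        problems.append(f"cert: {settings.get('cert')!r} is not the SSL VPN server certificate {cert_subject!r}")

    # SP side: every URL must be https, on the cert's DNS name, on the listen port.
    for key in SP_URL_KEYS:
        url = settings.get(key, "")
        u = urlparse(url)
        if u.scheme != "https":
            problems.append(f"{key}: must be https, got {url!r}")
        if u.hostname != cert_subject:
            problems.append(f"{key}: host {u.hostname!r} does not match certificate subject {cert_subject!r}")
        if (u.port or 443) != sslvpn_port:
            problems.append(f"{key}: port {u.port or 443} does not match SSL VPN listen port {sslvpn_port}")

    # IdP side: the three URLs from box 4 must all reference one tenant ID.
    tenants = set()
    for key in IDP_URL_KEYS:
        m = re.search(r"/([0-9a-f-]{36})/", settings.get(key, ""), re.I)
        if not m or not GUID_RE.match(m.group(1)):
            problems.append(f"{key}: no Azure tenant ID found")
        else:
            tenants.add(m.group(1).lower())
    if len(tenants) > 1:
        problems.append(f"IdP URLs reference different tenant IDs: {sorted(tenants)}")

    if not settings.get("idp-cert", "").startswith("REMOTE_Cert_"):
        problems.append("idp-cert should reference the imported Azure federated SSO remote certificate")
    return problems


if __name__ == "__main__":
    for p in check_saml_settings(parse_saml_block(SAMPLE_SAML_CONFIG), "vpn.switchitup.tech", 10443):
        print("PROBLEM:", p)
```

Run it against your own block (paste it into `SAMPLE_SAML_CONFIG`) with the subject name of your certificate and the port from the SSL VPN settings; the only output on a correct config is nothing.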
FortiGate firewall Rule (VPN to LAN)
Again, this is a basic rule to get you started. It lets VPN users access VLAN10 resources if they are members of SSL-VPN-USERS. Make sure NAT is disabled:
On the FortiGate navigate to: Policy & Objects > Firewall Policy > Create New
Connecting to the VPN with FortiClient
FortiClient is used to connect to the VPN on the FortiGate. The following are my settings, but you should set the REMOTE GATEWAY and PORT to whatever your configuration reflects.
On login you should be forced through to the Microsoft sign-in. If you haven't got MFA set up on your account it will now prompt you to set it up; you may have to reconnect due to a timeout while you set up MFA. All being well, if you satisfy the Conditional Access policy and you are a member of the SSL-VPN-USERS group, it will sign you into the VPN and you can then reach internal resources.
So there we have it, SSL VPN connectivity with our FortiGate with SSO and MFA provided by our Azure Active Directory account.