Ash Roberts
SwitchITUp

FortiGate SSL VPN with Single Sign-on + MFA with Azure AD

Ash Roberts
·Apr 28, 2022·

6 min read

I've had a bunch of these jobs recently and there doesn't seem to be a lot of information on how to set this up, so I thought it would make an ideal blog post.

Assumptions

  • You have a valid SSL certificate, created from a CSR, for use with the SSL VPN setup.

  • You have an Azure tenant and subscription with Global Administrator access.

  • You have administrator access to the FortiGate firewall.

  • You have basic knowledge of firewall configuration and rules.

Objectives

  • Create the Azure enterprise application and configure the SAML/SSO settings

  • Create the SSL VPN settings on the FortiGate

  • Apply SAML/SSO settings to the FortiGate

  • Apply Firewall policy for inbound VPN traffic to LAN

  • Test connectivity

Azure Enterprise Application

Log into the Azure Portal and navigate to the following:

Azure Active directory > Enterprise Applications > New Application

Search the gallery for "FortiGate SSL VPN" and select it.

fortigateentapp.jpg

After creating the app you should land on the overview screen; select the "Set up single sign-on" button.

fortigatesso.jpg

Basic SAML Configuration

From this page we can pre-provision the SAML settings that we will later put into the FortiGate. The "Basic SAML Configuration" box shows the URLs you need to enter. Please note that vpn.switchitup.tech:10443 should be substituted with the subject name of the SSL certificate you applied for to be used with your SSL VPN, and the port (10443) changed to the port you are going to configure on the FortiGate for SSL VPN connections (if different). These values must match exactly, as the FortiGate will use the same URLs in its SAML configuration later.

basicSAMLconf.jpg

Attributes and Claims

We need to make two changes here: firstly, modify the user.groups claim; secondly, add a Username claim with the value user.userprincipalname.

claimsandattributes.jpg

Modify user.groups:

usergroupclaim.jpg

groupclaimsetting.jpg

Add the username Attribute:

manageclaims.jpg

SAML Signing Certificate

All we need to do here is download the Base64 certificate and save it for later, as we will need to import it into the FortiGate.

signingcert.jpg

Create SSL-VPN-USERS Group

Access to the Enterprise Application will be granted to users who are members of the SSL-VPN-USERS group.

I have created this group in the cloud only, but if you have a hybrid setup with on-premises AD and Azure AD Connect you can by all means create it on-prem and sync it up. Alternatively, you may have Group Writeback enabled as part of your AD Connect sync, meaning groups created in the cloud will sync back down to on-prem AD.

For cloud only, navigate to:
Azure Active Directory > Groups > New Group

CreateGroup.jpg

sslvpngroup.jpg

Now that we have our security group created, navigate back to your FortiGate Enterprise Application and select "Users and groups" from the menu bar. Select "Add user/group" and add your newly created SSL-VPN-USERS group.

usersandgroupsassignment.jpg

Conditional Access

We can use Conditional Access to further restrict access to the Enterprise Application or do other neat stuff like force Multi-Factor Authentication (MFA). From your FortiGate Enterprise Application, select Conditional Access > New Policy. We are going to create a policy called "FORCE MFA on SSL VPN".

condaccesspolicy.jpg

The next few pictures show the settings to force MFA. Basically the following is evaluated: IF you are a member of "SSL-VPN-USERS" accessing the FortiGate SSL VPN Enterprise Application from ANY location, GRANT ACCESS but FORCE MFA.

Please note that if users have not got MFA set up, they will be prompted to set it up when they first access the VPN.

assignments.jpg

cloudappactions.jpg

conitions.jpg

grant.jpg

FortiGate Certificate Configuration

Make sure you have uploaded your SSL certificate to the FortiGate. We will also upload the Base64 certificate we acquired from the Azure Enterprise Application.

On the FortiGate Navigate to: System > Certificates > Create/Import > Remote certificate > Upload

importremotecert.jpg

The certificate will show as REMOTE_Cert_# (the number depends on how many other remote certificates you already have) with the subject "Microsoft Azure Federated SSO Certificate":

remotecert.jpg

FortiGate SAML Configuration

The following code block shows the CLI commands we need to enter the SAML settings into the firewall via the console.

### Create the single sign-on user with the name ssl-azure-saml ###
config user saml
    edit "ssl-azure-saml"
        ### Which SSL cert to use (the SSL VPN server certificate) ###
        set cert "vpn.switchitup.tech"

        ### Basic SAML Configuration from the Enterprise Application ###
        set entity-id "https://vpn.switchitup.tech:10443/remote/saml/metadata"
        set single-sign-on-url "https://vpn.switchitup.tech:10443/remote/saml/login"
        set single-logout-url "https://vpn.switchitup.tech:10443/remote/saml/logout"

        ### Link the FortiGate to the Azure AD tenant, box 4 of the SAML page ###
        set idp-entity-id "https://sts.windows.net/<Azure tenant ID>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<Azure tenant ID>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<Azure tenant ID>/saml2"

        ### Remote Azure federated SSO cert we imported into the FortiGate ###
        set idp-cert "REMOTE_Cert_1"

        ### The attribute and claim names we created in Azure ###
        set user-name username
        set group-name group
    next
end

The box 4 SAML settings can be found on the FortiGate Enterprise Application's single sign-on page, pre-populated with your tenant ID:

box4SAML.jpg

After you have applied the above CLI commands to the FortiGate you can find the new user by navigating to:
User & Authentication > Single Sign-on

ssouser.jpg
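The most common reason this setup fails is a mismatch between the URLs in the FortiGate SAML config and what Azure, the certificate and FortiClient expect. The following pre-flight checker is an added example, not part of the original post or a Fortinet tool: it parses a pasted "config user saml" block and flags SP URLs whose host or port differ from the certificate subject and SSL VPN listen port, idp-* URLs that do not all carry one tenant ID, and attribute names that differ from the Azure claim names. The tenant ID in the sample is made up.

```python
import re
from urllib.parse import urlparse
# Constructed sample: the post's "config user saml" block with a made-up tenant ID
SAML_CLI = """
config user saml
    edit "ssl-azure-saml"
        set cert "vpn.switchitup.tech"
        set entity-id "https://vpn.switchitup.tech:10443/remote/saml/metadata"
        set single-sign-on-url "https://vpn.switchitup.tech:10443/remote/saml/login"
        set single-logout-url "https://vpn.switchitup.tech:10443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"
        set user-name username
        set group-name group
    next
end
"""
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def parse_set_lines(cli):
    # Map every 'set <key> <value>' line to {key: value}, quotes stripped
    return {m.group(1): m.group(2).strip().strip('"')
            for m in re.finditer(r"^\s*set\s+(\S+)\s+(.+)$", cli, re.M)}

def check_saml(cli, listen_port, cert_subject, claims=("username", "group")):
    s = parse_set_lines(cli)
    problems = []  # empty list means SP and IdP settings are consistent
    # SP URLs must use the exact host:port FortiClient dials and the cert was issued for
    for key, path in (("entity-id", "/remote/saml/metadata"),
                      ("single-sign-on-url", "/remote/saml/login"),
                      ("single-logout-url", "/remote/saml/logout")):
        u = urlparse(s.get(key, ""))
        if u.scheme != "https" or u.hostname != cert_subject or u.path != path:
            problems.append(f"{key}: expected https://{cert_subject}:{listen_port}{path}")
        elif (u.port or 443) != listen_port:
            problems.append(f"{key}: port {u.port or 443} != SSL VPN listen port {listen_port}")
    # All three idp-* URLs must carry the same Azure tenant ID (box 4 of the SSO page)
    tenants = {(m.group(1).lower() if m else None)
               for m in (re.search(r"/([0-9a-f-]{36})/", s.get(k, ""), re.I)
                         for k in ("idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url"))}
    if len(tenants) != 1 or not GUID.match(next(iter(tenants)) or ""):
        problems.append("idp-* URLs do not all reference one valid tenant ID")
    if s.get("cert") != cert_subject:
        problems.append(f"cert {s.get('cert')!r} is not the VPN server certificate")
    # Attribute names must match the claim names created in Azure (Username, group)
    if (s.get("user-name"), s.get("group-name")) != claims:
        problems.append("user-name/group-name do not match the Azure claim names")
    return problems
```

Paste the output of "show user saml" in place of the sample and pass the listen port and certificate subject you actually configured; any returned entry is a setting to fix before testing with FortiClient.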

Next we need to configure the user group. This is based on the group we created in Azure AD (SSL-VPN-USERS), and it sets the SAML user we created above as a member, matching on the Azure group's object ID.

config user group
    edit "AAD-SSL-VPN-USERS"
        set member "ssl-azure-saml"
        config match
            edit 1
                set server-name "ssl-azure-saml"
                ### This is the group's object ID in Azure AD ###
                set group-name "0d8c5dec-7a10-4e98-8991-595e10ee7c6f"
            next
        end
    next
end

You can locate the group object ID by going to the group in Azure AD (see below).

groupobjectid.jpg

Great work, now our FortiGate and Azure AD tenant are connected and ready for single sign-on. All we need to do now is configure the actual SSL VPN settings on the firewall and apply a firewall access rule for VPN users to our internal LAN (all traffic is blocked by default on a FortiGate).

FortiGate SSL VPN Settings

The following sections presume you have experience setting up VPNs or using a FortiGate, but I will cover the key points:

  • Listen on Interface: usually your WAN / Internet-in interface.

  • Listen on Port: this is also the port referenced in the SAML URLs, so if yours is different make sure it is reflected in the SAML/CLI config.

  • Server Certificate: your SSL certificate with the DNS name your users will use to connect to the VPN. Make sure you have imported your SSL cert from a registrar as a CA cert in the FortiGate.

  • IP Ranges = SSL-VPN-RANGE: this is the range of addresses the FortiGate will hand out to VPN users when they connect. You can modify this to your liking.

  • DNS: configure to your liking.

  • Authentication/Portal Mapping: here we add the Azure AD group we created above, AAD-SSL-VPN-USERS. It will check that the user has this security group object applied for authentication. Tunnel access is like being on the local LAN; you can ping and access internal resources, with no portal or landing page to navigate around.

ssl settings1.jpg

sslsettings2.jpg

FortiGate firewall Rule (VPN to LAN)

Again, this is a basic rule to get you started that lets VPN users access VLAN10 resources if they are members of SSL-VPN-USERS. Make sure NAT is disabled:

On the FortiGate navigate to: Policy & Objects > Firewall Policy > Create New

firewallrule.jpg

Connecting to the VPN with FortiClient

FortiClient is used to connect to the VPN on the FortiGate. The following are my settings, but you should set the REMOTE GATEWAY and PORT to whatever your configuration reflects.

forticlientsettings.jpg

On login you should be redirected to the Microsoft sign-in page. If you haven't got MFA set up on your account, it will now prompt you to set it up. You may have to reconnect due to a timeout while you set up MFA. All being well, if you satisfy the Conditional Access policy and you are a member of the SSL-VPN-USERS group, it will sign you into the VPN and you can then reach internal resources.

So there we have it, SSL VPN connectivity with our FortiGate with SSO and MFA provided by our Azure Active Directory account.
