FortiClient can be integrated with Active Directory so that users can use their domain username and password to connect to the FortiClient VPN.
This involves the following steps:
- Create AD account
- Create Security Group
- Register LDAP server on Fortigate
- Create Firewall group
- Create Local address
- Create FortiClient VPN
- FortiClient setup on device
- Create AD account
Create a user account in Active Directory. This account is created so that the FortiGate can bind to LDAP and read the required information.
This user account does not need any administrator privileges and is referenced in step 3. I would give it a complex password and set the password to never expire.
- Create Security Group
For easier administration, I would advise that a security group be created and that the users who require FortiClient access are added to that security group.
- Register LDAP server on Fortigate
Under the User & Device > LDAP Servers menu, click Add.
Fill out the required fields, changing the Common Name Identifier to sAMAccountName. Enter the Distinguished Name of the Active Directory domain, select Regular as the Bind Type, and enter the username created in step 1 as the User DN.
- Create Firewall Group
Go to User & Device > User Groups and create a new User Group of Type Firewall.
In the new User Group, under the Remote Groups section, click Create New. For Remote Server, select the LDAP server created in step 3, then browse through the LDAP tree to the security group created in step 2 and select it.
- Create Local addresses
To allow split tunnelling in the FortiClient VPN, where general internet traffic goes out the remote client's own internet connection and only mycompany-related traffic goes over the VPN, create an address object for the local subnet.
Under Policy & Objects > Addresses, click Create New > Address.
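As an added example, not taken from the original post, this is the FortiOS CLI equivalent of steps 3 to 5 above. The server IP, distinguished names, service account, group name, subnet and object names are assumed placeholders for a domain called mycompany.local, and the `#` lines are comments for the reader. It goes one step beyond the GUI walkthrough by binding over LDAPS on port 636 so that the service account password from step 1 is not sent to the domain controller in cleartext.

```fortios
# Step 3: register the LDAP server, binding with the account created in step 1.
config user ldap
    edit "LDAP_server"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "DC=mycompany,DC=local"
        set type regular
        set username "CN=svc-fortigate-ldap,OU=Service Accounts,DC=mycompany,DC=local"
        set password "<service-account-password>"
        # Assumed hardening not in the post: use LDAPS rather than plain LDAP on 389.
        set secure ldaps
        set port 636
    next
end

# Step 4: firewall user group matched against the AD security group from step 2.
config user group
    edit "FortiClient_VPN_Users"
        set member "LDAP_server"
        config match
            edit 1
                set server-name "LDAP_server"
                set group-name "CN=FortiClient VPN Users,OU=Groups,DC=mycompany,DC=local"
            next
        end
    next
end

# Step 5: address object for the local subnet, used for the split-tunnel route.
config firewall address
    edit "Local_LAN"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Verify the bind and group lookup with a test user before building the VPN.
diagnose test authserver ldap LDAP_server jsmith "<user-password>"
```

A successful diagnose run reports that authentication succeeded and lists the user's group memberships, which should include the security group from step 2; if the group is missing, the VPN user group will not match even though the password is accepted.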
- Create FortiClient VPN
To create the VPN, go to the VPN > IPsec Wizard menu and fill out the required details.
To see how to set the DNS suffix on a FortiClient VPN, go to Set DNS suffix on FortiClient VPN.
- Set up FortiClient on Device
Go to FortiClient.com and download the software for your device.
Once set up, the users will be able to use their domain username and password to connect to the VPN.