FortiClient with Active Directory Integration (FortiOS 5.4)

FortiClient can be integrated with Active Directory so that users can use their domain username and password to connect to the FortiClient VPN.

This involves the following steps:

  • Create AD account
  • Create Security Group
  • Register LDAP server on FortiGate
  • Create Firewall Group
  • Create Local address
  • Create FortiClient VPN
  • Set up FortiClient on the device


  • Create AD account

Create a user account in Active Directory. The FortiGate binds to LDAP with this account to look up users and their group membership, so it needs no administrator privileges, only the default read access every domain user has. It is referenced again in step 3.

Give it a complex password and set the password to never expire: if the bind password expires, every VPN user stops being able to authenticate until it is updated on the FortiGate.

  • Create Security Group

For easier administration, create a security group in Active Directory and add the users who require FortiClient access to it. VPN access is then granted and revoked by group membership rather than per user.

  • Register LDAP server on FortiGate

Under User & Device > LDAP Servers, click Create New.

Fill out the required fields, changing the Common Name Identifier from the default cn to sAMAccountName so that users log in with their domain username rather than their display name. For Distinguished Name enter the base DN of the domain (for example dc=mycompany,dc=local), select Regular as the Bind Type, and for User DN enter the distinguished name of the account created in step 1 (Active Directory also accepts the user@domain form) together with its password.

A Regular bind sends that password to the domain controller, so enable Secure Connection (LDAPS) if your domain controllers present a certificate the FortiGate can validate; otherwise the bind credentials cross the network unencrypted. Test the connection before continuing.

  • Create Firewall Group

Go to User & Device > User Groups and create a new User Group of Type Firewall.

In the new group, under Remote Groups, click Create New. For Remote Server select the LDAP server created in step 3, then browse the LDAP tree to the security group created in step 2 and select it. Only members of that group will be able to authenticate to the VPN.

  • Create Local address

To allow split tunnelling in the FortiClient VPN (general internet traffic leaves through the remote client's own internet connection and only traffic for the mycompany networks goes over the VPN), create an address object for the internal subnet that remote users need to reach.

Under Policy & Objects > Addresses, click Create New > Address, set Type to Subnet and enter the internal subnet.

  • Create FortiClient VPN

To create the VPN go to VPN > IPsec Wizard, choose the Remote Access template with FortiClient as the remote device type, and fill out the required details: the incoming (WAN) interface and a pre-shared key, the user group created in step 4 as the authentication group, and on the Policy & Routing page the local interface and the address created in step 5 with Enable IPv4 Split Tunnel ticked. Give the clients an internal DNS server as well, or internal hostnames will not resolve over the tunnel.

To see how to set a DNS suffix on a FortiClient VPN, see Set DNS suffix on FortiClient VPN.
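The FortiGate side of steps 3 to 6 expressed in the FortiOS 5.4 CLI, as an added example that is not part of the original post. Every name, address, DN and interface in it (AD_LDAP, 10.0.0.10, dc=mycompany,dc=local, svc_fortigate, LAN_Subnet, wan1, the client pool and the CA certificate name) is a placeholder to substitute with your own values.

```fortios
# Added example (not from the original post): FortiGate side of steps 3 to 6.
# All names, IPs, DNs and the interface are placeholders.

# Step 3: LDAP server. sAMAccountName as the CNID, base DN of the domain,
# regular bind with the service account from step 1. LDAPS keeps the bind
# password off the wire; "CA_Cert_1" is the imported CA of the domain controllers.
config user ldap
    edit "AD_LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=mycompany,dc=local"
        set type regular
        set username "CN=svc_fortigate,OU=Service Accounts,DC=mycompany,DC=local"
        set password <service-account-password>
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set port 636
    next
end

# Step 4: firewall user group limited to members of the AD security group.
# "set member" attaches the LDAP server; "config match" restricts it to the group.
config user group
    edit "FortiClient_VPN_Users"
        set member "AD_LDAP"
        config match
            edit 1
                set server-name "AD_LDAP"
                set group-name "CN=FortiClient VPN Users,OU=Groups,DC=mycompany,DC=local"
            next
        end
    next
end

# Step 5: address object for the internal subnet reachable over the tunnel.
config firewall address
    edit "LAN_Subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Step 6: the phase 1 core of what the IPsec wizard's Remote Access / FortiClient
# template produces. XAuth against the group above is what ties the VPN to AD;
# ipv4-split-include limits tunnelled traffic to the address from step 5, and the
# pushed DNS server lets clients resolve internal names.
config vpn ipsec phase1-interface
    edit "FortiClient_VPN"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "FortiClient_VPN_Users"
        set ipv4-start-ip 10.212.134.200
        set ipv4-end-ip 10.212.134.210
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "LAN_Subnet"
        set dns-mode manual
        set ipv4-dns-server1 10.0.0.10
        set psksecret <pre-shared-key>
    next
end
# The wizard also creates the matching phase2-interface, the client address
# range object and the firewall policy from the tunnel interface to the LAN;
# those are omitted here.

# Check the bind and a user lookup from the CLI before handing out the client:
# diagnose test authserver ldap AD_LDAP <domain-username> <password>
```

The diagnose command at the end is the quickest way to tell a bind problem (wrong User DN or password, LDAPS certificate not trusted) from a group-match problem (user authenticates but is not a member of the configured group) before involving a FortiClient.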

  • Set up FortiClient on the device

Go to FortiClient.com and download the software for your device, then add a new IPsec VPN connection that points at the FortiGate's public IP address or hostname and uses the pre-shared key chosen in step 6.

Once set up, the users will be able to use their domain username and password to connect to the VPN.
