Resumen del contenido incluido en la página 1
TECHNICAL NOTE
Fortinet Server Authentication
Extension
Version 1.5
www.fortinet.com
Resumen del contenido incluido en la página 2
Fortinet Server Authentication Extension Technical Note Version 1.5 01 October 2007 01-30005-0373-20071001 © Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc. Trademarks Dynamic Threat Prevention System (DTPS), APSecure
Resumen del contenido incluido en la página 3
Contents Contents Using FSAE on your network............................................................ 5 FSAE overview................................................................................................... 5 Installing FSAE on your network ..................................................................... 7 Installing FSAE.............................................................................................. 7 Configuring FSAE on Windows AD ..............................
Resumen del contenido incluido en la página 4
Contents Fortinet Server Authentication Extension Version 1.5 Technical Note 4 01-30005-0373-20071001
Resumen del contenido incluido en la página 5
Using FSAE on your network FSAE overview Using FSAE on your network The Fortinet Server Authentication Extension (FSAE) provides seamless authentication of Microsoft Windows Active Directory users on FortiGate units. This chapter describes how to install and configure FSAE on your Microsoft Windows network and how to configure your FortiGate unit to authenticate users using FSAE. The following topics are included in this chapter: • FSAE overview • Installing FSAE on your network • Configuri
Resumen del contenido incluido en la página 6
FSAE overview Using FSAE on your network Figure 1: FSAE with DC agent In Figure 1, the Client User logs on to the Windows domain, information is forwarded to the FSAE Collector agent by the FSAE agent on the domain controller, and if authentication is successful, the information is then sent via the collector agent to the FortiGate unit. Figure 2: NTLM FSAE implementation In Figure 2, the Client User logs on to the Windows domain. The FortiGate unit intercepts the request, and requests infor
Resumen del contenido incluido en la página 7
Using FSAE on your network Installing FSAE on your network Installing FSAE on your network FSAE has two components that you must install on your network: • The domain controller (DC) agent, which must be installed on every domain controller • The collector agent, which must be installed on at least one domain controller The FSAE installer first installs the collector agent. You can then continue with installation of the DC agent, or install it later by going to Start > Programs > Fortinet > F
Resumen del contenido incluido en la página 8
Configuring FSAE on Windows AD Using FSAE on your network 9 Select Next and then select Install. 10 When the FSAE InstallShield Wizard completes, ensure that Launch DC Agent Install Wizard is enabled and select Finish. The FSAE - Install DC Agent wizard starts. 11 Check the Collector Agent IP address. If the Collector Agent computer has multiple network interfaces, ensure that the one that is listed is on your network. The listed Collector Agent listening port is the default. You should chan
Resumen del contenido incluido en la página 9
Using FSAE on your network Configuring FSAE on Windows AD FSAE sends information about Windows user logons to FortiGate units. If there are many users on your Windows AD domains, the large amount of information might affect the performance of the FortiGate units. To avoid this problem, you can configure the FSAE collector agent to send logon information only for groups named in the FortiGate unit’s firewall policies. On each domain controller that runs a collector agent, you need to configur
Resumen del contenido incluido en la página 10
Configuring FSAE on Windows AD Using FSAE on your network To configure the FSAE collector agent 1 From the Start menu select Programs > Fortinet > Fortinet Server Authentication Extension > Configure FSAE. 2 Enter the following information and then select Save and Close. Monitoring user logon events Enable to automatically authenticate users as they log on to the Windows domain. Support NTLM authentication Enable to facilitate logon of users who are connected to a domain that does not have th
Resumen del contenido incluido en la página 11
Using FSAE on your network Configuring FSAE on Windows AD Password Enter the password that FortiGate units must use to authenticate. The maximum password length is 16 characters. The default password is “fortinetcanada”. Timers Workstation verify interval Enter the interval in minutes at which FSAE checks whether the user is still logged in. The default is every 5 minutes. If ports 139 or 445 cannot be opened on your network, set the interval to 0 to disable the check. See “Configuring TC
Resumen del contenido incluido en la página 12
Configuring FSAE on Windows AD Using FSAE on your network Note: If no filter is defined for a FortiGate unit and there is no default filter, the collector agent sends all Windows AD group and user logon events to the FortiGate unit. While this normally is not a problem, limiting the amount of data sent to the FortiGate unit improves performance by reducing the amount of memory the unit uses to store the group list. To view the FortiGate Filter List 1 From the Start menu select Programs > For
Resumen del contenido incluido en la página 13
Using FSAE on your network Configuring FSAE on Windows AD 4 Enter the following information and then select OK. Default Select to create the default filter. The default filter applies to any FortiGate unit that does not have a specific filter defined in the list. FortiGate Serial Enter the serial number of the FortiGate unit to which this filter applies. This field is not available if Default is selected. Number Description Enter a description of this FortiGate unit’s role in your network. For
Resumen del contenido incluido en la página 14
Configuring FSAE on FortiGate units Using FSAE on your network Configuring FSAE on FortiGate units To configure your FortiGate unit to operate with FSAE, you • specify the Windows AD servers that contains the FSAE collector agents • add Active Directory user groups to new or existing FortiGate user groups • create firewall policies for Windows AD Server groups • optionally, specify a guest protection profile to allow guest access Specifying your collector agents You need to configure the FortiG
Resumen del contenido incluido en la página 15
Using FSAE on your network Configuring FSAE on FortiGate units Viewing information imported from the Windows AD server You can view the domain and group information that the FortiGate unit receives from the AD Server. Go to User > Windows AD. Figure 3: List of groups from Active Directory server Edit Refresh Delete AD Server Domain Groups Create New Add a new Windows AD server. Name AD Server The name defined for the Windows AD server. Domain Domain name imported from the Windows AD server. Gro
Resumen del contenido incluido en la página 16
Configuring FSAE on FortiGate units Using FSAE on your network Figure 4: New User Group dialog box 3 In the Name box, enter a name for the group, Developers, for example. 4 From the Type list, select Active Directory. 5 From the Protection Profile list, select the required protection profile. 6 From the Available Users list, select the required Active Directory groups. Using the CTRL or SHIFT keys, you can select multiple groups. 7 Select the green right arrow button to move the selected groups
Resumen del contenido incluido en la página 17
Using FSAE on your network Testing the configuration Allowing guests to access FSAE policies Optionally, you can allow guest users to access FSAE firewall policies. Guests are users unknown to the Windows AD network and servers that do not log on to a Windows AD domain. To allow guest access, use the FortiGate GUI or CLI to specify a guest protection profile for your FSAE firewall policy. For example config firewall policy edit FSAE_policy set fsae-guest-profile strict end You can specify any
Resumen del contenido incluido en la página 18
NTLM authentication Using FSAE on your network 3 The client connects again, and issues a GET-request, with a Proxy-Authorization: NTLM header. is a base64-encoded NTLM Type 1 negotiation packet. 4 The FortiGate unit replies with a 401 “proxy auth required” status code, and a Proxy-Authenticate: NTLM (a bae64- encoded NTLM Type 2 challenge packet. In this packet is the challenge nonce, a random number chosen for this negotiation that is
Resumen del contenido incluido en la página 19
www.fortinet.com
Resumen del contenido incluido en la página 20
www.fortinet.com