Explicit proxy authentication

Explicit proxy authentication

FortiGate supports multiple authentication methods. This topic explains using an external authentication server with Kerberos as the primary and NTLM as the fallback.

To configure Explicit Proxy with authentication:

Enable and configure the explicit proxy

To enable and configure explicit web proxy in the GUI:

1. Go to Network > Explicit Proxy.
2. Enable Explicit Web Proxy.
3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
4. Configure the remaining settings as needed.
5. Click Apply.

To enable and configure explicit web proxy in the CLI:

config web-proxy explicit set status enable set ftp-over-http enable set socks enable set http-incoming-port 8080 set ipv6-status enable

set unknown-http-version best-effort

end

config system interface edit “port2” set vdom “vdom1”

set ip 10.1.100.1 255.255.255.0

set allowaccess ping https ssh snmp http telnet set type physical set explicit-web-proxy enable set snmp-index 12

end

next

end

Configure the authentication server and create user groups

Since we are using an external authentication server with Kerberos authentication as the primary and NTLM as the fallback, Kerberos authentication is configured first and then FSSO NTLM authentication is configured.

For successful authorization, the FortiGate checks if user belongs to one of the groups that is permitted in the security policy.

To configure an authentication server and create user groups in the GUI:

1. Configure Kerberos authentication:
   1. Go to User& Device > LDAP Servers.
   2. Click Create New.
   3. Set the following:

1. Click OK

2. Define Kerberos as an authentication service. This option is only available in the CLI.
3. Configure FSSO NTLM authentication:

FSSO NTLM authentication is supported in a Windows AD network. FSSO can also provide NTLM authentication service to the FortiGate unit. When a user makes a request that requires authentication, the FortiGate initiates NTLM negotiation with the client browser, but does not process the NTLM packets itself. Instead, it forwards all the NTLM packets to the FSSO service for processing. a. Go to Security Fabric > Fabric Connectors.

1. Click Create New and select Fortinet Single Sign-On Agent from the SSO/Identity
2. Set the Name to FSSO, Primary FSSO Agent to 16.200.220, and enter a password. d. Click OK.

4. Create a user group for Kerberos authentication:
   1. Go to User& Device > UserGroups.
   2. Click Create New.
   3. Set the Name to Ldap-Group, and Type to Firewall.
   4. In the Remote Groups table, click Add, and set the Remote Server to the previously created ldap-kerberos
   5. Click OK.
5. Create a user group for NTLM authentication:
   1. Go to User& Device > UserGroups.
   2. Click Create New.
   3. Set the Name to NTLM-FSSO-Group, Type to Fortinet Single Sign-On (FSSO), and add FORTINETQA/FSSO as a member.
   4. Click OK.

To configure an authentication server and create user groups in the CLI:

1. Configure Kerberos authentication:

config user ldap edit “ldap-kerberos” set server “172.18.62.220” set cnid “cn”

set dn “dc=fortinetqa,dc=local”

set type regular

set username “CN=root,CN=Users,DC=fortinetqa,DC=local” set password ENC

6q9ZE0QNH4tp3mnL83IS/BlMob/M5jW3cAbgOqzTBsNTrGD5Adef8BZTquu46NNZ8KWoIoclAMlrGTR0z1IqT8n 7FIDV/nqWKdU0ehgwlqMvPmOW0+S2+kYMhbEj7ZgxiIRrculJIKoZ2gjqCorO3P0BkumbyIW1jAdPTOQb749n4O cEwRYuZ2odHTwWE8NJ3ejGOg== next

end

2. Define Kerberos as an authentication service:

config user krb-keytab edit “http_service” set pac-data disable

set principal “HTTP/FGT.FORTINETQA.LOCAL@FORTINETQA.LOCAL” set ldap-server “ldap-kerberos” set keytab

“BQIAAABFAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEAA

EACKLCMonpitnVAAAARQACABBGT1JUSU5FVFFBLkxPQ0FMAARIVFRQABRGR1QuRk9SVElORVRRQS5MT0NBTAAAA

AEAAAAABAADAAiiwjKJ6YrZ1QAAAE0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkdULkZPUlRJTkVUUUEu

TE9DQUwAAAABAAAAAAQAFwAQUHo9uqR9cSkzyxdzKCEXdwAAAF0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAA

URkdULkZPUlRJTkVUUUEuTE9DQUwAAAABAAAAAAQAEgAgzee854Aq1HhQiKJZvV4tL2Poy7hMIARQpK8MCB//BI AAAABNAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEABEAE

G49vHEiiBghr63Z/lnwYrU=” next

end

3. Configure FSSO NTLM authentication:

config user fsso edit “1” set server “172.18.62.220” set password ENC

4e2IiorhPCYvSWw4DbthmLdpJuvIFXpayG0gk1DHZ6TYQPMLjuiG9k7/+qRneCtztBfbzRr1pcyC6Zj3det2pvW dKchMShyz67v4c7s6sIRf8GooPBRZJtg03cmPg0vd/fT1xD393hiiMecVGCHXOBHAJMkoKmPNjc3Ga/e78rWYeH uWK1lu2Bk64EXxKFt799UgBA== next

end

4. Create a user group for Kerberos authentication:

config user group edit “Ldap-Group” set member “ldap” “ldap-kerberos”

next

end

5. Create a user group for NTLM authentication:

config user group edit “NTLM-FSSO-Group” set group-type fsso-service set member “FORTINETQA/FSSO”

next end

Create an authentication scheme and rules

Explicit proxy authentication is managed by authentication schemes and rules. An authentication scheme must be created first, and then the authentication rule.

To create an authentication scheme and rules in the GUI:

1. Create an authentication scheme:
   1. Go to Policy & Objects > Authentication Rules.
   2. Click Create New > Authentication Schemes.
   3. Set the Name to Auth-scheme-Negotiate and select Negotiate as the Method. Click OK.
2. Create an authentication rule:
   1. Go to Policy & Objects > Authentication Rules.
   2. Click Create New > Authentication Rules.
   3. Set the Name to Auth-Rule, Source Address to all, and Protocol to HTTP.
   4. Enable Authentication Scheme, and select the just created Auth-scheme-Negotiate e. Click OK.

To create an authentication scheme and rules in the CLI:

1. Create an authentication scheme:

config authentication scheme edit “Auth-scheme-Negotiate” set method negotiate      <<< Accepts both Kerberos and NTLM as fallback next

end

2. Create an authentication rule:

config authentication rule edit “Auth-Rule” set status enable set protocol http set srcaddr “all” set ip-based enable

set active-auth-method “Auth-scheme-Negotiate” set comments “Testing”

next

end

Create an explicit proxy policy and assign a user group to the policy

To create an explicit proxy policy and assign a user group to it in the GUI:

1. Go to Policy & Object > Proxy Policy.
2. Click Create New.
3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
4. Set Source to all, and the just created user groups NTLM-FSSO-Group and Ldap-Group.
5. Also set Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
6. Click OK.

To create an explicit proxy policy and assign a user group to it in the CLI:

config firewall proxy-policy edit 1 set uuid 722b6130-13aa-51e9-195b-c4196568d667 set proxy explicit-web set dstintf “port1” set srcaddr “all” set dstaddr “all” set service “web” set action accept set schedule “always” set logtraffic all

set groups “NTLM-FSSO-Group” “Ldap-Group” set av-profile “av”

set ssl-ssh-profile “deep-custom”

next

end

Verify the configuration

Log in using a domain and system that would be authenticated using the Kerberos server, then enter the diagnose wad user list CLI command to verify:

# diagnose wad user list

ID: 8, IP: 10.1.100.71, VDOM: vdom1 user name : test1@FORTINETQA.LOCAL

duration : 389 auth_type : IP

auth_method : Negotiate

pol_id     : 1 g_id    : 1 user_based : 0

expire      : no

LAN: bytes_in=4862 bytes_out=11893 WAN: bytes_in=7844 bytes_out=1023

Log in using a system that is not part of the domain. The NTLM fallback server should be used:

# diagnose wad user list

ID: 2, IP: 10.1.100.202, VDOM: vdom1 user name : TEST31@FORTINETQA

duration   : 7 auth_type : IP auth_method : NTLM

pol_id     : 1 g_id    : 5 user_based : 0

expire      : no

LAN:

bytes_in=6156 bytes_out=16149 WAN: bytes_in=7618 bytes_out=1917