
FortiGate SAML
Had a bunch of these jobs recently and there doesn't seem to be a lot of information on how to set this up, so thought it would be an ideal blog post.

Prerequisites:

- You have an Azure tenant and subscription with Global Administrator access
- Administrator access to the FortiGate firewall
- You have a valid SSL cert created from a CSR for use with the SSL VPN setup
- Have basic knowledge of firewall configuration/rules

Steps:

1. Create the Azure Enterprise Application and configure the SAML/SSO settings
2. Create the SSL VPN settings on the FortiGate
3. Apply a firewall policy for inbound VPN traffic to the LAN

Log into the Azure Portal and navigate to the following: Azure Active Directory > Enterprise Applications > New Application.

After creating the app you should be punted to the overview screen; select the Set up single sign-on button. From this page we can pre-provision the SAML settings that we will later put into the FortiGate.

The "Basic SAML Configuration" box shows the URLs you need to enter. Please note: the hostname in front of :10443 should be substituted with the subject name of the SSL cert you have applied for to be used with your SSL VPN. Also change the port (10443) to the port you are going to configure on the FortiGate for SSL VPN connections (if different).

We need to make two changes here: firstly we need to modify …oups, secondly add Username = …erprincipalname.

All we need to do here is download the Base64 certificate and save it for later, as we will need to import it into the FortiGate.

Access to the Enterprise Application will be granted to users who are members of the SSL-VPN-USERS group. Navigate to Azure Active Directory > Groups > New Group. I have created this group in the cloud only, but if you have a hybrid setup with AD on premise and AD Connect you can by all means create this on-prem and sync it up. Alternatively you may have group writeback as part of your AD Connect sync, meaning groups created in the cloud will sync back down to on-prem AD.

Now we have our security group created, navigate back to your FortiGate Enterprise Application and select Users and groups from the menu bar. Select "Add User/Group" and add your newly created SSL-VPN-USERS group.

We can use Conditional Access to further restrict access to the Enterprise Application or do other neat stuff like force Multi-Factor Authentication (MFA). We are going to create a policy called "FORCE MFA on SSL VPN". From your FortiGate Enterprise Application select Conditional Access > New Policy.
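The FortiGate side of the same settings (step 2, "Create the SSL VPN settings on the FortiGate"), as an added FortiOS CLI example that is not from the original post. It assumes the hostname vpn.example.com as the cert subject name, port 10443, a tenant ID placeholder, the downloaded Base64 IdP certificate imported as REMOTE_Cert_1, the CSR-based server cert named SSLVPN_Cert, Azure claims named "username" (user.userprincipalname) and "group" carrying the group object ID, and the default "full-access" portal.

```fortios
config user saml
    edit "azure-sslvpn"
        # SP side: must match the Identifier / Reply URL / Logout URL entered in
        # "Basic SAML Configuration"; host = subject name of the SSL VPN cert,
        # port = the SSL VPN port chosen on the FortiGate (10443 here).
        set entity-id "https://vpn.example.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:10443/remote/saml/login"
        set single-logout-url "https://vpn.example.com:10443/remote/saml/logout"
        # Server cert presented to VPN users (assumed name of the CSR-based cert).
        set cert "SSLVPN_Cert"
        # IdP side: copy from the Azure app's SAML page (<TENANT-ID> is a placeholder).
        set idp-entity-id "https://sts.windows.net/<TENANT-ID>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<TENANT-ID>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<TENANT-ID>/saml2"
        # The Base64 cert downloaded from Azure, imported as a remote cert (assumed name).
        set idp-cert "REMOTE_Cert_1"
        # Claim names configured in Azure: username -> user.userprincipalname,
        # group -> group claim (assumed to carry the group object ID).
        set user-name "username"
        set group-name "group"
    next
end

# Local group that only admits members of the Azure SSL-VPN-USERS group,
# matched on that group's object ID (placeholder).
config user group
    edit "SSL-VPN-USERS"
        set member "azure-sslvpn"
        config match
            edit 1
                set server-name "azure-sslvpn"
                set group-name "<SSL-VPN-USERS-OBJECT-ID>"
            next
        end
    next
end

# SSL VPN binding: port 10443, the CSR-based server cert, and the
# SAML-backed group mapped to a portal (default portal name assumed).
config vpn ssl settings
    set servercert "SSLVPN_Cert"
    set port 10443
    config authentication-rule
        edit 1
            set groups "SSL-VPN-USERS"
            set portal "full-access"
        next
    end
end
```

The firewall policy from step 3 still has to reference the SSL-VPN-USERS group as its source user group; otherwise a valid SAML login gets a tunnel but no access to the LAN.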