
Fortinet FSAE User's Manual


Contents

1. To create a firewall policy for FSAE authentication ..... 16
   Allowing guests to access FSAE policies ..... 17
   Testing the configuration ..... 17
   NTLM authentication ..... 17
   Understanding the NTLM authentication process ..... 17

Fortinet Server Authentication Extension Version 1.5 Technical Note
01-30005-0373-20071001

Using FSAE on your network

The Fortinet Server Authentication Extension (FSAE) provides seamless authentication of Microsoft Windows Active Directory users on FortiGate units. This chapter describes how to install and configure FSAE on your Microsoft Windows network, and how to configure your FortiGate unit to authenticate users using FSAE.

The following topics are included in this chapter:
• FSAE overview
• Installing FSAE on your network
• Configuring FSAE on Windows AD
• Configuring FSAE on FortiGate units
• Testing the configuration
• NTLM authentication

FSAE overview

On a Microsoft Windows network, users authenticate at logon. It would be inconvenient if us
2. [Figure 4 residue: the Available Users/Groups list shows the Active Directory groups of domain DOCTEST: Administrators, Cert Publishers, Developers, Domain Admins, Domain Computers, Domain Controllers, Domain Guests, Domain Users, Engineering.]

3. In the Name box, enter a name for the group (Developers, for example).
4. From the Type list, select Active Directory.
5. From the Protection Profile list, select the required protection profile.
6. From the Available Users list, select the required Active Directory groups. Using the CTRL or SHIFT keys, you can select multiple groups.
7. Select the green right-arrow button to move the selected groups to the Members list.
8. Select OK.

Creating firewall policies

Policies that require FSAE authentication are very similar to other firewall policies. Currently, only one authentication firewall policy can be configured if the source interface/source IP pair is the same.

To create a firewall policy for FSAE authentication
1. Go to Firewall > Policy and select Create New.
2. Enter the following information:
   Source interface and address: as required
   Destination interface and address: as required
   Schedule: as required
   Service: ANY
   Action: ACCEPT
   NAT: as needed
3. Select Authentication and then select Active Directory from the adjacent list.
4. Select the required user group from the Available Groups list and then select the right-arrow button to move the selected group to the Allowed li
3. If it is not feasible or acceptable to open TCP port 139 or 445, you can turn off FSAE logoff detection. To do this, set the collector agent Workstation verify interval to 0. FSAE then assumes that the logged-on computer remains logged on for the duration of the collector agent Dead entry timeout interval. By default, this is eight hours. For more information about both interval settings, see Timers on page 11 in the Configuring collector agent settings section.

Configuring FSAE on FortiGate units

To configure your FortiGate unit to operate with FSAE, you:
• specify the Windows AD servers that contain the FSAE collector agents
• add Active Directory user groups to new or existing FortiGate user groups
• create firewall policies for Windows AD Server groups
• optionally, specify a guest protection profile to allow guest access

Specifying your collector agents

You need to configure the FortiGate unit to access at least one FSAE collector agent. You can specify up to five Windows AD servers on which you have installed a collector agent. The FortiGate unit accesses these servers in the order that they appear in the list. If a server becomes unavailable, the unit accesses the next one in the list.

To specify collector agents
1. Go to User > Windows AD and
4. TECHNICAL NOTE
Fortinet Server Authentication Extension Version 1.5
www.fortinet.com

Fortinet Server Authentication Extension Technical Note
Version 1.5
01 October 2007
01-30005-0373-20071001

Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication, including text, examples, diagrams or illustrations, may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance
FCC Class A Part 15, CSA/CUS

Contents
Using FSAE on your network ..... 5
   FSAE overview ..... 5
   Installing FSAE on your network ..... 7
      Installin
5. to Start > Programs > Fortinet > Fortinet Server Authentication Extension > Install DC Agent.

The installer installs a DC agent on the domain controllers of all of the trusted domains in your network.

If you install the collector agent on two or more domain controllers, you can create a redundant configuration on the FortiGate unit for greater reliability. If the current collector agent fails, the FortiGate unit switches to the next one in its list of up to five collector agents.

You must install FSAE using an account that has administrator privileges. You can use the default Administrator account, but then you must re-configure FSAE each time the account password changes. Fortinet recommends that you create a dedicated account with administrator privileges and a password that does not expire.

Installing FSAE

To install FSAE, you must obtain the FortiClient Setup file from the Fortinet Support web site.

Perform the following installation procedure on the computer that will run the Collector Agent. This can be any server or domain controller that is part of your network. The procedure also installs the DC Agent on all of the domain controllers in your network.

1. Create an account with administrator privileges and a password that doesn't expire. See Microsoft Advanced Server documentation for more information.
2. Log into the account that you created in Step 1.
3. Double-click the FSAESetup.exe file. The FSAE InstallShield Wizard st
6. Extension > Configure FSAE.

[Screenshot: FSAE Collector Agent Configuration dialog, showing the Monitoring user logon events and Support NTLM authentication check boxes; the list of domain controllers monitored by this collector agent (TECHDOC-LAB, TECHDOC-AD, techdoc.fortinet.com); the Global Ignore User List, FortiGate Group Filter and Sync Configuration buttons; the Require authenticated connection from FortiGate check box and Password field (default fortinetcanada); the FortiGate and DC Agent listening ports; the Logging settings (Log level, Log file size limit, View Log); and the Authentication timers (Workstation verify interval, Dead entry timeout interval, IP address change verify interval).]

2. Enter the following information and then select Save and Close.

Monitoring user logon events: Enable to automatically authenticate users as they log on to the Windows domain.
Support NTLM authentication: Enable to facilitate logon of users who are connected to a domain that does not have the DC Agent installed.
Domain controller monitored: Select the domain controllers that you want to monitor for users logging on.
Global User Ignore List: Exclude users such as system accounts that do not authenticate to any FortiG
7. 4. Enter the following information and then select OK.

Default: Select to create the default filter. The default filter applies to any FortiGate unit that does not have a specific filter defined in the list.
FortiGate Serial Number: Enter the serial number of the FortiGate unit to which this filter applies. This field is not available if Default is selected.
Description: Enter a description of this FortiGate unit's role in your network. For example, you could list the resources accessed through this unit. This field is not available if Default is selected.
Monitor the following groups: The collector agent sends the FortiGate unit user logon information for the Windows AD user groups in this list. You edit this list using the Add, Advanced and Remove buttons.
Add: In the preceding single-line field, enter the Windows AD domain name and user group name in the format Domain\Group, and then select Add. If you don't know the exact name, use the Advanced button instead.
Advanced: Select Advanced, select the user groups from the list, and then select Add.
Remove: Remove the user groups selected in the monitor list.

Configuring TCP ports

Windows AD records when users log on but not when they log off. For best performance, FSAE monitors when users log off. To do this, FSAE needs read-only access to each client computer's registry over TCP port 139 or 445. At least one of these ports should be open and not blocked by firewall policies.
8. arts. Select Next.
   Optionally, you can change the location where FSAE is installed. Select Next.
   By default, FSAE authenticates users both by monitoring logons and by accepting authentication requests using the NTLM protocol.
   • If you want to support only NTLM authentication, disable the option to Monitor user logon events. Ensure that the option to Serve NTLM authentication requests is enabled.
   • If you do not want to support NTLM authentication, disable the option to Serve NTLM authentication requests. Ensure that the option to Monitor user logon events is enabled.
   You can also change these options after installation.
   In the Password field, enter the password for the account listed in the User Name field. This is the account you are logged into currently.
   Select Next and then select Install.
   When the FSAE InstallShield Wizard completes, ensure that Launch DC Agent Install Wizard is enabled and select Finish. The FSAE Install DC Agent wizard starts.
   Check the Collector Agent IP address. If the Collector Agent computer has multiple network interfaces, ensure that the one that is listed is on your network.
   The listed Collector Agent listening port is the default. Y
9. ate unit. See Configuring the Global Ignore List on page 11.
FortiGate Group Filter: Configure group filtering for each FortiGate unit. See Configuring FortiGate group filters on page 11.
Sync Configuration: Copy this collector agent's Global Ignore List and Group Filters to the other collector agents to synchronize the configuration. You are asked to confirm synchronization for each collector agent.
Listening ports: You can change port numbers if necessary.
   FortiGate: TCP port for FortiGate units. Default 8000.
   DC Agent: UDP port that DC Agents use. Default 8002.
Logging
   Log level: Select the minimum severity level of logged messages.
   Log file size limit: Enter the maximum size for the log file in MB.
Authentication
   Require authenticated connection from FortiGate: Select to require the FortiGate unit to authenticate before connecting to the Collector Agent.
   Password: Enter the password that FortiGate units must use to authenticate. The maximum password length is 16 characters. The default password is fortinetcanada.
Timers
   Workstation verify interval: Enter the interval in minutes at which FSAE checks whether the user is still logged in. The default is every 5 minutes. If ports 139 or 445 cannot be opened on your network, set the interval to 0 to disable the check. See Configuring TCP ports on page 13.
   Dead entry timeout interval: Enter the interval in minutes after which FSAE purges information for user logons tha
10. ect Global Ignore List.
3. Expand each domain and select the users to ignore.
4. Select Save.

Configuring FortiGate group filters

FortiGate filters control the user logon information sent to each FortiGate unit. You need to configure the list so that each FortiGate unit receives user logon information for the user groups that are named in its firewall policies.

The filter list is initially empty. You need to configure filters for your FortiGate units using the Add function. At minimum, you can create a default filter that applies to all FortiGate units that do not have a specific filter defined for them.

Note: If no filter is defined for a FortiGate unit and there is no default filter, the collector agent sends all Windows AD group and user logon events to the FortiGate unit. While this normally is not a problem, limiting the amount of data sent to the FortiGate unit improves performance by reducing the amount of memory the unit uses to store the group list.

To view the FortiGate Filter List
1. From the Start menu, select Programs > Fortinet > Fortinet Server Authentication Extension > Configure FSAE.
2. Select FortiGate Group Filter. The FortiGate Filter List opens.

[Screenshot: FortiGate Filter List dialog. Its caption reads "Specify monitoring groups of FortiGates. Users' logon/logof
11. ers then had to enter another user name and password for network access through the FortiGate unit. FSAE provides authentication information to the FortiGate unit so that users automatically get access to permitted resources.

FortiGate units control access to resources based on user groups. Through FSAE, the Windows Active Directory (AD) groups are known to the FortiGate unit and you can include them as members of FortiGate user groups.

There are two mechanisms for passing user authentication information to the FortiGate unit:
• FSAE software installed on a domain controller monitors user logons and sends the required information directly to the FortiGate unit.
• Using the NTLM protocol, the FortiGate unit requests information from the Windows network to verify user authentication. This is used where it is not possible to install FSAE on the domain controller. The user must use the Internet Explorer (IE) browser.

FSAE has two components that you must install on your network:
• The domain controller (DC) agent must be installed on every domain controller to monitor user logons and send information about them to the collector agent.
• The collector agent must be installed on at least one domain controller to send the information received from the DC agents to the FortiGate unit.
12. f activities will only be sent to the FortiGate if the users belongs to its monitored groups. If default filter is defined, it will be used when no matching FortiGate filter is found." The list has the columns FortiGate SN, Description and Monitored groups.]

FortiGate SN: The serial number of the FortiGate unit to which this filter applies.
Description: An optional description of the role of this FortiGate unit.
Monitored Groups: The Windows AD user groups that are relevant to the firewall policies on this FortiGate unit.
Add: Create a new filter. See To configure a FortiGate group filter on page 12.
Edit: Modify the filter selected in the list.
Remove: Remove the filter selected in the list.
OK: Save the filter list and exit.
Cancel: Cancel changes and exit.

To configure a FortiGate group filter
1. From the Start menu, select Programs > Fortinet > Fortinet Server Authentication Extension > Configure FSAE.
2. Select FortiGate Group Filter.
3. Select Add to create a new filter. If you want to modify an existing filter, select it in the list and then select Edit.

[Screenshot: FortiGate Group Filter dialog, with a Default filter check box, FortiGate Serial Number and Description fields, a "Monitoring the following groups" list with Add, Advanced and Remove buttons, the hint "Enter the group names, then click Add, or click Advanced to select from the directory", and OK and Cancel buttons.]
13. g FSAE ..... 7
   Configuring FSAE on Windows AD ..... 8
      Configuring Windows AD server user groups ..... 9
      Configuring collector agent settings ..... 9
         To configure the FSAE collector agent ..... 10
      Configuring the Global Ignore List ..... 11
         To configure the Global Ignore List ..... 11
      Configuring FortiGate group filters ..... 11
         To view the FortiGate Filter List ..... 12
         To configure a FortiGate group filter ..... 12
      Configuring TCP ports ..... 13
   Configuring FSAE on FortiGate units ..... 14
      Specifying your collector agents ..... 14
         To specify collector agents ..... 14
      Viewing information imported from the Windows AD server ..... 15
      Creating user groups ..... 15
         To create a user group for FSAE authentication ..... 15
      Creating firewall policies
14. [Figure 3 residue, continued: the Groups column also lists Domain Controllers, Domain Guests, Domain Users, Engineering, Enterprise Admins, Group Policy Creator Owners, Guests, Schema Admins, Users.]

Create New: Add a new Windows AD server.
Name (AD Server): The name defined for the Windows AD server.
Domain: Domain name imported from the Windows AD server.
Groups: The group names imported from the Windows AD server.
FSAE Collector IP: The IP address of the Windows AD server.
Delete icon: Delete this Windows AD server definition.
Edit icon: Edit this Windows AD server definition.
Refresh icon: Get user group information from the Windows AD server.

Creating user groups

You cannot use Active Directory groups directly in FortiGate firewall policies. You must add Active Directory groups to FortiGate user groups. An Active Directory group should belong to only one FortiGate user group. If you assign it to multiple FortiGate user groups, the FortiGate unit recognizes only the last user group assignment.

To create a user group for FSAE authentication
1. Go to User > User Group.
2. Select Create New. The New User Group dialog box opens.

Figure 4: New User Group dialog box
[Screenshot: New User Group dialog with the fields Name, Type (Active Directory), Protection Profile (unfiltered), Available Users/Groups, and Members.]
15. Figure 1: FSAE with DC agent
[Diagram: Internet, FortiGate unit, FSAE Collector on a Domain Controller, Client User, and FSAE Agent on Domain Controllers.]

In Figure 1, the Client User logs on to the Windows domain. The information is forwarded to the FSAE Collector agent by the FSAE agent on the domain controller and, if authentication is successful, the information is then sent via the collector agent to the FortiGate unit.

Figure 2: NTLM FSAE implementation
[Diagram: Internet, FortiGate unit with a connection to the FSAE Collector on a Member AD Server, Client User, and Member AD Servers.]

In Figure 2, the Client User logs on to the Windows domain. The FortiGate unit intercepts the request and requests information about the user login details. The returned values are compared to the stored values on the FortiGate unit that have been received from the domain controller.

Installing FSAE on your network

FSAE has two components that you must install on your network:
• The domain controller (DC) agent, which must be installed on every domain controller.
• The collector agent, which must be installed on at least one domain controller.

The FSAE installer first installs the collector agent. You can then continue with installation of the DC agent, or install it later by going
16. onfigure it on both Windows AD and on the FortiGate units. See the next section, Configuring FSAE on Windows AD, and Configuring FSAE on FortiGate units on page 14.

Configuring FSAE on Windows AD

On the FortiGate unit, firewall policies control access to network resources based on user groups. Each FortiGate user group is associated with one or more Windows AD user groups.

FSAE sends information about Windows user logons to FortiGate units. If there are many users on your Windows AD domains, the large amount of information might affect the performance of the FortiGate units. To avoid this problem, you can configure the FSAE collector agent to send logon information only for groups named in the FortiGate unit's firewall policies.

On each domain controller that runs a collector agent, you need to configure:
• Windows AD user groups
• collector agent settings, including the domain controllers to be monitored
• the collector agent Global Ignore list
• the collector agent FortiGate Group Filter for each FortiGate unit

The following client/server operating systems can be used:
Server: Microsoft Windows 2000, Microsoft Windows 2003 (32-bit and 64-bit)
Client: Microsoft Windows 2000 Professional, Microsoft Windows XP Professional

Configuring Windows AD server user groups

Fo
17. ou should change this only if the port is already used by some other service. Select Next.
   Check the list of trusted domains and select Next. If any of your required domains are not listed, cancel the wizard and set up the proper trust relationship with the domain controller. Then run the wizard again by going to Start > Programs > Fortinet > Fortinet Server Authentication Extension > Install DC Agent.
   Optionally, select users that you do not want the DC Agent to monitor logon status for. These users will not be able to authenticate to FortiGate units using FSAE. You can also do this later. See Configuring FSAE on Windows AD on page 8. Select Next.
   Optionally, clear the check boxes of domain controllers on which you do not want to install the FSAE DC Agent. Select Next.
   Select Yes when the wizard requests that you reboot the computer.

Note: If you reinstall the FSAE software on this computer, your FSAE configuration is replaced with default settings.

If you want to create a redundant configuration, repeat this procedure on at least one other domain controller.

Note: When you start to install a second collector agent, cancel the Install Wizard dialog when it appears the second time. From the configuration GUI, the monitored domain controller list should show your domain controllers unselected. Select the ones you wish to monitor with this collector agent and click Apply.

Before you can use FSAE, you need to c
18. oup you have configured for authentication on the FortiGate unit.
4. Try to connect to the resource that is protected by the firewall policy requiring authentication via FSAE. Your attempt to connect to the resource should fail.

NTLM authentication

In system configurations where it is not possible to install FSAE clients on all AD servers, the FortiGate unit must be able to query the AD servers to find out if a user has been properly authenticated. This is achieved using the NTLM messaging features of Active Directory and Internet Explorer.

Understanding the NTLM authentication process
1. The client user attempts to connect to an external HTTP resource (internet) and issues an unauthenticated request via the FortiGate unit.
2. The FortiGate unit is aware that this client has not authenticated previously, so it responds with a 401 Unauthenticated status code and tells the client which authentication method to come back with via the header Proxy-Authenticate: NTLM. The session is dismantled.
3. The client connects again and issues a GET request with a Proxy-Authorization: NTLM <negotiate string> header. <negotiate string> is a base64-encoded NTLM Type 1 negotiation packet.
4. The FortiGate unit replies with a 401 proxy auth required s
19. rtiGate units control access at the group level. All members of a group have the same network access as defined in FortiGate firewall policies. You can use existing Windows AD user groups for authentication to FortiGate units if you intend that all members within each group have the same network access privileges. Otherwise, you need to create new user groups for this purpose.

If you change a user's group membership, the change does not take effect until the user logs off and then logs on again.

FSAE sends only Domain Local Security Group and Global Security Group information to FortiGate units. You cannot use Distribution group types for FortiGate access. No information is sent for empty groups.

Refer to Microsoft documentation for information about creating groups.

Configuring collector agent settings

You need to configure:
• the Windows AD domain controllers to monitor
• the Windows AD users to ignore because they do not participate in firewall authentication on any FortiGate unit
• the Windows AD group information to send to each FortiGate unit

You can also alter default settings and settings you made during installation.

To configure the FSAE collector agent
1. From the Start menu, select Programs > Fortinet > Fortinet Server Authentication
20. select Create New.
2. Enter the following information and select OK.

Name: Enter a name for the Windows AD server. This name appears in the list of Windows AD servers when you create user groups.
FSAE Collector IP: Enter the following information for up to five collector agents.
   IP Address: Enter the IP address of the Windows AD server where this collector agent is installed.
   Port: Enter the TCP port used for Windows AD. This must be the same as the FortiGate listening port specified in the FSAE collector agent configuration. See Configuring FSAE on Windows AD on page 8.
   Password: Enter the password for the collector agent. This is required only if you configured your FSAE collector agent to require authenticated access. See Configuring FSAE on Windows AD on page 8.

Viewing information imported from the Windows AD server

You can view the domain and group information that the FortiGate unit receives from the AD Server. Go to User > Windows AD.

Figure 3: List of groups from Active Directory server
[Screenshot: the Windows AD list with Edit, Refresh, Delete and Create New controls. One entry is shown: Name AD Server, FSAE Collector IP 172.20.120.52:8000, Domain DOCTEST, Groups Administrators, Cert Publishers, Developers, Domain Admins, Domain Computers, D
21. st. You can select multiple groups using the CTRL or SHIFT keys.
5. Select OK.

Allowing guests to access FSAE policies

Optionally, you can allow guest users to access FSAE firewall policies. Guests are users unknown to the Windows AD network and servers that do not log on to a Windows AD domain.

To allow guest access, use the FortiGate GUI or CLI to specify a guest protection profile for your FSAE firewall policy. For example:

    config firewall policy
        edit FSAE_policy
            set fsae-guest-profile strict
        end

You can specify any existing protection profile. If you prefer, you can create a custom protection profile to assign to guest users. For more information, see the Firewall Protection Profile chapter of the FortiGate Administration Guide.

Testing the configuration

To verify that you have correctly configured FSAE on your network and on your FortiGate units
1. From a workstation on your network, log on to your domain using an account that belongs to a group that is configured for authentication on the FortiGate unit.
2. Try to connect to the resource that is protected by the firewall policy requiring authentication via FSAE. You should be able to connect to the resource without being asked for a username or password.
3. Log off and then log on using an account that does not belong to a gr
22. t it cannot verify. The default is 480 minutes (8 hours). Dead entries usually occur because the computer is unreachable (in standby mode or disconnected, for example) but the user has not logged off. You can also disable dead entry checking by setting the interval to 0.
   IP address change verify interval: FSAE periodically checks the IP addresses of logged-in users and updates the FortiGate unit when user IP addresses change. This does not apply to users authenticated through NTLM. Enter the verification interval in seconds. IP address verification prevents users from being locked out if they change IP addresses. You can enter 0 to disable the IP address check if you use static IP addresses.
Save & Close: Save the modified settings and exit.
Apply: Apply changes now.
Default: Change all settings to the default values.
Help: View the online Help.

Note: To view the version and build number information for your FSAE configuration, click the Fortinet icon in the upper left corner of the Fortinet Collector Agent Configuration screen and select About FSAE configuration.

Configuring the Global Ignore List

The Global Ignore List excludes users such as system accounts that do not authenticate to any FortiGate unit. The logons of these users are not reported to FortiGate units.

To configure the Global Ignore List
1. From the Start menu, select Programs > Fortinet > Fortinet Server Authentication Extension > Configure FSAE.
2. Sel
23. tatus code and a Proxy-Authenticate: NTLM <challenge string> header, where <challenge string> is a base64-encoded NTLM Type 2 challenge packet. In this packet is the challenge nonce, a random number chosen for this negotiation that is used once and prevents replay attacks.

Note: It is vital that the TCP connection is kept alive, as all subsequent authentication-related information is tied to the TCP connection. If it is dropped, the authentication process must start again from the beginning.

5. The client sends a new GET request with a header Proxy-Authenticate: NTLM <authenticate string>, where <authenticate string> is an NTLM Type 3 Authentication packet that contains:
   • the user name and domain
   • the challenge nonce encoded with the client password (it may contain the challenge nonce twice, using different algorithms)
6. The FortiGate unit checks with the FSAE client over port 8000 to see if the authentication hash matches the one on the domain controller. The FortiGate unit will either deny the authentication via a 401 return code and prompt for a username and password, or return an OK response and the Windows group name(s) for the client. Unless the TCP connection is broken, no further credentials are sent from the client to the proxy.
7. The FortiGate unit uses the group name(s) to match a protection profile for the client and establishes a temporary firewall policy that allows future traffic to pass through the FortiGate unit.

Note: If the authentication polic
24. y reaches the authentication timeout period, a new NTLM handshake occurs.

www.fortinet.com
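To make the per-connection nature of the handshake above concrete, here is an added Python model of the exchange as seen from the FortiGate side (example code, not from the technical note or from Fortinet). It assumes a hypothetical user DOCTEST\alice and group-to-profile mapping, stands simple base64 strings in for the NTLM Type 1/2/3 packets, replaces the real NTLM response algorithms with HMAC-SHA256, and models the FSAE collector lookup over port 8000 as a constructed in-memory table.

```python
# Added example: simplified model of the NTLM proxy handshake described above.
# NTLM Type 1/2/3 packets are stand-ins (base64 of short strings) and the
# "nonce encoded with the client password" step uses HMAC-SHA256, not real NTLM.
import base64
import hashlib
import hmac
import os

# Constructed stand-in for what the FSAE collector agent returns over TCP 8000:
# per-user password hash and Windows group names. Hypothetical user, not from the page.
DIRECTORY = {
    "DOCTEST\\alice": {
        "pw_hash": hashlib.sha256(b"alice-secret").digest(),
        "groups": ["DOCTEST\\Developers", "DOCTEST\\Domain Users"],
    },
}
# Hypothetical mapping from monitored Windows AD groups to protection profiles.
GROUP_PROFILE = {"DOCTEST\\Developers": "strict"}


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def unb64(s: str) -> str:
    return base64.b64decode(s).decode()


def client_response(pw_hash: bytes, nonce: bytes) -> str:
    """Stand-in for the Type 3 response: the challenge nonce keyed by the password hash."""
    return hmac.new(pw_hash, nonce, hashlib.sha256).hexdigest()


class FortiGateProxy:
    """Tracks NTLM state per TCP connection and temporary policies per client IP."""

    def __init__(self, auth_timeout: int = 5):
        self.auth_timeout = auth_timeout   # authentication timeout, simulated seconds
        self.conn_state = {}               # conn_id -> pending challenge nonce
        self.policies = {}                 # client_ip -> (profile, expires_at)
        self.now = 0                       # simulated clock

    def tick(self, seconds: int):
        self.now += seconds

    def connection_closed(self, conn_id: str):
        # Per the Note above: a dropped TCP connection discards the in-progress handshake.
        self.conn_state.pop(conn_id, None)

    def handle(self, conn_id: str, client_ip: str, headers: dict) -> dict:
        policy = self.policies.get(client_ip)
        if policy and policy[1] > self.now:
            return {"status": 200, "profile": policy[0]}   # temporary policy still valid
        auth = headers.get("Proxy-Authorization", "")
        if not auth.startswith("NTLM "):
            # Step 2: unauthenticated request; page uses 401 where RFC proxies use 407.
            return {"status": 401, "Proxy-Authenticate": "NTLM"}
        msg = unb64(auth[5:])
        if msg.startswith("TYPE1"):
            # Step 4: Type 2 challenge with a fresh nonce, tied to this connection only.
            nonce = os.urandom(8)
            self.conn_state[conn_id] = nonce
            return {"status": 401, "Proxy-Authenticate": "NTLM " + b64("TYPE2:" + nonce.hex())}
        if msg.startswith("TYPE3"):
            nonce = self.conn_state.pop(conn_id, None)     # nonce is used once
            if nonce is None:
                return {"status": 401, "Proxy-Authenticate": "NTLM"}   # no challenge on this conn
            _, user, response = msg.split(":", 2)
            # Step 6: compare against the hash held by the collector agent.
            rec = DIRECTORY.get(user)
            if rec and hmac.compare_digest(response, client_response(rec["pw_hash"], nonce)):
                profile = next((GROUP_PROFILE[g] for g in rec["groups"] if g in GROUP_PROFILE), "unfiltered")
                # Step 7: temporary policy for this client until the authentication timeout.
                self.policies[client_ip] = (profile, self.now + self.auth_timeout)
                return {"status": 200, "groups": rec["groups"], "profile": profile}
            return {"status": 401, "Proxy-Authenticate": "NTLM"}
        return {"status": 400}


def run_handshake(proxy: FortiGateProxy, conn_id: str, client_ip: str, user: str, password: str) -> dict:
    """Plays the client side of steps 1 to 6 and returns the proxy's final reply."""
    r = proxy.handle(conn_id, client_ip, {})                     # step 1: unauthenticated request
    if r["status"] == 200:
        return r                                                  # temporary policy already applies
    proxy.connection_closed(conn_id)                              # step 2: session dismantled
    r = proxy.handle(conn_id, client_ip, {"Proxy-Authorization": "NTLM " + b64("TYPE1")})  # step 3
    nonce = bytes.fromhex(unb64(r["Proxy-Authenticate"][5:]).split(":", 1)[1])            # step 4
    pw_hash = hashlib.sha256(password.encode()).digest()
    type3 = f"TYPE3:{user}:{client_response(pw_hash, nonce)}"                              # step 5
    return proxy.handle(conn_id, client_ip, {"Proxy-Authorization": "NTLM " + b64(type3)})
```

The model shows why the Note matters: a Type 3 message arriving on a connection that never received its Type 2 challenge is rejected, and once the temporary policy expires the client is challenged again.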
