SSLVPN over LDAPS with self-signed Certificate on Windows Server


Many customers have asked me to deploy an SSLVPN-based environment not only to let users connect to the office network, but also as a tool for changing their domain passwords. Usually they don't already have a CA deployed, so we will use self-signed certificates on the Domain Controllers.

1) Active Directory
2) Fortigate

First of all, we have to generate a self-signed certificate on each Domain Controller we want to use for authentication, by running the following commands.

# Certificate valid for 20 years from today
$20years = (Get-Date).AddYears(20)
# <Server Name> must be the DC's FQDN, exactly as the FortiGate will address it
New-SelfSignedCertificate -DnsName <Server Name> -NotAfter $20years -CertStoreLocation cert:\LocalMachine\My

After that we have to open certlm.msc (the Local Computer certificate console).

Under Personal -> Certificates you'll see the previously generated certificate.

You have to copy and paste it under Trusted Root Certification Authorities.
After that you can check that your Domain Controller is listening on port 636 (LDAPS).
A useful tool is ldp.exe, located in C:\Windows\System32.
Click on Connection -> Connect

Insert the FQDN of the Domain Controller on which you want to test the connection.

Remember to select Port 636 and SSL.
You should obtain something like the following:

You can even try a bind.

And you'll get something like the following:

Now your Domain Controller is ready to accept LDAPS connections.
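If you prefer to repeat the ldp.exe check from a script (for example on every DC after a certificate renewal), the following PowerShell does the same two things: it opens a TLS session to port 636 and reports which certificate the DC actually presents, then performs a simple bind over LDAPS. This is an added example and not part of the original post; it assumes $DcFqdn is the name you passed to -DnsName above, $Credential is any domain account allowed to bind (given as DOMAIN\user or a UPN), and optionally the thumbprint printed by New-SelfSignedCertificate. The thumbprint comparison matters because the DC picks its LDAPS certificate from the store on its own: if more than one eligible certificate is present it may not pick the one you just created.

```powershell
# Added example (not from the original post): scripted version of the ldp.exe test.
param(
    [Parameter(Mandatory)][string]$DcFqdn,               # assumption: FQDN used in -DnsName
    [Parameter(Mandatory)][pscredential]$Credential,     # assumption: DOMAIN\user or UPN
    [string]$ExpectedThumbprint                          # optional: from New-SelfSignedCertificate
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

# --- 1. TLS handshake: which certificate does the DC present on 636? ---
$client = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
# Accept any certificate during the handshake so a self-signed one does not abort it;
# the explicit checks below do the real validation.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($DcFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $client.Dispose()
}

$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    SelfSigned = ($cert.Subject -eq $cert.Issuer)
    DnsNames   = ($dnsNames -join ',')
} | Format-List

if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate presented by $DcFqdn is expired" }
if ($dnsNames -notcontains $DcFqdn) {
    throw "Certificate does not carry $DcFqdn as a DNS name; the FortiGate will not be able to match it"
}
if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
    throw "DC presented $($cert.Thumbprint), expected $ExpectedThumbprint (another certificate in the store was selected)"
}

# --- 2. Simple bind over LDAPS, the same thing ldp.exe does with 'SSL' + 'Bind' ---
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcFqdn, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
# Pin the bind to the certificate inspected in step 1 instead of trusting whatever is presented.
$pinned = $cert.Thumbprint
$verify = {
    param($connection, $serverCert)
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($serverCert)).Thumbprint -eq $pinned
}.GetNewClosure()
$conn.SessionOptions.VerifyServerCertificate = [System.DirectoryServices.Protocols.VerifyServerCertificateCallback]$verify
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $Credential.GetNetworkCredential()
try {
    $conn.Bind()   # throws LdapException on bad credentials or a failed TLS check
    "Simple bind over LDAPS to $DcFqdn as $($Credential.UserName) succeeded"
} finally {
    $conn.Dispose()
}
```

Run it as `.\Test-Ldaps.ps1 -DcFqdn dc01.example.local -Credential (Get-Credential)`; a thrown error at step 1 means the certificate side is wrong, an LdapException at step 2 means the DC accepted TLS but rejected the bind, which is the same split you would diagnose by hand in ldp.exe.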

The next step is to configure the FortiGate to use LDAPS.
Log in to your appliance and go to User & Device -> LDAP Servers.

In the Username field you have to input a user with Domain Admins permissions.
Click on Test Connectivity; if everything is configured correctly you get a Successful message.
Be careful about the Common Name Identifier you are using. If you use CN, as in the example, users have to log in with the SSLVPN client using their Common Name; if you want them to log in with their username you have to use sAMAccountName.
On the FortiGate we now have to define a group associated with the Active Directory server that has been defined.
Go to User & Device -> User Groups -> Create New

In this document we won't cover the SSLVPN configuration and policy, but you can follow this Fortinet KB:

Last but not least, connect over SSH to the FortiGate unit and run these commands.

config user ldap
    edit server-name
        set password-expiry-warning {disable | enable}
        set password-renewal {disable | enable}
    next
end

The last step is to verify that it works.
Below is a useful PowerShell script to expire a user's password immediately.

#Bind to user object in AD.
$User = [ADSI]"LDAP://CN=test,OU=Cons,OU=User,OU=Eng,DC=test,DC=it"
#Expire password immediately (0 = must change password at next logon).
$User.pwdLastSet = 0
#Save change in AD.
$User.SetInfo()
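To make the test repeatable, the following added script (not part of the original post) expires the password of a test account, reads back what AD now reports, and can undo the change afterwards with -Restore. It assumes the ActiveDirectory RSAT module is installed and that 'test' is a placeholder for a test account you are allowed to modify; the PasswordNeverExpires flag is shown in the output because, when set, the account will never be prompted for renewal regardless of pwdLastSet.

```powershell
# Added example (not from the original post): expire a test user's password and verify it.
param(
    [string]$SamAccountName = 'test',   # placeholder; replace with your test account
    [switch]$Restore                    # undo the expiry after the test
)
Import-Module ActiveDirectory

# Resolve the DN from sAMAccountName so the script does not hard-code an OU path
$adUser = Get-ADUser -Identity $SamAccountName
$adsi   = [ADSI]"LDAP://$($adUser.DistinguishedName)"

if ($Restore) {
    # -1 makes AD stamp pwdLastSet with the current time ("password set now")
    $adsi.pwdLastSet = -1
} else {
    # 0 = must change password at next logon; with password-renewal enabled on the
    # FortiGate the SSLVPN client prompts for a new password at the next login
    $adsi.pwdLastSet = 0
}
$adsi.SetInfo()

# Read back what AD reports so the outcome is explicit rather than assumed
Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordExpired, PasswordNeverExpires |
    Select-Object SamAccountName,
        @{ n = 'pwdLastSet'; e = {
            if ($_.pwdLastSet -eq 0) { 'expired (0)' } else { [DateTime]::FromFileTime($_.pwdLastSet) } } },
        PasswordExpired,
        PasswordNeverExpires
```

After running it without -Restore, PasswordExpired should read True and the next SSLVPN login with that account should trigger the renewal dialog; run it again with -Restore once the test is done.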

Check it out!