Fortinet FSAE manual Testing the configuration, Ntlm authentication

Page 17

Using FSAE on your network

Allowing guests to access FSAE policies

Optionally, you can allow guest users to access FSAE firewall policies. Guests are users unknown to the Windows AD network and servers that do not log on to a Windows AD domain. To allow guest access, use the FortiGate GUI or CLI to specify a guest protection profile for your FSAE firewall policy. For example:

config firewall policy
    edit FSAE_policy
        set fsae-guest-profile strict
end

You can specify any existing protection profile. If you prefer, you can create a custom protection profile to assign to guest users. For more information, see the Firewall Protection Profile chapter of the FortiGate Administration Guide.

Testing the configuration

To verify that you have correctly configured FSAE on your network and on your FortiGate units:

1. From a workstation on your network, log on to your domain using an account that belongs to a group that is configured for authentication on the FortiGate unit.

2. Try to connect to the resource that is protected by the firewall policy requiring authentication via FSAE.

   You should be able to connect to the resource without being asked for a username or password.

3. Log off and then log on using an account that does not belong to a group you have configured for authentication on the FortiGate unit.

4. Try to connect to the resource that is protected by the firewall policy requiring authentication via FSAE.

   Your attempt to connect to the resource should fail.

NTLM authentication

In system configurations where it is not possible to install FSAE clients on all AD servers, the FortiGate unit must be able to query the AD servers to find out if a user has been properly authenticated. This is achieved using the NTLM messaging features of Active Directory and Internet Explorer.

Understanding the NTLM authentication process

1. The client (user) attempts to connect to an external HTTP resource (internet) and issues an unauthenticated request via the FortiGate unit.

2. The FortiGate unit is aware that this client has not authenticated previously, so it responds with a 401 Unauthenticated status code and tells the client which authentication method to come back with via the header Proxy-Authenticate: NTLM. The session is dismantled.
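An added check for step 2, not code from the Fortinet note: it parses a raw HTTP response and reports whether it is the challenge the note describes (401 status, NTLM offered in a Proxy-Authenticate header, session closed). The sample response bytes and the use of a Connection: close header to represent the dismantled session are constructed assumptions, not captured FortiGate output.

```python
"""Verify that a raw HTTP response is the NTLM challenge described for
step 2 of the NTLM authentication process: 401 status, NTLM offered via
Proxy-Authenticate, and the session closed afterwards."""
import re

# Constructed sample of the expected challenge (assumed wire form, not a
# capture from a FortiGate unit).
SAMPLE_CHALLENGE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, header map).
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers


def is_ntlm_challenge(raw: bytes) -> bool:
    """True when the response matches the documented reply to an
    unauthenticated client: 401, NTLM scheme offered, connection closed."""
    status, headers = parse_response(raw)
    # First token of each Proxy-Authenticate value is the scheme name.
    schemes = [v.split()[0].upper()
               for v in headers.get("proxy-authenticate", []) if v]
    closes = any(v.lower() == "close"
                 for v in headers.get("connection", [])
                 + headers.get("proxy-connection", []))
    return status == 401 and "NTLM" in schemes and closes
```

Run it against a response captured while performing the connection test in "Testing the configuration" to confirm the FortiGate unit challenges unauthenticated clients as described.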

Fortinet Server Authentication Extension Version 1.5 Technical Note

01-30005-0373-20071001