Using FSAE on your network Testing the configuration
Fortinet Server Authentication Extension Version 1.5 Technical Note
01-30005-0373-20071001 17

Allowing guests to access FSAE policies

Optionally, you can allow guest users to access FSAE firewall policies. Guests are
users unknown to the Windows AD network and servers that do not log on to a
Windows AD domain. To allow guest access, use the FortiGate GUI or CLI to
specify a guest protection profile for your FSAE firewall policy. For example:
    config firewall policy
        edit FSAE_policy
            set fsae-guest-profile strict
    end
You can specify any existing protection profile. If you prefer, you can create a
custom protection profile to assign to guest users. For more information, see the
Firewall Protection Profile chapter of the FortiGate Administration Guide.
Testing the configuration
To verify that you have correctly configured FSAE on your network and on your
FortiGate units:
1. From a workstation on your network, log on to your domain using an account that
   belongs to a group that is configured for authentication on the FortiGate unit.
2. Try to connect to the resource that is protected by the firewall policy requiring
   authentication via FSAE.
   You should be able to connect to the resource without being asked for a username
   or password.
3. Log off and then log on using an account that does not belong to a group you
   have configured for authentication on the FortiGate unit.
4. Try to connect to the resource that is protected by the firewall policy requiring
   authentication via FSAE.
   Your attempt to connect to the resource should fail.
NTLM authentication
In system configurations where it is not possible to install FSAE clients on all AD
servers, the FortiGate unit must be able to query the AD servers to find out if a
user has been properly authenticated. This is achieved using the NTLM
messaging features of Active Directory and Internet Explorer.
Understanding the NTLM authentication process
1. The client (user) attempts to connect to an external HTTP resource (internet) and
   issues an unauthenticated request via the FortiGate unit.
2. The FortiGate unit is aware that this client has not authenticated previously, so it
   responds with a 401 Unauthenticated status code and tells the client which
   authentication method to come back with via the header
   Proxy-Authenticate: NTLM. The session is dismantled.
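The following Python model, added here as an illustration and not Fortinet code, ties together the three behaviours this page describes: the FSAE logon table that maps a workstation address to a domain user and group memberships, the optional guest protection profile for users the AD network does not know, and the NTLM fallback challenge for a client with no logon record. The policy, group and IP values are constructed sample data, and the order in which an unknown client is offered the NTLM challenge before the guest profile is an assumption of this model, not something the technical note specifies.

```python
"""Toy model of an FSAE-protected firewall policy decision (added example,
not Fortinet's implementation).  Sample users, groups and addresses are
constructed for illustration."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    name: str
    allowed_groups: Set[str]                 # AD groups the policy admits
    guest_profile: Optional[str] = None      # e.g. "strict"; None = no guest access
    ntlm_fallback: bool = False              # challenge unknown clients with NTLM


@dataclass
class FSAELogonTable:
    """ip -> (user, groups).  In a real deployment the FSAE collector agent
    fills this from domain logon events; here it is filled by hand."""
    entries: Dict[str, Tuple[str, Set[str]]] = field(default_factory=dict)

    def logon(self, ip: str, user: str, groups: List[str]) -> None:
        self.entries[ip] = (user, set(groups))

    def logoff(self, ip: str) -> None:
        self.entries.pop(ip, None)

    def lookup(self, ip: str) -> Optional[Tuple[str, Set[str]]]:
        return self.entries.get(ip)


# Response the model sends when it must ask the client to authenticate
# (status code and header as given on this page; the session is then closed).
NTLM_CHALLENGE = "HTTP/1.1 401 Unauthorized\r\nProxy-Authenticate: NTLM\r\nConnection: close\r\n\r\n"


def decide(policy: Policy, table: FSAELogonTable, client_ip: str) -> Tuple[str, str]:
    """Return (verdict, detail) for one client request against one policy.

    verdict is one of "allow", "deny", "challenge" or "guest"."""
    record = table.lookup(client_ip)
    if record is not None:
        user, groups = record
        matched = groups & policy.allowed_groups
        if matched:
            return "allow", f"{user} is in {sorted(matched)}"
        return "deny", f"{user} is not in {sorted(policy.allowed_groups)}"
    # No FSAE logon record for this address: assumed order is NTLM first,
    # then the guest profile, then deny.
    if policy.ntlm_fallback:
        return "challenge", NTLM_CHALLENGE
    if policy.guest_profile:
        return "guest", f"apply protection profile {policy.guest_profile!r}"
    return "deny", "unknown client; no guest profile and no NTLM fallback"


def run_test_procedure(policy: Policy) -> List[str]:
    """Replay the four-step check from 'Testing the configuration' and
    return the verdict seen at steps 2 and 4 (expected: allow, then deny)."""
    table = FSAELogonTable()
    workstation = "10.0.0.5"                                   # constructed
    table.logon(workstation, "alice", ["Engineering"])         # step 1
    step2 = decide(policy, table, workstation)[0]              # step 2
    table.logoff(workstation)                                  # step 3
    table.logon(workstation, "bob", ["Visitors"])
    step4 = decide(policy, table, workstation)[0]              # step 4
    return [step2, step4]


if __name__ == "__main__":
    fsae_policy = Policy("FSAE_policy", {"Engineering"},
                         guest_profile="strict", ntlm_fallback=True)
    print("test procedure:", run_test_procedure(fsae_policy))
    print("unknown client:", decide(fsae_policy, FSAELogonTable(), "10.0.0.9"))
```

Running the module prints the allow/deny pair the manual procedure should produce, followed by the NTLM challenge an unknown client receives when the fallback is enabled; turning `ntlm_fallback` off and leaving `guest_profile` set shows the guest path instead.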