Using FSAE on your network

Allowing guests to access FSAE policies

Optionally, you can allow guest users to access FSAE firewall policies. Guests are users unknown to the Windows AD network and servers that do not log on to a Windows AD domain. To allow guest access, use the FortiGate GUI or CLI to specify a guest protection profile for your FSAE firewall policy. For example:

config firewall policy
    edit FSAE_policy
        set fsae-guest-profile strict
end

You can specify any existing protection profile. If you prefer, you can create a custom protection profile to assign to guest users. For more information, see the Firewall Protection Profile chapter of the FortiGate Administration Guide.

Testing the configuration

To verify that you have correctly configured FSAE on your network and on your FortiGate units:

1. From a workstation on your network, log on to your domain using an account that belongs to a group that is configured for authentication on the FortiGate unit.

2. Try to connect to the resource that is protected by the firewall policy requiring authentication via FSAE.

   You should be able to connect to the resource without being asked for a username or password.

3. Log off and then log on using an account that does not belong to a group you have configured for authentication on the FortiGate unit.

4. Try to connect to the resource that is protected by the firewall policy requiring authentication via FSAE.

   Your attempt to connect to the resource should fail.
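The two passages above (guest access and the four-step test) describe one policy decision: a logged-on member of a configured group is allowed through, a domain user outside those groups is refused, and a source with no domain logon at all is only admitted when a guest protection profile is set. The following Python model of that decision is an added example, not Fortinet code or FortiOS behaviour in detail; the class, field and function names, the group names and the profile names are all assumptions constructed for illustration, and it is useful mainly as a checklist of the outcomes the test procedure expects.

```python
# Added example (not Fortinet code): a model of how an FSAE firewall policy
# resolves a connection to a protection profile, following the outcomes the
# manual's test procedure expects. All names below are assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FsaePolicy:
    """Hypothetical model of one FSAE firewall policy."""
    name: str
    # AD groups configured for authentication on this policy (constructed names).
    allowed_groups: set[str] = field(default_factory=set)
    # Protection profile applied to members of allowed_groups.
    profile: str = "standard"
    # Profile for sources with no domain logon, i.e. the value given to
    # 'set fsae-guest-profile'. None means guests are not allowed.
    guest_profile: Optional[str] = None


def resolve_profile(policy: FsaePolicy, user_groups: Optional[set[str]]) -> Optional[str]:
    """Return the protection profile to apply, or None to refuse the connection.

    user_groups is the set of AD groups reported for the logged-on user behind
    the source IP, or None when FSAE knows of no domain logon there (a guest).
    """
    if user_groups is None:
        # Unknown to AD: only admitted when a guest profile is configured.
        return policy.guest_profile
    if user_groups & policy.allowed_groups:
        return policy.profile
    # Domain user, but in none of the groups configured on this policy: refuse.
    return None


def run_checks(policy: FsaePolicy) -> dict[str, Optional[str]]:
    """Replay the manual's test steps against the model with constructed accounts."""
    return {
        # Steps 1-2: member of a configured group, no prompt expected.
        "member_of_configured_group": resolve_profile(policy, {"Domain Users", "Engineering"}),
        # Steps 3-4: domain account outside the configured groups, expected to fail.
        "domain_user_outside_groups": resolve_profile(policy, {"Domain Users"}),
        # Guest case from the previous section: no domain logon at all.
        "guest_no_domain_logon": resolve_profile(policy, None),
    }


# Constructed policy: only 'Engineering' is configured, guests not allowed.
EXAMPLE_POLICY = FsaePolicy(name="FSAE_policy", allowed_groups={"Engineering"})

# Same policy with the guest profile from the manual's CLI example applied.
GUEST_POLICY = FsaePolicy(name="FSAE_policy", allowed_groups={"Engineering"},
                          guest_profile="strict")

if __name__ == "__main__":
    for label, result in run_checks(EXAMPLE_POLICY).items():
        print(f"{label}: {'allowed with ' + result if result else 'refused'}")
    print("guest with guest profile:", resolve_profile(GUEST_POLICY, None))
```

Note that a domain account outside the configured groups is not a guest: it still fails step 4 even when a guest profile is set, because the guest profile only covers sources with no domain logon.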

NTLM authentication

In system configurations where it is not possible to install FSAE clients on all AD servers, the FortiGate unit must be able to query the AD servers to find out if a user has been properly authenticated. This is achieved using the NTLM messaging features of Active Directory and Internet Explorer.

Understanding the NTLM authentication process

1. The client (user) attempts to connect to an external HTTP resource (Internet) and issues an unauthenticated request via the FortiGate unit.

2. The FortiGate unit is aware that this client has not authenticated previously, so it responds with a 401 Unauthenticated status code and tells the client which authentication method to come back with via the header Proxy-Authenticate: NTLM. The session is dismantled.
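The two steps above are the opening of the exchange, and the page describes no further steps, so the added Python example below covers only those two: the client's unauthenticated request and the FortiGate's challenge, both constructed inline as the manual describes them (the status code and the Proxy-Authenticate header come from the text; the host, user agent and remaining headers are assumptions). It is not Fortinet code; the parser shows what a client, or an administrator checking a packet capture, must read out of the challenge to confirm the FortiGate is asking for NTLM, and the Connection: close header stands in for "the session is dismantled".

```python
# Added example (not Fortinet code): steps 1 and 2 of the NTLM exchange as
# constructed HTTP messages, plus a small parser for the FortiGate challenge.
# Only the status code 401 and the Proxy-Authenticate: NTLM header are taken
# from the manual; everything else in the messages is an assumption.

# Step 1: the client's unauthenticated request sent via the FortiGate unit.
CLIENT_REQUEST = (
    b"GET http://www.example.com/ HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
    b"\r\n"
)

# Step 2: the FortiGate's challenge. The reason phrase is free text; the
# status code and the auth header are what the client acts on.
FORTIGATE_CHALLENGE = (
    b"HTTP/1.1 401 Unauthenticated\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Connection: close\r\n"       # session dismantled after the challenge
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def _split_head(message: bytes) -> list[str]:
    """Return the start line and header lines of an HTTP message (body ignored)."""
    head = message.split(b"\r\n\r\n", 1)[0]
    return head.decode("iso-8859-1").split("\r\n")


def is_unauthenticated_request(request: bytes) -> bool:
    """Step 1 check: the request carries no credential header at all."""
    names = {line.split(":", 1)[0].strip().lower()
             for line in _split_head(request)[1:] if ":" in line}
    return not ({"authorization", "proxy-authorization"} & names)


def parse_status(response: bytes) -> tuple[int, str, dict[str, str]]:
    """Parse a response into (status code, reason phrase, lower-cased headers)."""
    lines = _split_head(response)
    _version, code, *reason = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(code), " ".join(reason), headers


def offered_schemes(headers: dict[str, str]) -> list[str]:
    """Authentication schemes the challenge offers, in header order."""
    schemes = []
    for name in ("proxy-authenticate", "www-authenticate"):
        if name in headers:
            for part in headers[name].split(","):
                # A scheme may carry parameters ("NTLM <token>"); keep the name only.
                schemes.append(part.strip().split(" ", 1)[0])
    return schemes


def needs_ntlm_retry(response: bytes) -> bool:
    """Step 2 check: the FortiGate refused the request and asked for NTLM."""
    code, _reason, headers = parse_status(response)
    return code in (401, 407) and "NTLM" in offered_schemes(headers)


if __name__ == "__main__":
    print("step 1 unauthenticated:", is_unauthenticated_request(CLIENT_REQUEST))
    code, reason, headers = parse_status(FORTIGATE_CHALLENGE)
    print("step 2 status:", code, reason, "schemes:", offered_schemes(headers))
    print("client must come back with NTLM:", needs_ntlm_retry(FORTIGATE_CHALLENGE))
```

The parser accepts either 401 or 407 in needs_ntlm_retry, since a proxy-style challenge may carry either code depending on how the FortiGate is deployed; the manual's description uses 401, and the constructed challenge follows it.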

Fortinet Server Authentication Extension Version 1.5 Technical Note


01-30005-0373-20071001
