Great vid. Question for authentication, do you have to use the authentication app or is there a way to setup user's to use calling or text as an option as well?
Yes - that's up to you how you set that in Entra (Azure AD).
Great tutorial Matt !! Saved me a lot of headaches !
Thanks for watching! Glad I could help.
Awesome video, really helped out a lot. thank you!
Glad it was helpful, thank you for watching!
@@mattsherif9141 I have a question, maybe you can help answer. I'd like to provide a subset of users with a unique SSL-VPN portal. I assume that I need a way to identify the Azure groups so that I can match them to a local user group, and set the SSL VPN portal mappings. I just don't know how to get the Azure group name over to the FW so I can do the local group match on the Fortigate.
Any help would be appreciated.
@@runninl8 yes - you'll need to create an assertion on the Azure side that sends the groups the user is a member of, and then filter based on group on the FortiGate.
Great video! We were getting token codes before, but since the implementation of 2MFA, when I connected with FortiClient for the first time it asked me for approval on MS Authenticator, but every time after that it connects to Forti without any kind of approval because I am selecting the check box "do not ask me for 30 days", unless I clear cookies from CMD. Though the script we have requires it to clear cookies automatically on every disconnect, this has not helped me with my user name specifically. Any ideas on that?
Great tutorial! Can we enable the MFA to be triggered every time the user disconnects and connects again to the client VPN?
Thanks for watching, that’s a setting you’ll have to manage in Azure AD if it’s at all available. All the FortiGate is doing is saying “go to Azure AD, authenticate, if you’re good they’ll let me know and I’ll let you in”, so the FortiGate cannot dictate MFA; in this case your SAML IdP will.
In: set single-sign-on-url I needed to set the value without "/saml/". Meaning FQDN/remote/login. The one with saml was redirecting to a non-existing page.
Hello! Great video. I have a question: if you have multiple VPN connections, is it necessary to create a separate enterprise application for each IP address? Also, should I upload a different certificate for each one, depending on the VPN that the client chooses to connect with?
This is where DNS is going to be your friend. If you have some sort of service like AWS Route 53 or Azure DNS that points vpn.mydomain.local (fictional - .local isn't a usable TLD), you could have them monitor both IPs and either load balance or assign primary and secondary. In this case you could just use the DNS record as the base URL. So if one of your links goes down, your DNS service detects it and just "resolves" all new queries to the valid IP.
Super video! Would this configuration clash with an existing SSLVPN configuration on the FGT (which does not use SAML, but traditional RADIUS auth)?
It might if you use the same authentication realm. If you want to use RADIUS alongside SAML, I would advise you set up a new realm for SAML. www.ultraviolet.network/post/ssl-vpn-realms
@@mattsherif9141 Thank you. I just tested it and indeed the realm is needed for separating SAML from RADIUS authenticated clients.
@@flaviob829 When you used a separate realm for SAML clients, did you have to adjust your identifier/reply/sign-on URLs in Azure to include the new realm in the URL?
@@justatemp2000 No, nothing needed to be changed on the Azure side.
Awesome video! Thank you!
Does the FortiClient pass the "Azure AD Join" or "Azure AD Hybrid-Join" status through to Azure AD? If the machine is joined, you would be able to see this in the Azure AD Sign-in logs.
If it does, I'm curious if we can require only "Hybrid-join" instead of (or in addition to) MFA.
No idea at all.
Great video, thank you very much. I am running version 6.2; will this solution work for me?
For the domain name sso.xxxxx, do you set any DNS record in advance?
Thanks for video, can we call azure user groups to fortigate, to create group based policy?
Thanks for the video. I had this working a few months ago using this doc docs.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial and then it stopped working. It was not in production, so I left it aside till now. I saw that the idp-single-logout-url was changed on the Azure app. It used to be login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 and now it is the same as the idp-single-sign-on-url. One question: is there a way to push the logon credentials to the SAML Sign On and require only the MFA to grant access?
Thanks for the video. Can this be used to send back different user groups from Azure AD that can then be used in policies or to assign different VPN portals depending on AD group membership?
I suppose you could, not sure what overlapping access could look like though. As long as your SAML IdP can pass back the "group-name" field, you should be fine.
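One way to wire up the group-based portal mapping asked about above (and the separate SAML realm discussed earlier in the thread), as an added example that is not from the video or this thread; the object names, FQDN, tenant ID, group object ID and portal name are placeholders, and FortiOS 6.4+ CLI is assumed:

```fortios
# Added example, not the video's own config. Placeholders in <angle brackets>.
# Azure must be configured to emit a group claim; by default it carries the
# group's object ID, not its display name, so the match below uses the ID.
config user saml
    edit "azure-saml"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com/remote/saml/login"
        set single-logout-url "https://vpn.example.com/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        # name of the SAML attribute that carries group membership
        set group-name "group"
    next
end

# Local group that only matches SAML users whose "group" attribute
# contains this Azure group; users outside it get no portal from rule 1.
config user group
    edit "saml-vpn-finance"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "<azure-group-object-id>"
            next
        end
    next
end

# Separate realm so SAML and RADIUS clients do not share one login path.
config vpn ssl web realm
    edit "saml"
    next
end

# Bind the group to its own (pre-existing) portal inside that realm.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "saml-vpn-finance"
            set portal "<finance-portal>"
            set realm "saml"
        next
    end
end
```

Users then connect to https://vpn.example.com/saml/ (the realm path); a second authentication-rule without the realm can keep the existing RADIUS group on the default portal.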
Incredible video, mate! Hope you're doing well. I was able to follow the guide without any big issues. Completed the tutorial and I'm able to get the Fortinet login page, but the authenticator doesn't prompt. Any advice would be super appreciated! Thanks again, Matt.
I'm kinda getting the same error.
@@abubruno I called Fortigate and they were able to fix me up. Turns out my reply url was incorrect.
how do I point to the sso address in dns and point to the ssl-vpn portal
Can you please clarify the question? I am not sure I follow.
Great work! I got an issue: when I click SAML in the FortiClient VPN, it redirects to an HTTP invalid request page, then goes to the FortiGate username login page. Any idea why I got this issue? Thanks in advance.
Did you fix this? I have the same problem.
@@AnandNarine Same here...
Hey man, I managed to configure until the point that it asks for the 365 account and connects straight to VPN, but it doesn't require the 2FA. Could you please help with some tips? I would really appreciate it. I have a FortiGate 100E.
The Azure configs were done by the HO Manager in another country. I asked if the 2FA was enabled on their side and they said yes; now I just have no clue what could be missing.
Do you have conditional access rules requiring users to use 2 Factor?
Top!!
This one worked; it described what was missing: the Realm configuration.
Thanks a lot, I got it working, but I just have one issue. When the Microsoft login shows up, I only have 10 seconds to log in and it closes off saying error timed out. However, if I'm fast enough, I'm able to log in just fine.
Thanks for watching!
I thought I covered that in the video, my apologies!
if you go to:
config system global
set remoteauthtimeout 30 # or 60, whichever works for you
end
This should take care of it for you. Thing is, remoteauthtimeout defaults to 5 seconds, which is why you have to be FAST!
Yo, great video. I'm running a 1800F cluster and am trying this for the first time. BUT I'm running FW 6.2.5; do you know if it is a requirement to run 6.4 and above? I can't find any information on it. My issue is that as soon as I log in and get the authenticator message, it logs me out immediately.
Yes. You need to be running 6.4.0 or above. Sorry, I know it's not what you want. The tunnel WILL come up on 6.2, but it will not pass traffic; it's not really a supported use case on 6.2.
You can however use SAML/Azure AD for admin access. I might do a video on that.
@@mattsherif9141 Well, well, have I got news for you, pal. I've made it work in 6.2.5 just fine; the VPN tunnel works. I can connect to resources, even the bookmarks work on the Web Portal.
@@E4gleDk I have come across it working on 6.2 as well; performance is not so great. Also, it’s still unsupported on 6.2, and performance is better on 6.4.
@Terje Drevvatne Hey, no, I don't recall changing anything regarding the config. I didn't touch the realm parts of it, though; no need for that if you're not going to use it. What issues are you facing?
could this also be used for authenticating WiFi users?
I don't really know. Might have to do some digging.