Configure FortiGate SSL VPN Authentication with AD

Steps to configure FortiGate SSL VPN Authentication with AD (Active Directory)

  1. Create an LDAP server in FortiGate
  • AD Server =
  • cnid = sAMAccountName
config user ldap
    edit "UAT-AD01"
        set server ""
        set cnid "sAMAccountName"
        set dn "dc=uat,dc=aventislab,dc=com"
        set type regular
        set username "uat\\administrator"
        set password P@ssw0rd
    next
end
  2. Verify the LDAP connection is established successfully with "diagnose test authserver ldap UAT-AD01 uat1 P@ssw0rd"
FG60E #  diagnose test authserver ldap UAT-AD01 administrator P@ssw0rd!@#$

authenticate 'uat1' against 'UAT-AD01' succeeded!
Group membership(s) - CN=MyO365,OU=O365,DC=uat,DC=aventislab,DC=com
                      CN=Domain Users,CN=Users,DC=uat,DC=aventislab,DC=com

  3. Create a local Fortinet Single Sign-On (FSSO) agent
config user fsso
    edit "Local FSSO Agent"
        set server ""
    next
end
  4. Configure FSSO polling from the AD server
config user fsso-polling
    edit 1
        set server ""
        set user "uat\\administrator"
        set password P@ssw0rd
        set ldap-server "UAT-AD01"
    next
end
  5. Create a new group in FortiGate for the MyO365 AD group
config user group
    edit "LDAP-Users"
        set member "UAT-AD01"
        config match
            edit 1
                set server-name "UAT-AD01"
                set group-name "CN=MyO365,OU=O365,DC=uat,DC=aventislab,DC=com"
            next
        end
    next
end
  6. Update the firewall policy for SSL VPN to include set groups "LDAP-Users" so that only members of MyO365 can log in
config firewall policy
    edit 20
        set name "SSLVPN_Internal"
        set uuid cd9e6c5c-de7a-51e8-9c01-08e536f6d644
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "PROD_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "LDAP-Users"
    next
end
  7. Users who are members of the MyO365 AD group are now allowed to log in to the SSL VPN.

  8. Other users will get the pop-up message below if they try to log in.
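The access decision the last two steps describe is "bind must succeed AND the account must be in the matched AD group". As an added example (not part of this post and not FortiGate's own code), the script below parses the output of the "diagnose test authserver ldap" command from step 2 and applies that same rule against the group-name from step 5, so you can sanity-check which accounts the policy will admit before users hit the login page. Assumptions: the sample transcripts are constructed from the page's own output (the wording of a failed bind is assumed; only the succeeded/failed keyword is relied on), and DNs are compared case-insensitively with whitespace trimmed, which is how the CN/OU/DC attributes used here match in LDAP.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the page's own 'diagnose test authserver ldap'
# transcript (user 'uat1', server 'UAT-AD01' and both group DNs come from the page).
SAMPLE_MEMBER = """\
authenticate 'uat1' against 'UAT-AD01' succeeded!
Group membership(s) - CN=MyO365,OU=O365,DC=uat,DC=aventislab,DC=com
                      CN=Domain Users,CN=Users,DC=uat,DC=aventislab,DC=com
"""

# Constructed: a valid AD account that is NOT in MyO365 (Domain Users only).
SAMPLE_NON_MEMBER = """\
authenticate 'uat2' against 'UAT-AD01' succeeded!
Group membership(s) - CN=Domain Users,CN=Users,DC=uat,DC=aventislab,DC=com
"""

# Constructed: a failed bind. The exact FortiOS wording for a failure is an
# assumption; only the 'succeeded'/'failed' keyword is relied upon below.
SAMPLE_FAILED = "authenticate 'uat3' against 'UAT-AD01' failed!\n"

# The group-name from the page's 'config match' block (step 5).
ALLOWED_GROUP_DN = "CN=MyO365,OU=O365,DC=uat,DC=aventislab,DC=com"

GROUP_PREFIX = "Group membership(s) - "


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so two spellings of the same group compare equal:
    split on unescaped commas, trim whitespace around each RDN and its '=',
    and lower-case attribute types and values (CN/OU/DC match case-insensitively).
    Assumption: no escaped characters inside RDN values."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def parse_authserver_output(text: str) -> Tuple[bool, str, List[str]]:
    """Return (bind_succeeded, username, group_dns) from the CLI output."""
    m = re.search(r"authenticate '([^']+)' against '([^']+)' (succeeded|failed)", text)
    if m is None:
        raise ValueError("no 'authenticate ... against ...' result line found")
    user, _server, result = m.groups()

    groups: List[str] = []
    in_group_list = False
    for line in text.splitlines():
        if line.startswith(GROUP_PREFIX):
            groups.append(line[len(GROUP_PREFIX):].strip())
            in_group_list = True
        elif in_group_list and line.strip():
            # continuation lines carry one more DN, indented to align
            groups.append(line.strip())
        elif in_group_list:
            break  # a blank line ends the group list
    return result == "succeeded", user, groups


def sslvpn_allowed(text: str, allowed_group_dn: str = ALLOWED_GROUP_DN) -> bool:
    """Deny unless the bind succeeded AND one returned group matches the
    configured group DN. A successful bind alone is not enough; that is the
    point of 'set groups "LDAP-Users"' on the SSL VPN policy."""
    ok, _user, groups = parse_authserver_output(text)
    if not ok:
        return False
    wanted = normalize_dn(allowed_group_dn)
    return any(normalize_dn(g) == wanted for g in groups)


if __name__ == "__main__":
    for sample in (SAMPLE_MEMBER, SAMPLE_NON_MEMBER, SAMPLE_FAILED):
        _, user, _ = parse_authserver_output(sample)
        print(f"{user}: {'allow' if sslvpn_allowed(sample) else 'deny'}")
```

Paste real "diagnose test authserver ldap" output into SAMPLE_MEMBER to test an actual account; the DN normalisation is what keeps a group-name typed in a different case from silently failing to match.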


