How to Install Duo for Fortinet FortiGate SSL VPN

[Matt] Hi, I'm Matt from Duo Security. In this video, I'm going to show you how to integrate Duo with your Fortinet FortiGate SSL VPN to add two-factor authentication to the FortiClient for VPN access. Before watching this video, please be sure to read the documentation for this application located at duo.com/docs/fortinet.

Note that we also offer a configuration for protecting Fortinet's SSL VPN browser-based access. Documentation for that configuration is located at duo.com/docs/fortinet-alt. To integrate Duo with your FortiGate VPN, you will need to install a local proxy service on a machine within your network. Before proceeding, you should locate or set up a system on which you will install the Duo Authentication Proxy. The proxy supports Windows and Linux systems. In this video, we will use a Windows system. Note that this Duo proxy server also acts as a RADIUS server. There is no need to deploy a separate RADIUS server to use Duo. Log in to the Duo Admin Panel on the system you are going to install the Duo Authentication Proxy on. In the left sidebar, navigate to Applications. Click Protect an Application. In the search bar, type FortiGate. Under the entry for FortiGate SSL VPN, click Protect this application.

You will be brought to your new application's properties page. Note your integration key, secret key, and API hostname. You will need these later during setup. Near the top of the page, click the link to open the Duo documentation for FortiGate. Next, install the Duo Authentication Proxy. In this video, we will use a 64-bit Windows system. We recommend a system with at least one CPU, 200 megabytes of disk space, and 4 gigabytes of RAM. On the documentation page, navigate to the Install the Duo Authentication Proxy section. Click the link to download the most recent version of the proxy for Windows. Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete installation. After the installation completes, configure and start the proxy. For the purposes of this video, we assume you have some familiarity with the elements that make up the proxy configuration file and how to format them.

Comprehensive descriptions of each of these elements are available in the documentation. The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation. Run a text editor like WordPad as an administrator and open the configuration file. By default this is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf. When using a completely new installation of the proxy, there may be example content in the configuration file. Delete this content. First, configure the proxy for your primary authenticator. For this example, we will use Active Directory. Add an [ad_client] section at the top of the configuration file. Add the host parameter and enter the hostname or IP address of your domain controller. Then add the service_account_username parameter and enter the user name of a domain member account that has permission to bind to your AD and perform searches.

Next, add the service_account_password parameter and enter the password that corresponds to the username entered above. Finally, add the search_dn parameter, and enter the LDAP distinguished name of an AD container or organizational unit containing all of the users you wish to permit to log in. These four items are the minimum parameters required to configure Active Directory as your primary authenticator. Additional optional variables are described in the documentation. Next, configure the proxy for your FortiGate VPN. Create a [radius_server_auto] section below the [ad_client] section. Add the integration key, secret key, and API hostname from your FortiGate application's properties page in the Duo Admin Panel. Add the radius_ip_1 parameter and enter the IP address of your FortiGate VPN. Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN.

Finally, add the client parameter and enter ad_client. These six items are the minimum parameters required to configure the proxy to work with your FortiGate VPN. Additional optional variables are described in the documentation. Save your configuration file. Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.
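The walkthrough lists the four [ad_client] and six [radius_server_auto] parameters the proxy needs but does not show the finished file. The following is an added example, not code from the video or from Duo: it renders an authproxy.cfg with those two sections and checks that every required parameter is present and non-empty before you run net start DuoAuthProxy. The parameter names ikey, skey and api_host are the proxy's names for the integration key, secret key and API hostname (they come from Duo's documentation, not from the video); every value below is a constructed placeholder, and the hostnames and addresses are assumptions.

```python
"""Render and sanity-check a Duo Authentication Proxy authproxy.cfg (added example)."""
import configparser
from io import StringIO

# Minimum parameters named in the walkthrough for each section. ikey/skey/api_host
# are the proxy's parameter names for the integration key, secret key and API hostname.
REQUIRED = {
    "ad_client": ("host", "service_account_username",
                  "service_account_password", "search_dn"),
    "radius_server_auto": ("ikey", "skey", "api_host",
                           "radius_ip_1", "radius_secret_1", "client"),
}

# Constructed placeholder values; replace every one with your own.
EXAMPLE_AD = {
    "host": "dc1.corp.example",                       # assumed domain controller
    "service_account_username": "duo-proxy-svc",
    "service_account_password": "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD",
    "search_dn": "OU=VPN Users,DC=corp,DC=example",
}
EXAMPLE_RADIUS = {
    "ikey": "DI_PLACEHOLDER_INTEGRATION_KEY",
    "skey": "PLACEHOLDER_SECRET_KEY",
    "api_host": "api-PLACEHOLDER.duosecurity.com",
    "radius_ip_1": "192.0.2.10",                       # assumed FortiGate address
    "radius_secret_1": "REPLACE_WITH_LONG_RANDOM_RADIUS_SECRET",
    "client": "ad_client",                             # primary auth goes to [ad_client]
}


def render_authproxy_cfg(ad, radius):
    """Return authproxy.cfg text with the [ad_client] and [radius_server_auto] sections."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep '%' in passwords literal
    cfg["ad_client"] = ad
    cfg["radius_server_auto"] = radius
    buf = StringIO()
    cfg.write(buf, space_around_delimiters=False)  # key=value lines, as in the Duo docs
    return buf.getvalue()


def missing_parameters(cfg_text):
    """Map each section to the required keys that are absent or empty.

    Also flags a 'client' value that names a section the file does not contain,
    since the proxy cannot forward primary authentication to an undefined section.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    problems = {}
    for section, keys in REQUIRED.items():
        if not cfg.has_section(section):
            problems[section] = list(keys)
            continue
        missing = [k for k in keys if not cfg.get(section, k, fallback="").strip()]
        if missing:
            problems[section] = missing
    client = cfg.get("radius_server_auto", "client", fallback="").strip()
    if client and not cfg.has_section(client):
        problems.setdefault("radius_server_auto", []).append(
            f"client references missing section [{client}]")
    return problems


EXAMPLE_CFG = render_authproxy_cfg(EXAMPLE_AD, EXAMPLE_RADIUS)

if __name__ == "__main__":
    print(EXAMPLE_CFG)
    print("problems:", missing_parameters(EXAMPLE_CFG) or "none")
```

Run it before starting the service: an empty result from missing_parameters means the ten minimum parameters are all set and the client value points at a section that exists. The radius_secret_1 value is the secret you will enter again on the FortiGate side, so generate a long random one rather than reusing a password.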
Next, configure your FortiGate VPN. Log in to the FortiGate administrative interface. In the left panel click User & Device and navigate to RADIUS Servers. Click the Create New button. On the new RADIUS server page, in the Name field, enter a name like Duo RADIUS. In the Primary Server IP/Name field enter the IP address, or FQDN, of your Duo RADIUS proxy. In the Primary Server Secret field enter the RADIUS secret configured on your Duo RADIUS proxy. Next to Authentication Method, select Specify.

In the dropdown, select PAP. Click OK. Then configure a user group. In the left panel click User & Device and navigate to User Groups. If you have an existing user group, click on it to edit its settings. If you do not yet have a user group, click Create New to make one. In this example we will edit an existing user group. On the user group page, next to Type, select Firewall. In the Remote Groups section, click Create New and select the Duo RADIUS remote server. You do not need to specify a group. Click OK to save the user group settings. Finally, configure the timeout. The timeout can be increased from the Fortinet command line interface. We recommend increasing the timeout to at least 60 seconds.

Connect to the appliance CLI. Enter config system global. Then enter set remoteauthtimeout 60. Finally, enter end. After installing and configuring Duo for your FortiGate VPN, test your setup. Launch your FortiClient application with a username that has been enrolled in Duo. When you enter your username and password, you will receive an automatic push or phone callback. This user has already enrolled in Duo and activated the Duo Mobile application on their phone, so they receive a Duo Push notification on their smartphone. Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in. Note that you can also append a form factor to the end of your password when logging in to use a passcode or manually select a two-factor authentication method. Reference the documentation for more information. You have successfully set up Duo for your FortiGate SSL VPN.