Join AD with Fortigate 40-F, DNS Problems

Author
gpojer
New Member
2021/02/06 08:17:55 (permalink)

Join AD with Fortigate 40-F, DNS Problems

Hello Community,
 
I am an absolute newbie to Fortigate. My network configuration is as follows:
(attached image)
 
The domain controller is located at the NAS1 192.168.17.201, the domain is local.XXXX.it.
 
My DNS settings are as follows:
(attached image)
 
However, when I ping my domain controller with execute ping local.XXXX.it I get a response from the IP of the host of my website www.XXXX.it (courtesy page). What is wrong here?
 
In fact, I cannot register to the LDAP Server:
(attached image)
 
Anyone can help?
 
Thanks in advance.

#1

    gpojer
    New Member
    Re: Join AD with Fortigate 40-F, DNS Problems 2021/02/08 11:25:20 (permalink)
    Can anyone help me?
    #2
    NeilG
    Silver Member
    Re: Join AD with Fortigate 40-F, DNS Problems 2021/02/08 12:16:09 (permalink)
    I'm guessing you are following one of the SSO LDAP cookbooks?
     
    Cookbook | FortiGate / FortiOS 6.2.7 | Fortinet Documentation Library
     
    One thing I noticed - your user name for your LDAP authentication is in the NT/LANMan format of Domain\Username
     
    This (for LDAP auth) should be in a distinguished name format.
     
     
    This might help:
    Windows: How do I find an LDAP User and their Group Base DN for Microsoft Active Directory? – marktugbo.com
     
    #3
    gpojer
    New Member
    Re: Join AD with Fortigate 40-F, DNS Problems 2021/02/08 14:39:40 (permalink)
    I have tried with cn=administrator, DC=local, DC=XXXX, DC=it and it still does not work.
    #4
    gpojer
    New Member
    Re: Join AD with Fortigate 40-F, DNS Problems 2021/02/11 07:28:02 (permalink)
    Can anyone help?
    #5
    brycemd
    Gold Member
    Re: Join AD with Fortigate 40-F, DNS Problems 2021/02/11 09:39:14 (permalink)
    You will need to setup source IPs for those functions so the fortigate knows what IP to send from.
     
     
    In the case of LDAP:
    config user ldap
        edit 'your ldap name'
            set source-ip 'your internal IP'
        next
    end
     
    This is because the fortigate uses the interface it exits as its source IP. The problem with this is IPSEC tunnels by default have an IP of 0.0.0.0/0.0.0.0 which means it is not returnable from the other side for fortigate generated traffic. So, you need to identify what IP the traffic should be generated with.
     
    For example, you likely cannot exec ping to the other side of the tunnel using even IP addresses, let alone DNS. You would need to first 'exec ping-options source internalipoffortigate'.
     
    There are many places in fortigate config you need to do this, basically anything fortigate generated going over non-routable interfaces.
     
     
    Edit - I may have totally misread this scenario. I saw VPN in your drawing and assumed there were IPSEC tunnels in play. Are you saying it can't contact the LDAP server even on the same network? The easy fix is to change your FortiGate's DNS servers to the internal DNS server instead of 1.1.1.1. You don't gain much benefit from split/recursive DNS when everything is at the same site. Also, there's not much point in using the DNS name for the LDAP server connection, just use the IP and it brings DNS out of the equation.
    post edited by brycemd - 2021/02/11 10:13:47
    #6
    gpojer
    New Member
    Re: Join AD with Fortigate 40-F, DNS Problems 2021/02/11 12:33:30 (permalink)
    Thanks a lot for the kind answer. However, I have to admit that I have understood only a small fraction of your explanation. As I said, I am a complete beginner with Fortigate.
    But let's clear your PS.
     
    brycemd
     
    Edit - I may have totally misread this scenario. I saw VPN in your drawing and assumed there were IPSEC tunnels in play. Are you saying it can't contact the LDAP server even on the same network? The easy fix is to change your FortiGate's DNS servers to the internal DNS server instead of 1.1.1.1. You don't gain much benefit from split/recursive DNS when everything is at the same site. Also, there's not much point in using the DNS name for the LDAP server connection, just use the IP and it brings DNS out of the equation.
     
    I am connected to the Firewall through an IPSec Tunnel. I set up the firewall via VPN. My first goal is to make the firewall join the AD. The domain controller local.XXXX.it is set up on my QNAP NAS, 192.168.17.201. The next step is to join the domain via vpn tunnel.
     
    Thanks in advance for your clarifications and possible solutions to my problem.
    #7
    brycemd
    Gold Member
    Re: Join AD with Fortigate 40-F, DNS Problems 2021/02/11 12:45:06 (permalink)
    I think a lot of what I said doesn't even apply to your scenario, apologies for that.
     
    The scenario is a fortigate on the same subnet as a NAS acting as AD. I hope I am correct this time.
     
    I would simply change the DHCP scope to give out the NAS IP as DNS instead of using the fortigate as DNS, unless there's a reason the NAS can't act as your full DNS server? And, change the LDAP server to use IP, 192.168.17.201, rather than the local.xxx.it DNS name.
     
    As far as I can tell, doing those two things and getting rid of the recursive DNS setup will solve your issue.
     
    That being said... The LDAP setting does not 'join the fortigate' to the domain. It allows, for example, you to use domain accounts to connect to a VPN.
     
     
    post edited by brycemd - 2021/02/11 12:48:30
    #8
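The symptom the thread turns on (the FortiGate forwarding the internal AD name to 1.1.1.1 and getting the public web host back) can be checked from any host by asking each resolver the same question directly. Added example, not code from the thread or from Fortinet: local.example.it, 203.0.113.10 and the answers built in demo() are constructed placeholders, and resolve() is the only function that touches the network.

```python
# Added example (not from the thread or Fortinet): hand-built RFC 1035 A queries to two resolvers.
import socket
import struct
DC_IP = "192.168.17.201"       # domain controller from the thread
AD_NAME = "local.example.it"   # placeholder for the thread's local.XXXX.it

def build_query(name, txid=0x1234):
    """Recursive A/IN query for name, in DNS wire format."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    while msg[off] and not msg[off] & 0xC0:   # walk labels until root or a compression pointer
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):
    """IPv4 addresses in the answer section; [] when RCODE is not NOERROR (e.g. NXDOMAIN)."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0xF:
        return []
    off, ips = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return ips

def resolve(name, server, timeout=2.0):   # live UDP/53 query; the offline demo does not use it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(512))

def diagnose(answers_by_resolver, dc_ip=DC_IP):   # per resolver: does the AD name reach the DC?
    return {srv: "ok" if dc_ip in ips else ("external" if ips else "no-answer")
            for srv, ips in answers_by_resolver.items()}

def build_response(name, ips, txid=0x1234):
    """Constructed reply in resolver wire layout, so the demo runs offline."""
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip) for ip in ips)
    return struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0) + build_query(name, txid)[12:] + rrs

def demo():   # constructed answers: the DC returns itself, the public resolver returns a web host
    return diagnose({DC_IP: parse_a_records(build_response(AD_NAME, [DC_IP])),
                     "1.1.1.1": parse_a_records(build_response(AD_NAME, ["203.0.113.10"]))})
```

A resolver that comes back "external" for the AD name is the one that must not be in the FortiGate's DNS settings; pointing them at the internal DNS server, or using the DC's IP in the LDAP server definition as suggested above, removes the mismatch.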
    gpojer
    New Member
    Re: Join AD with Fortigate 40-F, DNS Problems 2021/02/22 14:22:23 (permalink)
    So here I am again. VPN is working. DNS is ok. I have also set up the LDAP server on the Fortigate and imported a domain user into the vpnusers group on the fortigate. So the vpnusers group now has a local user and a domain user.
     
    The problem is that I can set up a vpn connection (with forticlient) with the local user credentials but not with the domain user credentials.
     
    Can you help me with troubleshooting?
    #9
    gpojer
    New Member
    Re: Join AD with Fortigate 40-F, DNS Problems 2021/02/27 11:43:35 (permalink)
    Anyone can help?
     
    #10