Connection of a UTM to an AD/LDAP
Last adaptation to version: 12.6.1
Last updated: 02.2024
This article refers to a Resellerpreview

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: Authentication / AD/LDAP Authentication


Introduction

AD/LDAP connectivity enables existing directory services such as Microsoft Active Directory® or other LDAP-based systems to be used for authentication, group management, and attribute storage.

Centrally managed users from the directory can thus easily be used for authentication or use of services on the UTM.

This simplifies the administration of complex corporate networks and unifies user management.

Among other things, the Lightweight Directory Access Protocol (LDAP) is used for the connection to the directory.
Using LDAP, information about users, groups and other objects can be read from the directory.

The standard protocol itself does not provide for encryption or authentication of the messages.

Microsoft's advisory ADV190023 (Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing) points this out and recommends adjusting the security settings accordingly.

In the future, signing and encryption of LDAP traffic will be required (sign and seal).

This change is made automatically by the UTM.

Alternatively, the entire connection can be secured with SSL.

Starting with version 11.8.10, not only the primary domain controller (PDC) but all DCs are used for LDAP requests. Thus, authentication for users from the AD remains available even if the PDC is not reachable.


Requirement

To use an AD / LDAP for authentication, users must be created there and organized in groups.

Create user groups in AD

Add a security group
Security group added

The authorizations for the services contained in the UTM can be managed in groups. The users to be assigned to these groups must first be assigned to corresponding user groups in AD.

In this example, the users for Clientless VPN are to be authenticated via the Active Directory Service.

So first of all a group of the type Security Group must be added on the AD, which is given the name ClientlessVPN here.


Add user in AD

Add user in AD
User is a member of the group

The users to be enabled for Clientless VPN are then added to this group.



DNS configuration

For the authentication process of the AD/LDAP connection to work without problems, the nameserver of the UTM must be set up accordingly.
The following configuration is required:

  • Under Network / Appliance Settings, area DNS server, Primary nameserver: must be set to 127.0.0.1
    • The entry Secondary nameserver: must be empty!
  • Under Applications / Nameserver, area Zones, a forward zone with an A and a PTR record is created
  • Under Applications / Nameserver, area DNS Forwarding, a DNS forwarding entry to an external DNS server such as 8.8.8.8 is created

Integrate UTM into the domain

It is important to make sure that the UTM's clock is reasonably synchronized with the AD, since a Kerberos ticket has a limited validity period.

In the menu Authentication AD/LDAP Authentication the authentication is configured.


Establishing an AD connection

If there is no AD/LDAP authentication yet, the AD/LDAP authentication wizard opens automatically.

Otherwise the wizard can be started with the button Wizard


Step 1: Directory type
Directory type: AD - Active Directory
In any case, the directory type »AD« should be selected if it is an Active Directory environment.
Even if an LDAP server is also running, group membership is handled differently in an AD environment than on a pure LDAP server.
Next
Step 2: Options
IP Address or Hostname: 192.168.145.1 (example address!)
Domain: ttt-point.local (the domain name)
Workgroup: ttt-point (the NETBIOS name of the AD). If this differs from the base domain, the correct NETBIOS name must be entered here.
Appliance Account: sp-utml (the name under which the UTM is entered in the AD in the Computers group). A unique name that must not be assigned twice! When operating the UTM in a cluster, the name on the master and spare must be different; the name is not synchronized.
Next
Step 3: Nameserver
If the AD server is not yet entered as the name server, this is done in this step:
Add Server
IP address: 192.168.145.1 (sample address!) IP address of an AD server of the domain, if necessary with the port.
Save

The AD server is thus added as a relay zone in the name server of the UTM.

The entry can be found in the menu Applications Nameserver in the tab Zones.

Next
Step 4: Join
Administrator name: Administrator (to join the domain, a user account with domain administrator permissions is required)
Password: ••••••••
When operating the UTM in a cluster, the password on the spare UTM must be entered separately under Authentication / AD/LDAP Authentication, area Join.

Apart from the Appliance Account (see step 2), all other settings are synchronized within the cluster.
Complete with Join
Finish

Result of AD connection

Result in the Status section:
Enabled: On. AD/LDAP authentication is enabled.
Connection Status: For confirmation, the display changes from grey to green. The status can be refreshed with the update button.

Extended settings

Extended
AD attributes can be given specific permissions, which control who may read them; such attributes cannot, for example, be read by an ordinary LDAP search. These AD attributes are marked with the "confidential" flag.
To give an AD attribute these permissions, the following steps are necessary:
  • Start the Active Directory Users and Computers program
    Start → Control Panel → Administrative Tools → Active Directory Users and Computers
      
  • Click on Advanced functions in the View menu
  • Right-click on the desired object and go to Properties
  • In the Security tab under Advanced, all available authorizations are displayed
  • Use the Add button to select the desired user or group account that should have access
  • In the Permission for object name dialog, select the desired properties and permissions under Properties and Save
As a result, the machine account of the UTM may no longer be able to read this attribute. The machine account then requires additional rights.
SSL: Off. The connection to the Active Directory server can be established using SSL encryption.
Extended settings
  • Note on LDAP encryption:
    • existing and new connections are encrypted and signed separately
    • if SSL is activated, no additional encryption is applied
  • Root certificate: a root certificate can be deposited.
  • LDAP filter: (|(sAMAccountType=268435456)(sAMAccountType=268435457)(sAMAccountType=805306368))
    The sAMAccountType filter restricts authentication to objects of the following types; further filters are possible:
    • 268435456 (→ Groups, SAM_ALIAS_OBJECT 0x20000000)
    • 268435457 (→ Non Security Groups, SAM_NON_SECURITY_ALIAS_OBJECT 0x20000001)
    • 805306368 (→ User Accounts, SAM_USER_OBJECT 0x30000000)
  • User attribute: sAMAccountName. Attributes can be defined under which the AD administration stores the user information and which can then be queried by the UTM:
  • Mail attribute: proxyAddresses

    The attributes from OTP to Cert-Attribute, which are entered here, usually do not exist in the AD.
    For example, to store the OTP secret on the AD, an unused attribute of the AD schema can be used to hold this secret of the user.
    A corresponding instruction can be found in the article Integrating the OTP function into the Active Directory.
    The same approach is used to provision WireGuard connections from AD attributes:
    • Create a WireGuard peer on the UTM
    • Create a user group on the AD that allows the users to use WireGuard
    • Enter the required WireGuard attributes into an AD attribute of the users (for example extensionAttribute#)
    • Connect the UTM to the AD and configure the set AD attributes
    • Create a user group on the UTM that is linked to the AD user group and has the WireGuard permission
    • The corresponding connections are added automatically during the next AD sync
    • If a new attribute is added to a user, it is also taken over at the next sync

    Figure: Attribute Editor tab of the user properties in AD, with example values for WireGuard
    Figure: Names of the attributes used from the AD

    OTP-Attribute: sPOTPSecret
    L2TP-Attribute: sPL2TPAddress
    WireGuard-Attribute (IPv4): sPWireguardIP4Address The AD attribute of the IPv4 address of the WireGuard connection.
    The IPv4 address can be stored in any AD attribute of the user. If the IPv4 address is stored in extensionAttribute1, extensionAttribute1 is entered here.
    WireGuard-Attribute (IPv6): sPWireguardIP6Address The AD attribute of the IPv6 address of the WireGuard connection
    The IPv6 address can be stored in any AD attribute of the user. If the IPv6 address is stored in extensionAttribute2, extensionAttribute2 is entered here.
    WireGuard-Public-Key-Attribute: sPWireguardPubkeyVal The AD attribute of the public key of the WireGuard connection.
    The public key can be stored in any AD attribute of the user. If the public key is stored in extensionAttribute3, extensionAttribute3 is entered here.
    SSL-VPN-Attribute (IPv4): sPOVPNAddress
    SSL-VPN-Attribute (IPv6): sPOVPNIP6Address
    SSL-Bump-Attribute: sPSSLBumpMode
    Cert-Attribute: sPCertificate
    Page Size: 500. In larger environments, LDAP requests may exceed the maximum number of records defined on the server side (1000 in AD). With Page Size the LDAP query is executed piecewise: a page size of 500 means 500 data records per query. A page size of 0 deactivates the step-by-step LDAP query.
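The default LDAP filter, the Page Size setting and the WireGuard attribute mapping described above, as an added Python example that is not Securepoint's code: it parses and evaluates the filter over constructed AD entries, splits the hits into pages (0 disables paging), and maps a user's extensionAttribute1 to 3 (assumed here to be the configured WireGuard attributes) to a peer entry.

```python
import base64
import ipaddress

DEFAULT_FILTER = ("(|(sAMAccountType=268435456)(sAMAccountType=268435457)"
                  "(sAMAccountType=805306368))")  # UTM default filter from the text

def parse_filter(s, pos=0):
    """Parse a minimal RFC 4515 filter: (&...), (|...) and (attr=value) terms."""
    if s[pos + 1] in "&|":
        op, parts, pos = s[pos + 1], [], pos + 2
        while s[pos] != ")":
            node, pos = parse_filter(s, pos)
            parts.append(node)
        return (op, parts), pos + 1
    end = s.index(")", pos)
    attr, value = s[pos + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: attribute -> list of values)."""
    if node[0] == "=":
        return node[2] in [str(v) for v in entry.get(node[1], [])]
    combine = all if node[0] == "&" else any
    return combine(matches(n, entry) for n in node[1])

def search(entries, filt, page_size):
    """Return the matching entries split into pages; a page size of 0 disables paging."""
    node, _ = parse_filter(filt)
    hits = [e for e in entries if matches(node, e)]
    if page_size == 0:
        return [hits]
    return [hits[i:i + page_size] for i in range(0, len(hits), page_size)]

WG_ATTRS = {"ip4": "extensionAttribute1", "ip6": "extensionAttribute2",
            "pubkey": "extensionAttribute3"}  # assumed mapping (see lead-in)

def wireguard_peer(entry, attrs=WG_ATTRS):
    """Map a user's AD attributes to a WireGuard peer; None if missing or malformed."""
    key, ip4, ip6 = ((entry.get(attrs[k]) or [None])[0] for k in ("pubkey", "ip4", "ip6"))
    try:
        if not key or len(base64.b64decode(key, validate=True)) != 32:
            return None  # a Curve25519 public key is exactly 32 bytes
        allowed = [str(ipaddress.IPv4Network(f"{ip4}/32"))]
        if ip6:
            allowed.append(str(ipaddress.IPv6Network(f"{ip6}/128")))
    except ValueError:  # bad base64 or bad address
        return None
    return {"name": entry["sAMAccountName"][0], "public_key": key, "allowed_ips": allowed}

SAMPLE_ENTRIES = [  # constructed sample directory, not a real AD export
    {"sAMAccountName": ["m.meier"], "sAMAccountType": [805306368], "extensionAttribute1": ["10.8.0.10"],
     "extensionAttribute2": ["fd00:8::10"], "extensionAttribute3": [base64.b64encode(b"\x01" * 32).decode()]},
    {"sAMAccountName": ["ClientlessVPN"], "sAMAccountType": [268435456]},  # group: no WireGuard data
    {"sAMAccountName": ["SP-UTML$"], "sAMAccountType": [805306369]},  # machine account: not matched
]
```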

    Connect UTM with Azure AD

    In order to use Azure AD, configured Azure Apps are required.

  • Note
    This article includes descriptions of third-party software and is based on the status at the time this page was created.
    Changes to the user interface on the part of the manufacturer are possible at any time and must be taken into account accordingly in the implementation.
    All information without warranty.
  • To be able to use AD authentication with Azure AD, the following information is required:
    • Application ID
    • Client ID
    • Secret client key
    This guide shows an example of the preparations and settings required in Microsoft Azure:
    • Launch the Azure Active Directory admin center
    • Note down/copy the Tenant ID from the Azure Active Directory menu
    • Register a new app under the App registrations menu with the New registration button
    • Assign a unique name and click the Register button
    • Note the Application ID; alternatively, the Directory ID (Client ID) can be found here
    • In the API permissions menu, click the Add a permission button
    • Select the permission Group.Read.All in the Application permissions tab
    • Select the permission User.Read.All in the Application permissions tab
    • In the API permissions menu, activate the entry Grant admin consent for [...]
    • Create a client secret in the Certificates & secrets menu
    • Note down the Value; it will be entered as Secret Value
    • This completes the configuration in Microsoft Azure.
    The Microsoft servers may take up to 30 minutes before access works.


    Establish Azure AD connection

    If there is no AD/LDAP authentication yet, the AD/LDAP Authentication Wizard opens automatically.
    Otherwise, the wizard can be started with the Wizard button.
    Step 1: Directory type
    Directory type: Azure AD - Microsoft Azure Active Directory. Select Azure AD as the directory type.
    Next
    Step 2: Options
    Directory-ID (Client-ID): •••••••••••••••••••• Directory-ID (Client-ID) from the app registration in Azure AD. The entered value is displayed.
    Application-ID (Client-ID): •••••••••••••••••••• Application-ID (Client-ID) from the app registration in Azure AD. The entered value is displayed.
    Secret value: •••••••••••••••••••• Value of the secret client key from the Certificates & secrets section of Azure AD. The entered value is displayed.
    Finish

    Result Azure AD Connection

    Status
    Enabled: Yes. Azure AD authentication is enabled.
    Connection Status: To confirm, the display changes from gray to green. The update button refreshes the connection status.
    Directory type: Azure AD (the set directory type)
    Options
    Directory-ID (Client-ID): •••••••••••••••••••• Directory-ID (Client-ID) from the app registration in Azure AD. The entered value is displayed.
    Application-ID (Client-ID): •••••••••••••••••••• Application-ID (Client-ID) from the app registration in Azure AD. The entered value is displayed.
    Secret value: •••••••••••••••••••• Value of the secret client key from the Certificates & secrets section of Azure AD. The entered value is displayed.

    AD: Grant permissions to user groups

    Group permissions

    To grant users from the Active Directory the permissions for accessing the UTM user interface and using the Clientless VPN, a group with exactly these permissions is created under Authentication / User, area Groups, with the Add Group button.
    Active permissions of the group:
    • User interface: On
    • Clientless VPN: On (the desired permission)


    Select user group from AD
    In the area Directory Service, the corresponding group from the Active Directory can now be selected and assigned.

    Further information about Clientless VPN permissions can be found in the wiki for Clientless VPN.



    Result

    After saving, every user who is a member of the AD group ClientlessVPN can log on to the UTM with their Windows domain credentials to use the Clientless VPN.



    Verifying the AD connection with CLI

    CLI (Command Line Interface) commands can be used to check various things about the Active Directory connection and users.
    Note:
    If the input (screen and keyboard) is made directly at the UTM, the input prompt of the firewall is e.g. firewall.foo.local> or according to the local configuration. When called from the user interface with the Extras / CLI menu, the prompt is CLI>. This is followed by the CLI command.
    The lines below are the output of the UTM for this command.


    Joining and leaving the domain

    To validate whether the UTM has already joined the domain:

    cli> system activedirectory testjoin
    Join is OK
    cli>
    

    If this is not the case, the following output will take place

    cli> system activedirectory testjoin
    Not joined
    cli>
    

    In this case the domain can be joined with the following command

    cli> system activedirectory join password Beispiel-Admin-Passwort
    Password for Administrator@TTT-POINT.LOCAL: 
    Processing principals to add...
    Enter Administrator's password:
    Using short domain name -- TTT-POINT
    Joined 'SP-UTML' to dns domain 'ttt-point.local'
    cli>
    

    The command to leave the domain is

    cli> system activedirectory leave password Beispiel-Admin-Passwort
    Enter Administrator's password:
    Deleted account for 'SP-UTML' in realm 'TTT-POINT.LOCAL'
    cli>
    

    When joining or leaving the Active Directory, the administrator password must be entered. The password is not stored, but the AD membership nevertheless survives a reboot.


    Display AD groups

    With the following command the groups can be listed in the Active Directory:

    cli> system activedirectory lsgroups
    member
    ------
    Abgelehnte RODC-Kennwortreplikationsgruppe
    Administratoren
    Benutzer
    Builtin
    ClientlessVPN
    Discovery Management
    Domänen-Admins
    Domänen-Benutzer
    Domänen-Gäste
    Exchange Servers
    ...
    Users 
    Windows-Autorisierungszugriffsgruppe
    cli>
    

    Verification of users and group membership

    The following command checks whether an AD user is assigned to a UTM group:

    cli> user check name "m.meier" groups grp_ClientlessVPN
    matched
    cli>
    

    If this is not the case, the output is

    not a member
    cli>
    

    Command to display the group membership and permissions for an AD user:

    cli> user get name m.meier
    name   |groups           |permission
    -------+-----------------+----------
    m.meier|grp_ClientlessVPN|WEB_USER,VPN_CLIENTLESS
    cli>
    


    Domain controller behind site-to-site VPN

    In some scenarios, the domain controller is located behind a site-to-site VPN tunnel.
    If this is the case, a corresponding zone and rule must be configured.
    See also: DNS Relay for IPSec S2S, DNS Relay for SSL (OpenVPN) S2S, DNS Relay for WireGuard S2S.

    Attention: To join an Active Directory located behind a VPN tunnel, the LDAP ports are required in the NAT rule towards the domain controller in addition to the DNS ports.