Fortigate FSSO and LDAP source IP

I was presented with a scenario the other day where we had two sites connected with a Site-to-Site VPN. The VPN was up and working great, but FSSO and LDAP would not connect to servers on the other side of the VPN for lookups.

This made sense because I knew the fortigate was using its outside (Public) IP for lookups and obviously that was not in my Phase 2 subnets to encrypt. So how can I change this?

Note, these steps change the source IP that the FGT uses to query LDAP or FSSO.

There are options in both objects (FSSO, and LDAP) In CLI to change the source IP address. See below

LDAP Source IP change

First log in through CLI, and edit the object, Then set the source IP. Once you end the CLI session it should be changed.

show ldap

Now set the source IP address of the connection

Set Source IP

Once you enter this and then end the session via the key word ‘end’ you will set the command.

Before moving on to the FSSO settings, here is a list of options available:
options

 

FSSO Source IP change

In CLI edit the FSSO object with the below commands, modify the source IP as below, and end the console to set the commands.

FSSO-show

 

fsso-source-ip

Once you enter this and then end the session via the key word ‘end’ you will set the command

That should be it! You modified your source IP to something in the encryption domain and it should now talk to the remote side and be able to do lookups.

Just in case below are all the options available under the FSSO.

fsso-show-options

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: