When you set up an FSSO Fabric Connector for Active Directory polling, or use LDAP to authenticate FortiClient users or firewall administrators, and the domain controller sits on the far side of a site-to-site VPN, both the Fabric Connector and the LDAP profile will by default source their requests from the firewall's public IP. That address is not normally covered by the tunnel's phase 2 selectors, so the requests never enter the VPN and the lookups fail.
If you only need to send LDAP authentication requests across the VPN, you can simply set the source-ip option when configuring the LDAP profile in the CLI.
In this example, 10.255.255.1 is an address on the firewall's own internal interface, and every LDAP request to the DC at 10.10.10.100 will be sourced from it. Make sure that 10.255.255.1 is covered by the phase 2 selectors on both ends of the VPN, that the remote site has a route back to it through the tunnel, and that the remote firewall policy permits LDAP (TCP/389, or TCP/636 if you enable LDAPS) from 10.255.255.1 to the DC. Also prefer a dedicated, least-privileged bind account over the domain Administrator used in the snippet: the bind credential is stored on the firewall, and an LDAP bind only needs read access to the user objects.
Here is the snippet of the config to use for the LDAP Profile:
config user ldap
    edit "AD Profile"
        set server "10.10.10.100"
        set source-ip 10.255.255.1
        set cnid "sAMAccountName"
        set dn "dc=test,dc=com"
        set type regular
        set username "cn=Administrator,cn=Users,dc=test,dc=com"
        # type regular performs an authenticated bind and also needs the bind
        # account's password; placeholder shown
        set password <bind-password>
    next
end
If you are using FSSO across a VPN, there is an additional consideration that is explained well in the Fortinet document linked below. Setting source-ip in the LDAP profile is not sufficient here: the Fabric Connector does not take it into account.
In short, when using an FSSO Fabric Connector you must assign an IP address to the IPsec tunnel interfaces themselves, which forces the Fabric Connector to source its requests from that address. Unlike the LDAP profile, there is no option in the GUI or CLI to set the source IP of Fabric Connector traffic directly. The same requirements apply to the tunnel address as to the LDAP source IP: it must fall inside the phase 2 selectors, be routable back through the tunnel from the remote site, and be permitted by the remote firewall policy.
Link to Fortinet reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD41468
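The following FortiOS CLI snippet is an added example, not configuration from the original post or from the linked Fortinet document. It shows the tunnel-interface addressing the FSSO case requires, the phase 2 selectors that both source addresses must fall inside, and the checks to run for both the LDAP source-ip and the FSSO case. The interface name "VPN-to-DC", the phase 2 name, the tunnel address pair 10.255.255.2/32 and 10.255.255.3/32, the 10.255.255.0/24 and 10.10.10.0/24 selectors, and the fsso-polling entry are assumptions; 10.10.10.100, 10.255.255.1 and the "AD Profile" LDAP server are the values used in the post. Exact keywords can vary between FortiOS versions, so check them against your release.

```fortios
# Added example; interface name, phase 2 name, 10.255.255.2/.3 addresses,
# selector subnets and the fsso-polling entry are all assumed.

# 1. Give the IPsec tunnel interface its own address pair. The FSSO Fabric
#    Connector then sources its polling traffic from 10.255.255.2.
config system interface
    edit "VPN-to-DC"
        set ip 10.255.255.2 255.255.255.255
        set remote-ip 10.255.255.3 255.255.255.255
    next
end

# 2. Both source addresses (10.255.255.1 from the LDAP profile and
#    10.255.255.2 from the tunnel interface) must be inside the phase 2
#    selectors or they never enter the tunnel. The remote peer needs the
#    mirror image of these selectors, a route for 10.255.255.0/24 via the
#    tunnel, and a policy allowing LDAP and the FSSO polling traffic to the DC.
config vpn ipsec phase2-interface
    edit "VPN-to-DC-p2"
        set phase1name "VPN-to-DC"
        set src-addr-type subnet
        set src-subnet 10.255.255.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end

# 3. AD polling-mode connector tied to the LDAP profile from the post.
#    Use a dedicated, read-only polling account, not Administrator.
config user fsso-polling
    edit 1
        set status enable
        set server "10.10.10.100"
        set user "svc-fsso-poll"
        set password <polling-password>
        set ldap-server "AD Profile"
    next
end

# 4. Checks. Ping from each source address (the remote policy must allow
#    ICMP for this to succeed), then test the LDAP bind and the FSSO status.
execute ping-options source 10.255.255.1
execute ping 10.10.10.100
execute ping-options source 10.255.255.2
execute ping 10.10.10.100
diagnose test authserver ldap "AD Profile" <test-user> <test-password>
diagnose debug authd fsso server-status
```

If the ping from 10.255.255.1 succeeds but the one from 10.255.255.2 fails, the tunnel interface address is outside the selectors or is not routed back by the remote site, which is exactly the symptom the FSSO connector shows when it is left sourcing from the public IP.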