Wednesday 25 June 2014

How-to: Configure User Alias Options on a FortiMail

If your organisation is using aliases, it's generally a good idea to configure the 'User Alias Options' within the LDAP settings to ensure users only get one quarantine email for all their addresses, instead of one for each alias address.

To configure this, first edit the LDAP profile you've configured for your domain (found under Profile > LDAP) and expand the 'User Alias Options' section.

Ensure the tickbox next to 'User Alias Options' has been enabled, then configure your Base DN, Bind DN and Bind password as normal. For the 'Alias member query' option use proxyAddresses=smtp:$m (FortiMail substitutes $m with the address being looked up). Lastly, untick the 'User group expansion in advance' box.

Your final configuration should look something like this:


To test this out, click on the 'Test LDAP Query...' link near the top of the LDAP profile page. From here choose 'Alias' from the dropdown menu and type in your email address at the bottom. For the example below my normal email address is amouawad@wglab.com.au and my alias is allan@wglab.com.au.

Click on 'Test' and you should see the alias match!


Wednesday 11 June 2014

FortiGate Web SSL VPN gives "Connection Exception" error when trying to RDP to a Windows PC

I've finished configuring a Web SSLVPN on my FortiGate and created a few RDP bookmarks to my internal PCs. As per below, the bookmarks were nothing special and just using the Java based RDP (not native).


When it came time to test this out, however, I kept getting the following error:

Connection Exception: Connection to remote desktop failed, please check network connection or remote computer configuration



Luckily the fix is simple.

Tuesday 10 June 2014

FortiWeb RADIUS authentication login failing

I'm currently rebuilding my FortiWeb VM in the lab and started the configuration from scratch.

One of the config steps I have for all my devices is to use RADIUS for user authentication. For some reason, though, when I test the RADIUS server it keeps giving me a timeout error.


Looking at my FortiAuthenticator I can see the request has come through and been authenticated correctly.


So what's going on here?

Uploaded license for Fortinet VM appliance but get stuck on 'please wait for authentication with registration servers'

Fortinet VM appliances require the installation of a license file to get the full functionality and support. Once you've uploaded the file the device will reboot and try to connect to the Fortinet authentication servers to confirm it's valid.

When you try to log back into the device after the reboot you may get the following screen:


Obviously you'll need an internet connection for it to contact the registration servers, but sometimes it will get stuck on this screen regardless of your internet connection or how many times you reboot the device.

Luckily you can force this update, which takes a matter of seconds. Log in to the CLI and issue the following command:

execute update-now

The device will log you out, and the license registration status will change to VALID. Once this is done, log back in to the GUI and you should see the normal configuration page.



Getting iprope_in_check() errors when routing is configured correctly

I was working on a FG90D for a customer a while back and had just finished configuring some extra routes, but no traffic was passing through the device.

Using the 'diag debug flow' command I was seeing the below message:

id=36870 pri=emergency trace_id=8 msg="iprope_in_check() check failed, drop"

This usually means a packet arrived for which no forwarding or return route exists, so the firewall drops it.

Knowing this I double (and triple!) checked the routes and routing table, and confirmed that everything was correct.

So, having confirmed it was configured correctly, I could only assume that the firewall's lookup tables hadn't been refreshed when I added the new routes. This is something the firewall normally does automatically when the routing table changes (e.g. a route is added or deleted, or an interface goes up or down), but for some reason it wasn't happening here.

Using the command below I flushed the firewall's iprope table and forced it to rebuild:

diagnose firewall iprope flush

After that, the traffic is now routing correctly! :)

How-to: Configure a User Group using LDAP filters on a FortiAuthenticator

Recently I've been playing around with a FortiAuthenticator, which turns out to have some very cool features. One thing I noticed while configuring my user groups is that it relies on 'LDAP filters' to define your groups. What I couldn't find was an explanation of the format these filters need to take.


The administration guide has no information beyond saying that you need to use an 'LDAP filter' here. Being an LDAP noob, I tried putting in the DN of my group as per below, but it didn't like it...

CN=fulladmin,OU=Groups,OU=Lab,DC=wglab,DC=com,DC=au


After searching for a while I found some online articles on LDAP search queries, and the query below works. It matches all user objects whose memberOf attribute lists the 'fulladmin' group. Note that memberOf only records direct membership, so users who are in the group only via a nested group will not match this filter.

(&(objectCategory=user)(memberOf=CN=fulladmin,OU=Groups,OU=lab,DC=wglab,DC=com,DC=au))
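Both this group filter and the FortiMail 'Alias member query' (proxyAddresses=smtp:$m) from the first post are LDAP search filters, so the same RFC 4515 rules apply to any value substituted into them. The Python below is an added example, not FortiMail or FortiAuthenticator code: it escapes values per RFC 4515, builds both filters, and runs them against a small constructed directory with a toy evaluator that understands only equality, AND, OR and NOT. The directory entries and DNs are made up for the example, and attribute values are compared case-insensitively, as Active Directory does for proxyAddresses and DN-valued attributes.

```python
"""LDAP search-filter helpers for the FortiMail alias query and the
FortiAuthenticator group filter discussed in the posts.

Added example, not vendor code. The directory below is constructed.
"""
import re


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515 section 3).

    '(', ')', '*', '\\' and NUL become \\XX hex escapes, so an attacker-supplied
    address such as 'x@y)(objectCategory=*' stays a literal string instead of
    adding a second assertion to the filter.
    """
    return ''.join('\\%02x' % ord(ch) if ch in '()*\\\x00' else ch for ch in value)


def alias_member_filter(email: str) -> str:
    """FortiMail 'Alias member query' proxyAddresses=smtp:$m with $m filled in."""
    return '(proxyAddresses=smtp:%s)' % escape_filter_value(email)


def group_member_filter(group_dn: str) -> str:
    """FortiAuthenticator group filter: user objects directly in group_dn."""
    return '(&(objectCategory=user)(memberOf=%s))' % escape_filter_value(group_dn)


def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Parse the filter subset used here: &, |, ! and equality assertions."""
    def parse(i):
        if text[i] != '(':
            raise ValueError('expected ( at offset %d' % i)
        i += 1
        if text[i] in '&|':
            op, kids, i = text[i], [], i + 1
            while text[i] == '(':
                node, i = parse(i)
                kids.append(node)
            if text[i] != ')':
                raise ValueError('unterminated %s at offset %d' % (op, i))
            return (op, kids), i + 1
        if text[i] == '!':
            node, i = parse(i + 1)
            if text[i] != ')':
                raise ValueError('unterminated ! at offset %d' % i)
            return ('!', [node]), i + 1
        end = text.index(')', i)  # an unescaped ')' ends the assertion
        attr, sep, val = text[i:end].partition('=')
        if not sep:
            raise ValueError('bad assertion: %r' % text[i:end])
        return ('=', attr.lower(), _unescape(val)), end + 1

    node, i = parse(0)
    if i != len(text):
        raise ValueError('trailing data after filter: %r' % text[i:])
    return node


def matches(node, attrs: dict) -> bool:
    """attrs maps a lowercase attribute name to its list of values."""
    kind = node[0]
    if kind == '&':
        return all(matches(k, attrs) for k in node[1])
    if kind == '|':
        return any(matches(k, attrs) for k in node[1])
    if kind == '!':
        return not matches(node[1][0], attrs)
    _, attr, val = node
    # Case-insensitive literal match, as AD does for proxyAddresses and DNs:
    # 'smtp:' matches the primary 'SMTP:' address and 'OU=lab' matches 'OU=Lab'.
    # No substring (*) support: an escaped \2a is just a literal asterisk.
    return any(v.lower() == val.lower() for v in attrs.get(attr, []))


def search(directory: dict, filter_text: str) -> list:
    """Return the sorted DNs of entries matching filter_text."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in directory.items() if matches(node, attrs))


# Constructed directory; it reuses the lab domain from the posts but the entries are made up.
FULLADMIN = 'CN=fulladmin,OU=Groups,OU=Lab,DC=wglab,DC=com,DC=au'
DIRECTORY = {
    'CN=Allan,OU=Users,OU=Lab,DC=wglab,DC=com,DC=au': {
        'objectcategory': ['user'],
        'proxyaddresses': ['SMTP:amouawad@wglab.com.au', 'smtp:allan@wglab.com.au'],
        'memberof': [FULLADMIN],
    },
    'CN=Jane,OU=Users,OU=Lab,DC=wglab,DC=com,DC=au': {
        'objectcategory': ['user'],
        'proxyaddresses': ['SMTP:jane@wglab.com.au'],
        'memberof': ['CN=helpdesk,OU=Groups,OU=Lab,DC=wglab,DC=com,DC=au'],
    },
    'CN=helpdesk,OU=Groups,OU=Lab,DC=wglab,DC=com,DC=au': {
        'objectcategory': ['group'],  # nested group: dropped by the objectCategory clause
        'memberof': [FULLADMIN],
    },
}

if __name__ == '__main__':
    print(search(DIRECTORY, alias_member_filter('allan@wglab.com.au')))
    print(search(DIRECTORY, group_member_filter(FULLADMIN.replace('OU=Lab', 'OU=lab'))))
    print(alias_member_filter('x@wglab.com.au)(objectCategory=*'))
```

The alias query resolves both the primary address and the alias to the same user entry, which is exactly what lets FortiMail send one quarantine report per user. The group filter returns the user but not the nested helpdesk group, and an address containing filter metacharacters comes out escaped rather than splicing a new assertion into the query.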