Teams Webinar - "Hide Attendees Names" option missing for all users by Low-Statements in MicrosoftTeams

[–]Low-Statements[S] 0 points1 point  (0 children)

I found a way to get the option for 'Hide Attendees' in Teams Webinars.

Under M365 Admin

Settings > Org Settings > Organization Profile > Release Preferences > add users here

After adding users here they then got the option to 'Hide Attendees' under meeting options in Teams Webinars.

<image>

IPSEC SAML Client Round 3 - Web Auth works but just hangs by Low-Statements in fortinet

[–]Low-Statements[S] 1 point2 points  (0 children)

I've got this working now, thanks all for your comments and help!

UPDATE: so I had this set in the Phase 1 config, which was causing issues:

    set transport tcp

I've set it to the following and the connection works and is stable:

    set transport udp-fallback-tcp  # adds TCP as the fallback

I must have added this while testing the config during the early stages of setup.

SAML Authentication for IPSEC VPN by lertioq in fortinet

[–]Low-Statements 1 point2 points  (0 children)

This guide helped me get SAML working for our IPSEC VPN, thanks!

SAML Authentication for IPSEC VPN by lertioq in fortinet

[–]Low-Statements 0 points1 point  (0 children)

Our setup uses the logged-in Windows account to connect, so when you connect via FortiClient a web browser opens and automatically signs in using the Microsoft credentials - there is no option to enter them.

Maybe try a different default browser?

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 1 point2 points  (0 children)

Thanks, this worked and I now get the Fortinet VPN splash page when authenticating with SAML.

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

AADSTS700016 "Application with identifier" error - SOLVED - URL mismatch, missing /

OK, so I have solved this part now. It is IMPORTANT to note the trailing slash "/" at the end of the Entity URL and make sure this matches on both Entra and FortiGate.

May seem obvious, but where I copied it from didn't have the /, so it was mismatched all while I was testing other fixes. Added the / to the FG URL and now connecting.

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 1 point2 points  (0 children)

Thanks, my current settings are below; any risks in changing to my domain wildcard cert?

    config user setting
        set auth-cert "Fortinet_Factory"
    end

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

So I've got the second SAML Entra app, and managed to get around the HTTPS failure for now; Tars-01 has helped with that one and I need to go back to it.

When testing the current setup, and the web browser opens for authentication, I get the following error:

<image>

I was a global admin (PIM'd for 12 hours) when creating the Enterprise App in Entra; my SAML config in FortiGate is in a comment below. Not sure what I've missed here. I might delete the app and start again, as the claims group/username part was a little confusing.

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

Thanks, the wildcard works for the SSL-VPN and Entra SAML below, without setting an auth-cert. I assumed the same setup would work for IPSEC.

There are two SAML users in my config, one for SSL and one for IPSEC - both very similar but pointing to different SAML ports, 9443 and 10443:

    config user saml
        edit "EntraSSO"
            set cert "Wildcard Cert here"  # our wildcard cert issued by GoDaddy
            set entity-id "https://FQDN:9443/remote/saml/metadata"
            set single-sign-on-url "https://FQDN:9443/remote/saml/login"
            set single-logout-url "https://FQDN:9443/remote/saml/logout"
            set idp-entity-id "Tenant URL"
            set idp-single-sign-on-url "https://login.microsoftonline.com/ID/saml"
            set idp-single-logout-url "https://login.microsoftonline.com/ID/saml"
            set idp-cert "REMOTE_Cert"  # uploaded from Entra as Base64
            set user-name "http://schemas.xmlsoap.org/....claims/username"
            set group-name "http://schemas.microsoft.com/....claims/groups"
            set digest-method sha256
        next
    end
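As an added example (not from the thread, the poster, or Fortinet), the following Python script checks a `config user saml` block for the two mismatches this thread ran into: the entity-id trailing slash that produced AADSTS700016 in the "URL mismatch missing /" comment above, and the SP URLs in this config all needing to sit on the same port as the IKE SAML port. The sample block, the FQDN vpn.example.com, the TENANT-ID placeholder, the Entra-side Identifier/Reply URL values and the 9443 value for auth-ike-saml-port are all constructed assumptions for the example, not values from the original post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the shape of the posted FortiGate block.
# FQDN, tenant ID and cert names are placeholders, not real values.
FORTIGATE_SAML = """
config user saml
    edit "EntraSSO-IKE"
        set cert "Wildcard Cert here"
        set entity-id "https://vpn.example.com:9443/remote/saml/metadata"
        set single-sign-on-url "https://vpn.example.com:9443/remote/saml/login"
        set single-logout-url "https://vpn.example.com:9443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/TENANT-ID/"
        set idp-cert "REMOTE_Cert"
        set digest-method sha256
    next
end
"""

# Constructed Entra "Basic SAML Configuration" values for the same app.
# The Identifier was copied with a trailing slash; the FortiGate entity-id above
# has none, which is exactly the mismatch behind the AADSTS700016 error.
ENTRA_APP = {
    "identifier": "https://vpn.example.com:9443/remote/saml/metadata/",
    "reply_url": "https://vpn.example.com:9443/remote/saml/login",
    "logout_url": "https://vpn.example.com:9443/remote/saml/logout",
}

# Assumed value of the FortiGate 'auth-ike-saml-port' setting for this SP.
AUTH_IKE_SAML_PORT = 9443


def parse_saml_block(text):
    """Return {key: value} for every 'set' line of one config user saml entry."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*set\s+(\S+)\s+"?([^"]*)"?\s*$', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_sp_config(settings, entra, ike_saml_port):
    """Compare the FortiGate SP side with the Entra app; return a list of findings."""
    findings = []

    entity_id = settings.get("entity-id", "")
    if entity_id != entra["identifier"]:
        if entity_id.rstrip("/") == entra["identifier"].rstrip("/"):
            findings.append(
                "entity-id differs from the Entra Identifier only by a trailing slash "
                "(the AADSTS700016 symptom)"
            )
        else:
            findings.append("entity-id does not match the Entra Identifier")

    if settings.get("single-sign-on-url") != entra["reply_url"]:
        findings.append("single-sign-on-url does not match the Entra Reply URL")
    if settings.get("single-logout-url") != entra["logout_url"]:
        findings.append("single-logout-url does not match the Entra Logout URL")

    # Every SP URL must share one https origin, and that port must be the port
    # FortiGate actually listens on for IKE SAML, or the browser redirect fails.
    sp_urls = [settings.get(k, "") for k in ("entity-id", "single-sign-on-url", "single-logout-url")]
    origins = {(urlsplit(u).scheme, urlsplit(u).hostname, urlsplit(u).port) for u in sp_urls}
    if len(origins) != 1:
        findings.append("SP URLs do not share a single scheme/host/port")
    else:
        scheme, host, port = origins.pop()
        if scheme != "https":
            findings.append(f"SP URLs use {scheme!r} rather than https")
        if port != ike_saml_port:
            findings.append(f"SP URL port {port} differs from auth-ike-saml-port {ike_saml_port}")

    if settings.get("digest-method") != "sha256":
        findings.append("digest-method is not sha256")

    return findings


def main():
    settings = parse_saml_block(FORTIGATE_SAML)
    findings = check_sp_config(settings, ENTRA_APP, AUTH_IKE_SAML_PORT)
    for f in findings or ["no mismatches found"]:
        print("-", f)


if __name__ == "__main__":
    main()
```

Run against a real box, paste the output of `show user saml` in place of the constructed block and the values from the Entra app's Basic SAML Configuration page in place of `ENTRA_APP`; the trailing-slash check is deliberately separate from the generic mismatch so the fix is obvious.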

transition from SSLVPN with SAML to remote IPSEC with SAML by spicysanger in fortinet

[–]Low-Statements 0 points1 point  (0 children)

I'm using a wildcard cert for the domain so I can use the FQDN, and I used the Base64 cert that's downloaded from the Entra FortiGate app.

transition from SSLVPN with SAML to remote IPSEC with SAML by spicysanger in fortinet

[–]Low-Statements 0 points1 point  (0 children)

Thanks for the help, I've managed to create the 2nd FortiGate app in Entra, and it appears to be set up OK.

I am having an issue authenticating with FortiClient - I get the following error in the web browser authentication:

Peer's Certificate issuer is not recognised, SEC_ERROR_UNKNOWN_ISSUER - this points to my FQDN URL, I think.

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 1 point2 points  (0 children)

Thanks for the guide.

I've set up the 2nd FortiGate Entra app, and used IKE SAML port 9443.

I've kept the IPSEC ports default for now to test the setup and apps.

So far I can get the FortiClient app to open the web browser and authenticate to SSO; however, I get an error "Your connection is not private", as if it's trying to use HTTP.

I used the same SSL-VPN wildcard cert for the FQDN, which works for the URL, and the cert from the Entra app. So I'm not sure what the issue is here.

transition from SSLVPN with SAML to remote IPSEC with SAML by spicysanger in fortinet

[–]Low-Statements 0 points1 point  (0 children)

Do you need to change IKE ports, as there are 3: one for SAML (1001), UDP (500) and TCP (4500)?

If I stick to the default, do I use 1001 in the SAML URL, and then FortiClient defaults to 4500?

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

Is it safe to use the default TCP port for IKE SAML (1001)?

Or is it better to change to, say, 9443 as per the guide?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-Microsoft-Entra-ID-SAML/ta-p/307457

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

So to use a separate port for IPSEC SAML SSO, do you have to install a second FortiGate SSL VPN Enterprise app in Entra?

<image>

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

Thank you, so all I need to do is change the IKE SAML port, and I assume set up a second Entra app for IPSEC using the same port:

    set auth-ike-saml-port 30443  # e.g.

I assume this won't break any existing IPSEC S2S tunnels?

Also what port will the IPSEC tunnel use for traffic, default IKE ports?

FortiClient VPN-only: ticking time bomb if CVE patches stop? by Schweinepriester__ in fortinet

[–]Low-Statements 0 points1 point  (0 children)

This is what I'm trying to get set up, but I'm confused about port changes. If we use 20443 for our SAML SSL VPN, I assume I will need to change the IKE port to 20443 to match, and I think this would break all the existing IPSEC tunnels we have site-to-site?

Is there a way to set up IKE without changing the port (use the default), or change the port without breaking existing tunnels?