FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ahernandez_FTNT
Article Id 190913
Description
When a network has one or more branch offices and a single centralized LDAP server that is reachable through the VPN established between each branch office's FortiGate and the headquarters' FortiGate, the remote server can be used to authenticate local users at the branch office. However, if the VPN has phase-2 quick selectors (as is usual), the communication between the branch office's FortiGate and the remote server may fail because the source IP used (usually the WAN interface IP address) does not match the quick selectors defined in phase 2.

[Image: Escenario-KB-May-Alan.jpg]

Solution
To solve this issue, the source IP address of the packets generated by the FortiGate toward the LDAP server must be the IP address assigned to the local LAN interface (a subnet allowed by the quick selectors). In the example shown above, the source IP address must be 192.168.2.1.

Depending on which type of service is being reached on the remote server (LDAP or FSSO), the source IP must be defined in one profile or the other:

1) To reach LDAP server:

config user ldap
    edit <Server_Name>
        set source-ip 192.168.2.1
    next
end

2) To use FSSO profile (Agent-mode):

config user fsso
    edit <Profile_Name>
        set source-ip 192.168.2.1
    next
end
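The following is an added example, not part of this article or of FortiOS, that models why the default source IP fails and the LAN IP works: a packet only enters the IPsec tunnel when its source and destination both fall inside a phase-2 quick selector pair. The article gives only the branch LAN IP 192.168.2.1; the LAN subnets, the LDAP server address, the WAN address and the profile name used below are assumed values for illustration. The last helper renders the same CLI stanza shown above for either the `user ldap` or `user fsso` profile.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed example values. Only 192.168.2.1 (branch LAN IP) comes from the article;
# the subnets, the LDAP server IP and the WAN IP are assumed for illustration.
PHASE2_SELECTORS = [
    (ipaddress.ip_network("192.168.2.0/24"),   # branch LAN (local selector)
     ipaddress.ip_network("192.168.1.0/24")),  # HQ LAN (remote selector)
]
LDAP_SERVER = "192.168.1.10"   # assumed HQ LDAP server
BRANCH_WAN_IP = "203.0.113.5"  # assumed branch WAN IP (RFC 5737 documentation range)
BRANCH_LAN_IP = "192.168.2.1"  # branch LAN IP from the article


def matches_selector(src: str, dst: str,
                     selectors: Iterable[Selector] = PHASE2_SELECTORS) -> bool:
    """True if a packet src -> dst is covered by at least one phase-2 quick selector,
    i.e. the FortiGate would send it into the IPsec tunnel instead of out the WAN."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in selectors)


def pick_source_ip(candidates: Iterable[str], server: str,
                   selectors: Iterable[Selector] = PHASE2_SELECTORS) -> Optional[str]:
    """Return the first candidate interface IP whose traffic to `server` matches a
    selector (the value to put in `set source-ip`), or None if no interface qualifies."""
    selectors = list(selectors)
    for ip in candidates:
        if matches_selector(ip, server, selectors):
            return ip
    return None


def source_ip_stanza(kind: str, name: str, source_ip: str) -> str:
    """Render the FortiOS CLI stanza from the article for an LDAP server ('ldap')
    or an FSSO agent-mode profile ('fsso')."""
    if kind not in ("ldap", "fsso"):
        raise ValueError("kind must be 'ldap' or 'fsso'")
    return "\n".join([
        f"config user {kind}",
        f"    edit {name}",
        f"        set source-ip {source_ip}",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    for ip in (BRANCH_WAN_IP, BRANCH_LAN_IP):
        inside = matches_selector(ip, LDAP_SERVER)
        verdict = "enters tunnel" if inside else "NOT in selector (LDAP query fails)"
        print(f"src {ip:>14} -> {LDAP_SERVER}: {verdict}")
    chosen = pick_source_ip([BRANCH_WAN_IP, BRANCH_LAN_IP], LDAP_SERVER)
    print(source_ip_stanza("ldap", "HQ-LDAP", chosen))  # assumed server name
```

Running the script shows the WAN-sourced packet rejected by the selector and the LAN-sourced packet accepted, then prints the `config user ldap` stanza with `set source-ip 192.168.2.1`. The same check applies to any other FortiGate-originated service (FSSO collector agent traffic, for instance) that must traverse a selector-based tunnel.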
