(upbeat music) - [Matt] Hi, I'm Matt from Duo Security. In this video, I'm going to show you how to integrate Duo with your Fortinet FortiGate SSL VPN to add two-factor authentication to the FortiClient for VPN access. Before watching this video, please be sure to read the documentation for this application located at duo.com/docs/fortinet. Note that we also offer a configuration for protecting Fortinet's SSL VPN browser-based access. Documentation for that configuration is located at duo.com/docs/fortinet-alt.

To integrate Duo with your FortiGate VPN, you will need to install a local proxy service on a machine within your network. Before proceeding, you should locate or set up a system on which you can install the Duo Authentication Proxy. The proxy supports Windows and Linux systems. In this video, we will use a Windows system. Note that this Duo proxy server also acts as a RADIUS server. There is no need to deploy a separate RADIUS server to use Duo.

Log in to the Duo Admin Panel on the system you are going to install the Duo Authentication Proxy on. In the left sidebar, navigate to Applications. Click Protect an Application. In the search bar, type FortiGate. Under the entry for FortiGate SSL VPN click Protect this application. You will be taken to your new application's properties page. Note your integration key, secret key, and API hostname. You will need these later during setup. Near the top of the page, click the link to open the Duo documentation for FortiGate.

Next, install the Duo Authentication Proxy. In this video, we will use a 64-bit Windows system. We recommend a system with at least one CPU, 200 megabytes of disk space, and 4 gigabytes of RAM. On the documentation page, navigate to the Install the Duo Authentication Proxy section. Click the link to download the most recent version of the proxy for Windows.
Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete installation.

After the installation completes, configure and start the proxy. For the purposes of this video, we assume you have some familiarity with the elements that make up the proxy configuration file and how to format them. Comprehensive descriptions of each of these elements are available in the documentation. The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation. Run a text editor like WordPad as an administrator and open the configuration file. By default this is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf. When using a completely new installation of the proxy, there may be example content in the configuration file. Delete this content.

First, configure the proxy for your primary authenticator. For this example, we will use Active Directory. Add an [ad_client] section at the top of the configuration file. Add the host parameter and enter the hostname or IP address of your domain controller. Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches. Next, add the service_account_password parameter and enter the password that corresponds to the username entered above. Finally, add the search_dn parameter, and enter the LDAP distinguished name of an AD container or organizational unit containing all of the users you wish to permit to log in. These four parameters are the minimum options required to configure Active Directory as your primary authenticator. Additional optional variables are described in the documentation.

Next, configure the proxy for your FortiGate VPN. Create a [radius_server_auto] section below the [ad_client] section.
Add the integration key, secret key, and API hostname from your FortiGate application's properties page in the Duo Admin Panel. Add the radius_ip_1 parameter and enter the IP address of your FortiGate VPN. Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN. Finally, add the client parameter and enter ad_client. These six parameters are the minimum options required to configure the proxy to work with your FortiGate VPN. Additional optional variables are described in the documentation. Save your configuration file. Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.

Next, configure your FortiGate VPN. Log in to the FortiGate administrative interface. In the left panel click User & Device and navigate to RADIUS Servers. Click the Create New button. On the new RADIUS server page, in the Name field, enter a name like Duo RADIUS. In the Primary Server IP/Name field enter the IP address, or FQDN, of your Duo RADIUS proxy. In the Primary Server Secret field enter the RADIUS secret configured on your Duo RADIUS proxy. Next to Authentication Method, select Specify. In the dropdown, select PAP. Click OK.

Then configure a user group. In the left panel click User & Device and navigate to User Groups. If you have an existing user group, click on it to edit its settings. If you do not yet have a user group, click Create New to make one. In this example we will edit an existing user group. On the user group page next to Type select Firewall. In the Remote Groups section, click Create New and select the Duo RADIUS remote server. You do not need to specify a group. Click OK to save the user group settings.

Finally, configure the timeout. The timeout can be increased from the Fortinet command line interface. We recommend increasing the timeout to at least 60 seconds. Connect to the appliance CLI. Enter config system global. Then enter set remoteauthtimeout 60.
Finally, enter end.

After installing and configuring Duo for your FortiGate VPN, test your setup. Launch your FortiClient application with a username that has been enrolled in Duo. When you enter your username and password, you will receive an automatic push or phone callback. This user has already been enrolled in Duo and activated the Duo Mobile application on their phone, so they receive a Duo Push notification on their smartphone. Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in. Note that you can also append a form factor to the end of your password when logging in to use a passcode or manually select a two-factor authentication method. Reference the documentation for more information. You have successfully set up Duo for your FortiGate SSL VPN.
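
A pre-start check for the authproxy.cfg described in the video, added here as an example and not part of the video or Duo's own tooling: it verifies the four [ad_client] and six [radius_server_auto] minimum parameters, that client names a section in the file, and that radius_ip_1 is an IP address. The names ikey, skey and api_host are the configuration file's parameters for the integration key, secret key and API hostname; check_authproxy, REQUIRED and the sample values are constructed for this example.

```python
import configparser
import ipaddress

# Minimum parameters from the walkthrough; ikey, skey and api_host are the
# file's names for the integration key, secret key and API hostname.
REQUIRED = {
    "ad_client": ["host", "service_account_username",
                  "service_account_password", "search_dn"],
    "radius_server_auto": ["ikey", "skey", "api_host",
                           "radius_ip_1", "radius_secret_1", "client"],
}

# Constructed sample: no search_dn, a hostname as radius_ip_1, misspelled client.
SAMPLE = """\
[ad_client]
host=10.0.0.10
service_account_username=duoservice
service_account_password=EXAMPLE-ONLY
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=EXAMPLE-ONLY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=vpn.example.com
radius_secret_1=EXAMPLE-ONLY
client=ad_clients
"""


def check_authproxy(text):
    """Return a list of problems found in the text of an authproxy.cfg."""
    cfg = configparser.ConfigParser(interpolation=None)  # '%' is legal in secrets
    cfg.read_string(text)
    problems = []
    for section, keys in REQUIRED.items():
        if not cfg.has_section(section):
            problems.append(f"missing section [{section}]")
            continue
        problems += [f"[{section}] {k} is missing or empty" for k in keys
                     if not cfg.get(section, k, fallback="").strip()]
    # client must point at the section that defines the primary authenticator.
    client = cfg.get("radius_server_auto", "client", fallback="").strip()
    if client and not cfg.has_section(client):
        problems.append(f"client={client} matches no section in this file")
    # The walkthrough calls for the FortiGate's IP address here, not a name.
    ip = cfg.get("radius_server_auto", "radius_ip_1", fallback="").strip()
    try:
        ipaddress.ip_network(ip, strict=False)
    except ValueError:
        if ip:
            problems.append(f"radius_ip_1={ip} is not an IP address")
    return problems
```

Pass the contents of the configuration file to check_authproxy before running net start DuoAuthProxy; an empty list means the minimum parameters from the walkthrough are all present.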