Azure Active Directory Users with WatchGuard Access Portal Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This document describes how to configure the WatchGuard Access Portal to integrate with Azure AD Users.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox M400 with Fireware OS v12.7.1
  • Microsoft Azure

Topology

This topology diagram shows the data flow for Active Directory authentication with a WatchGuard Firebox and Azure AD Domain Services.

Topology diagram

Before You Begin

Before you begin these procedures, make sure that:

  • You have an Azure Active Directory global administrator account within the Azure Active Directory tenant
  • You have an active Azure subscription
  • You have created and configured Azure Active Directory Domain Services (Azure AD DS)
  • You have a Firebox feature key with an Access Portal license

Configure Azure

The steps in this section cover how to configure Azure AD.

Configure Secure LDAP

  1. Log in to the Azure portal with your Microsoft Azure account credentials.
  2. Click Resource groups.
  3. Select your Azure AD Domain Services resource group.
  4. Click the Azure AD Domain Services.

Screenshot of Azure, picture1

  1. Select Settings > Secure LDAP.
  2. Enable the Secure LDAP toggle.
  3. Enable the Allow secure LDAP access over the internet toggle.
  4. Next to the .PFX file with secure LDAP certificate text box, click the folder icon and upload your certificate. For information about how to create and export the certificate, see Configure Secure LDAP in the Microsoft documentation.
  5. In the Password to decrypt .PFX file text box, type the password.

Screenshot of Azure, picture2

  1. Click Save.

Screenshot of Azure, picture3

  1. Click Properties.
  2. Copy the Secure LDAP external IP addresses value. You need this information when you configure the Firebox.

Screenshot of Azure, picture4

Configure a Security Rule

  1. In the Azure portal, click Resource groups.
  2. Select your Azure AD Domain Services resource group.
  3. Select the network security group.
  4. Select Settings > Inbound security rules > Add.
  5. From the Source drop-down list, select IP Addresses.
  6. In the Source IP addresses/CIDR ranges text box, type the public IP address or range for your environment.
  7. From the Destination drop-down list, select Any.
  8. From the Service drop-down list, select Custom.
  9. In the Destination port ranges text box, type 636.
  10. For Protocol, select TCP.
  11. In the Priority text box, type a number between 100 and 4096. In our example, we type 311.
  12. In the Name text box, type a name.
  13. Leave the default value for all other settings.
  14. Click Add.

Screenshot of Azure, picture5

Add an Azure Group and User

  1. Go back to the Home page.
  2. Click Azure Active Directory.
  3. Select Manage > Groups.
  4. Click + New group.
  5. From the Group type drop-down list, select Security.
  6. In the Group name text box, type a group name.
  7. From the Membership type drop-down list, select Assigned.

Screenshot of Azure, picture6

  1. Click Create.
  2. To add a user in Azure, select Manage > Users.
  3. Click + New user and enter your user information.

Screenshot of Azure, picture7

  1. Click Create.

Users must change their passwords before they can use Azure AD DS. The password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD. The account is not synced from Azure AD to Azure AD DS until the password is changed. It might take a few minutes after the password change before the new password can be used in Azure AD DS.

Configure the Firebox

The WatchGuard Access Portal is a subscription service and needs an active license applied in your Firebox feature key before you can configure it on your Firebox.

You must configure the Active Directory authentication settings and enable Access Portal.

Configure Active Directory Authentication

  1. Log in to Fireware Web UI (https://<your Firebox IP address>:8080).
  2. Select Authentication > Servers.
    The Authentication Servers page opens.

Screenshot of Firebox, diagram1

  1. From the Authentication Servers list, click Active Directory.
    The Active Directory page opens.
  2. Click Add.
  3. Click Next.
  4. In the Domain Name text box, type the domain name. You cannot change the domain name after you save the settings.

Screenshot of Firebox, diagram2

  1. Click Next.
  2. In the Server Address text box, type or paste the secure LDAP external IP address you copied in the previous section.
  3. Select the Enable secure SSL connections to your Active Directory server (LDAPS) check box.

Screenshot of Firebox, picture3

  1. Click Next.
  2. Click Finish.

Configure the Access Portal

  1. Select Authentication > Users and Groups.
  2. Click Add.
    The Add User or Group page appears. You can add a user or a group. In our example, we add a group.
  3. For Type, select Group.
  4. In the Name text box, type a name for the group. The name of this group must match the name of the Azure AD group your users belong to.

    If you add a user, the name of the user must match the name of the Azure AD user.

  5. From the Authentication Server drop-down list, select the authentication server you created.
  6. Click OK.

Screenshot of Firebox, picture4

  1. Click Save.
  2. Select Subscription Services > Access Portal.
  3. Select the Enable Access Portal check box.
  4. To add an application, in the Applications section, click Add. In our example, add a Web Application.

Screenshot of Firebox, picture5

  1. In the Name text box, type a description name.
  2. In the URL text box, type the URL address.
  3. Click OK.
  4. Select the User Connection Settings tab.
  5. In the Authentication Servers section, from the Authentication Server drop-down list, select the authentication server you created.
  6. Click Add.
  7. In the Authentication Server list, select your authentication server.
  8. To make this authentication server the default server, click Move Up until the server appears at the top of the list.

Screenshot of Firebox, picture6

  1. (Optional) To give all users and groups permission to connect to all applications, in the User Access section, select All applications are available to all users and groups authenticated with the Access Portal. To specify which users and groups can access which applications, select Specify the applications available to each user and group.
  2. Click Add.
  3. From the Authentication Server drop-down list, select the authentication server you created.
  4. From the Type drop-down list, select Group.
  5. In the Name text box, type the group name. The name of this group must match the name of the Azure AD group your users belong to.
  6. Select the applications that are available to this group.

Screenshot of Firebox, picture7

  1. Click OK.

Screenshot of Firebox, picture8

  1. Click Save.

Test the Integration

To test the integration of Azure AD Users and the WatchGuard Access Portal.

  1. In a browser, go to https://<Firebox external IP address or FQDN>.

Screenshot of Firebox, picture9

  1. Type your Azure AD user name and password.
  2. Click Log In.
    You are logged in successfully, the user can get access to the resource.