Firebox Authentication Portal Integration with Microsoft Entra ID Users

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, go to the documentation and support resources for that product.

This document describes how to set up Microsoft Entra ID authentication for the Firebox Authentication Portal so that users must authenticate when they connect to the Firebox over port 4100.

Integration Summary

The hardware and software used in this guide include:

  • Firebox with Fireware v12.10
  • Microsoft Azure

Topology

This topology diagram shows the data flow for Microsoft Entra ID authentication with a WatchGuard Firebox and Microsoft Entra Domain Services.

Topology diagram

Before You Begin

Before you begin these procedures, make sure that:

  • You have a Microsoft Azure global administrator account within the Microsoft Entra ID tenant.
  • You have an active Microsoft Azure subscription.
  • You have created and configured Microsoft Entra Domain Services.

Additional charges might apply for the use of Microsoft Azure. To learn more about Microsoft Azure, go to What is Microsoft Entra Domain Services.

Configure Microsoft Entra Domain Services

To configure Microsoft Entra Domain Services:

  1. Configure Secure LDAP
  2. Configure a Security Rule in Microsoft Azure
  3. Add a Microsoft Entra ID Group and User

Configure Secure LDAP

To configure Secure LDAP:

  1. Log in to the Microsoft Azure portal.
  2. In the Search Resources text box, type Domain Services, then select Microsoft Entra Domain Services.
    The Microsoft Entra Domain Services page opens. 

Screenshot of Azure, picture1

  3. Select your Microsoft Entra managed domain.
  4. Select Settings > Secure LDAP.

Screenshot of Azure, picture2

  5. Enable the Secure LDAP toggle.
  6. Enable the Allow Secure LDAP Access Over the Internet toggle.
  7. Next to the .PFX File with Secure LDAP Certificate text box, click the folder icon and upload your certificate. For information about how to create and export the certificate, go to Configure Secure LDAP in the Microsoft documentation.
  8. In the Password to Decrypt .PFX File text box, type the password.
  9. Click Save.

Screenshot of Azure, picture3

  10. Select Settings > Properties.
  11. Copy the Secure LDAP External IP Addresses value. You need this information later to configure the Firebox.

Screenshot of Azure, picture4
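Before the Firebox is pointed at the Secure LDAP external IP address, it is worth confirming that the endpoint on port 636 presents a certificate that a TLS client will accept. The script below is an added example, not part of this guide or of WatchGuard's or Microsoft's tooling. It assumes that the certificate you uploaded covers the managed domain name (the Microsoft Secure LDAP documentation referenced above describes the certificate requirements), so it checks the name ldaps.<managed domain> against the certificate's subject alternative names and reports how long the certificate remains valid. The domain aaddscontoso.example, the sample certificate dictionary, and the optional CA file are constructed placeholders.

```python
"""Pre-flight checks on the Secure LDAP endpoint before the Firebox is pointed at it.

Added example: verifies that the TLS certificate served on port 636 covers the
managed domain name and is not close to expiry. The domain name, IP address and
CA file are placeholders, not values from the integration guide.
"""
import socket
import ssl
import time

LDAPS_PORT = 636  # the port opened by the inbound security rule


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension, in the getpeercert() dict format."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, name):
    """Exact match, or a '*.' wildcard that covers exactly one leftmost label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if pattern.startswith("*."):
        return name.endswith(pattern[1:]) and name.count(".") == pattern.count(".")
    return False


def cert_covers_name(cert, name):
    return any(name_matches(p, name) for p in san_dns_names(cert))


def expiry_epoch(cert):
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_until_expiry(cert, now=None):
    now = time.time() if now is None else now
    return (expiry_epoch(cert) - now) / 86400


def check_cert(cert, managed_domain, now=None, min_days=30):
    """Summarise whether a certificate is suitable for the Secure LDAP endpoint.

    A client connecting as ldaps.<managed_domain> needs that name to be covered
    (assumption: the certificate is issued for the managed domain, per the
    Microsoft Secure LDAP documentation); fewer than min_days left means the
    integration will break soon.
    """
    ldaps_name = f"ldaps.{managed_domain}"
    covers = cert_covers_name(cert, ldaps_name)
    days_left = days_until_expiry(cert, now)
    return {"covers_domain": covers, "days_left": days_left, "ok": covers and days_left >= min_days}


def fetch_ldaps_cert(host, port=LDAPS_PORT, cafile=None, timeout=5.0):
    """Connect to the endpoint and return the peer certificate as a dict.

    The chain is validated against the system trust store (or `cafile` for a
    private CA); name coverage is checked separately by check_cert() so that a
    mismatch is reported rather than raised.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate dict in getpeercert() format, standing in for a real endpoint.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.aaddscontoso.example"),),),
    "subjectAltName": (("DNS", "*.aaddscontoso.example"), ("DNS", "aaddscontoso.example")),
    "notAfter": "Jan 01 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python ldaps_check.py <Secure LDAP external IP> <managed domain>
        print(check_cert(fetch_ldaps_cert(sys.argv[1]), sys.argv[2]))
    else:
        print(check_cert(SAMPLE_CERT, "aaddscontoso.example"))
```

Run it with the Secure LDAP external IP address you copied and your managed domain name; with no arguments it evaluates the constructed sample certificate. If the chain was issued by a private CA, pass that CA's PEM file as `cafile` to `fetch_ldaps_cert`, otherwise the handshake is rejected before any certificate is returned.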

Configure a Security Rule in Microsoft Azure

To configure a security rule in Microsoft Azure:

  1. Log in to the Microsoft Azure portal.
  2. From the Search Resources search box, search for and select Resource Groups.
    The Resource Groups page opens.

Screenshot of Azure, picture5

  3. Select your Microsoft Entra Domain Services resource group.
  4. On the Overview page, select the Network Security Group type item.
  5. Select Settings > Inbound Security Rules > Add.
    The Add Inbound Security Rule dialog box opens.

Screenshot of Azure, picture5

  6. From the Source drop-down list, select IP Addresses.
  7. In the Source IP Addresses/CIDR Ranges text box, type the public IP address or range for your environment.
  8. In the Source Port Ranges text box, keep the default * text.
  9. From the Destination drop-down list, select Any.
  10. From the Service drop-down list, select Custom.
  11. In the Destination Port Ranges text box, type 636.
  12. For Protocol, select TCP.
  13. For Action, select Allow.
  14. In the Priority text box, type a number between 100 and 4096. In our example, we type 311.
  15. In the Name text box, type a name.
  16. Click Add.

Add a Microsoft Entra ID Group and User

To add a Microsoft Entra ID group:

  1. Log in to the Microsoft Azure portal.
  2. From the Search Resources search box, search for and select Microsoft Entra ID.
  3. Select Manage > Groups.
  4. Click New Group.
    The New Group page opens.

Screenshot of Azure, picture6

  5. From the Group Type drop-down list, select Security.
  6. In the Group Name text box, type a group name.
  7. From the Membership Type drop-down list, select Assigned.
  8. Click Create.

To add a Microsoft Entra ID user:

  1. Select Manage > Users.
  2. Select + New User > Create New User.
    The Create New User page opens.

Screenshot of Azure, picture7

  3. In the Basics tab, type your user information.
  4. In the Assignments tab, assign the user to the group you created previously. You can assign one or more roles to this user. In this example, we select User Administrator.

Screenshot of Azure, picture7

  5. Click Review + Create.
  6. Click Create.

For cloud-only user accounts, users must change their passwords before they can use Microsoft Entra Domain Services. The password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Microsoft Entra ID. The account is not synced from Microsoft Entra ID to Microsoft Entra Domain Services until the password is changed. It might take a few minutes after the password change before the new password can be used in Microsoft Entra Domain Services.

Configure the Firebox

To configure the Firebox:

  1. Configure Active Directory Authentication
  2. Configure Users and Groups
  3. Configure Firewall Policies

Configure Active Directory Authentication

To configure Active Directory authentication:

  1. Log in to Fireware Web UI (https://<your Firebox IP address>:8080).
  2. Select Authentication > Servers.
    The Authentication Servers page opens.

Screenshot of Firebox, diagram1

  3. From the Authentication Servers list, click Active Directory.
    The Active Directory page opens.
  4. Click Add.
  5. Click Next.
    The Domain Name page opens.

Screenshot of Firebox, diagram2

  6. In the Domain Name text box, type the domain name. You cannot change the domain name after you save the settings.
  7. Click Next.
    The Active Directory Server page opens.

Screenshot of Firebox, picture3

  8. In the Server Address text box, type or paste the secure LDAP external IP address you copied in the previous section.
  9. Select the Enable Secure SSL Connections to your Active Directory Server (LDAPS) check box.
  10. Click Next.
  11. Click Finish.

Configure Users and Groups

To configure Users and Groups:

  1. Select Authentication > Users and Groups.
  2. Click Add. You can add a user or a group. In our example, we add a group.
    The Add User or Group page opens.

Screenshot of Firebox, picture4

  3. For Type, select Group.
  4. In the Name text box, type a name for the group. The name of this group must match the name of the Microsoft Entra ID group your users belong to.

    If you add a user, the name of the user must be the same as the name of the Microsoft Entra ID user.

  5. From the Authentication Server drop-down list, select the authentication server you configured.
  6. Click OK.
  7. Click Save.

Configure Firewall Policies

To configure Firewall Policies:

  1. Select Firewall > Firewall Policies.
  2. Click Add Policy.
    The Select a Policy Type page opens.

Screenshot of Firebox, picture5

  3. From the Packet Filter drop-down list, select WG-Auth.
  4. Click Add Policy.
  5. In the Settings tab, in the From and To lists, specify the source and destination of connections the policy applies to. You must also add the Firebox alias in the To list. For more information, go to Set Access Rules for a Policy.

Screenshot of Firebox, picture6

  6. Click Save.

Test the Integration

To test the integration of Microsoft Entra ID Users and the WatchGuard Firebox Authentication Portal:

  1. In a web browser, go to https://<your Firebox IP address>:4100.
  2. Type your Microsoft Entra ID user name and password.
  3. From the Domain drop-down list, select your authentication server.
  4. Click Login.
    You are authenticated.