
How to fix being unable to connect to SSL VPN using Azure Auto Connect after a FortiOS firmware upgrade

This article describes the new settings required for SSL VPN Azure AD Auto Connect when FortiGate is running v7.4.2 or higher.

Starting with v7.2.1, Azure AD domain-joined machines can automatically connect to an SSL VPN tunnel.

Starting with FortiClient v7.2.3 and v7.4.2, Auto-Connect for Azure AD domain-joined machines can also be used for IPsec remote access tunnels.

Support autoconnect to IPsec VPN using Entra ID logon session information

However, because of the IPsec implementation, the setting below, previously used by the SSL VPN Auto-Connect feature, was removed:

config user saml
    edit "azure_saml"
        set auth-url "https://graph.microsoft.com/v1.0/me"
    next
end

Without this setting in place on v7.4.2, users fail to authenticate with the Auto-Connect feature using Entra ID login session information.

Scope

FortiGate v7.4.2+, Azure AD joined machines, Azure Auto Connect

Solution

To resolve the issue, configure the settings below on the FortiGate. No changes are required in FortiClient:

config user external-identity-provider
    edit "azure"
        set type ms-graph
        set version v1.0
    next
end

Next, assign the newly created external-identity-provider to the existing user group, as in the example below.

Note: This must be done via the CLI, as it is currently not supported in the GUI.

config user group
    edit "SAML-AZURE-Escalations-AUTO"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "d4829628-fd49-4e6b-8d9d-85ef5d180447"
            next
        end
    next
end

Note: To allow users to connect both via Auto-Connect with Entra ID login session information and via SAML with manually entered credentials, append the external-identity-provider to the existing group as in the example below, where "azure-saml-sslvpn" is the existing SAML server configured on the FortiGate.

config user group
    edit "SAML-AZURE-Escalations-AUTO"
        set member "azure" "azure-saml-sslvpn"
        config match
            edit 1
                set server-name "azure"
                set group-name "d4829628-fd49-4e6b-8d9d-85ef5d180447"
            next
            edit 2
                set server-name "azure-saml-sslvpn"
                set group-name "d4829628-fd49-4e6b-8d9d-85ef5d180447"
            next
        end
    next
end
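As an added example (not part of the Fortinet article), the Python script below parses a FortiOS configuration dump in the CLI format shown above and reports user groups that do not follow the layout described here: an ms-graph external-identity-provider listed in "set member", each with its own "config match" entry. SAMPLE_CONFIG is a constructed sample, and the function names are my own; the script can be run against the output of a real "show user external-identity-provider" and "show user group" to audit a device after the upgrade.

```python
import shlex
# Constructed sample (not from a real device): group 1 follows the article, group 2 lists only the SAML server.
SAMPLE_CONFIG = """
config user external-identity-provider
    edit "azure"
        set type ms-graph
    next
end
config user group
    edit "SAML-AZURE-Escalations-AUTO"
        set member "azure" "azure-saml-sslvpn"
        config match
            edit 1
                set server-name "azure"
                set group-name "d4829628-fd49-4e6b-8d9d-85ef5d180447"
            next
        end
    next
    edit "SAML-AZURE-Legacy"
        set member "azure-saml-sslvpn"
    next
end
"""

def parse_fortios(text):  # table-style FortiOS config/edit/set/next/end text -> nested dicts
    stack = [{"set": {}, "config": {}}]  # root; then alternating table, edit-node, ...
    for t in (shlex.split(line) for line in text.splitlines() if line.strip()):
        top = stack[-1]
        if t[0] == "config":    # open a table under the current edit-node
            stack.append(top["config"].setdefault(" ".join(t[1:]), {}))
        elif t[0] == "edit":    # open an entry in the current table
            stack.append(top.setdefault(t[1], {"set": {}, "config": {}}))
        elif t[0] == "set":     # values kept as a list: 'set member a b' -> ['a', 'b']
            top["set"][t[1]] = t[2:]
        elif t[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def _group_issues(grp, providers):
    members = set(grp["set"].get("member", [])) & providers
    matched = {m["set"].get("server-name", [""])[0] for m in grp["config"].get("match", {}).values()}
    issues = [f"member {p!r} has no 'config match' entry" for p in sorted(members - matched)]
    return issues + ([] if members else ["no ms-graph external-identity-provider in 'set member'"])

def audit_autoconnect(text):
    """Return {group: [findings]} for user groups that cannot serve Entra ID Auto-Connect."""
    cfg = parse_fortios(text)["config"]
    providers = {n for n, p in cfg.get("user external-identity-provider", {}).items()
                 if p["set"].get("type") == ["ms-graph"]}
    return {name: issues for name, grp in cfg.get("user group", {}).items()
            if (issues := _group_issues(grp, providers))}
```

Running audit_autoconnect(SAMPLE_CONFIG) flags only "SAML-AZURE-Legacy", which still has no ms-graph provider in its member list.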

Configuration from FortiClient EMS remains unchanged as per the example below.

(Screenshots 1 and 2: FortiClient EMS configuration, unchanged.)