Fortinet VPN configuration for the LastPass Universal Proxy LDAPS protocol

When using FortiOS Version 6.4.0 or higher and Amazon Corretto Java Runtime Environment version 8u272 or higher with LDAPS protocol, the Universal Proxy will not work, as this configuration enforces the usage of TLS version 1.3 between Fortinet and Universal Proxy. Universal Proxy version 2.2.0 supports TLS version 1.2 only. In order for Universal Proxy version 2.2.0. to work with the LDAPS protocol, use one of the following workarounds:

in the FortiOS change the highest supported TLS version to 1.2
downgrade Amazon Corretto Java Runtime Environment 17 to version prior to 8u272

Define a LDAP server profile:

Log in to the Fortinet FortiGate SSL VPN administration portal.
In the left navigation, go to User & Device > LDAP Servers.
Click Create New.

The Edit LDAP Server page appears.
Enter the following information:

Name

Enter a name for your LDAP server.

Server/IP Name

Enter the LastPass Universal Proxy IP address.

Server Port

Enter your port, default is 636.

Common Name Identifier

samAccountname

Distinguished Name

Enter the distinguished name, in the following format: DC=domain,DC=country_code.

Important: Do not use a backslash in the Distinguished Name field.

Bind Type

Regular

Secure Connection

Enable with the toggle button.

Protocol

LDAPS

Certificate

Select the appropriate certificate.
Set the Remote Authentication Timeout. Follow these command line instructions, and run the following command:
```
hostname # config system global
hostname # set remoteauthtimeout 60
hostname # end
```
Click Test Connectivity to test your connection.
Click Test User Credentials to test an existing user's account credentials that will use this server for authentication.
Click OK when finished.

Results: The Fortinet FortiGate SSL VPN has been configured. For more information about LDAP configuration, see the configuration tips and technical notes in the Fortinet knowledgebase.