degwi
New Member
January 27, 2017
Question

Collector Agent in an multi site AD environment, How to Authenticate Users?


Hi all,


I'm in the process of setting up a Fortigate as a proxy/web filter. For this, I have created user groups in our (2008) AD and have installed DC Agents and Collector Agents (CA).

We have a multi-site Active Directory environment (about 25 AD sites), with AD-integrated DNS and with one single firewall for all sites.

As soon as a user logs in, the DC Agent will inform the CAs. The CA will do a (reverse) DNS lookup on the workstation/IP.

As long as the client is in the same AD site, the lookup will work, but as soon as the client has its logon server in a different AD site, the DNS lookup will fail in the beginning. After the AD sync, the lookup will work.

This AD sync is set to the minimum time of 15 minutes, which means that the domain controllers will sync every 15 minutes with their direct peer. (From the outer leaf to the CA there is a maximum of 3 AD hops, meaning max 3 * 15 minutes to sync. But even one sync cycle is too much.)


My question is: who has an equal environment with multiple AD sites, and how do you authenticate the users? Also using DC Agents and collectors? Using a different authentication method?

Thanks for the feedback

Willem
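The failure described above is easy to confirm from the DNS side: the Collector Agent's reverse lookup can only succeed once the DC it queries has received the workstation's PTR record through AD-integrated DNS replication. The following added script (not from this thread or from Fortinet) asks every domain controller in the forest for the PTR record of a logged-on client's IP and reports the sites where it has not arrived yet; it assumes the ActiveDirectory and DnsClient PowerShell modules are available on the machine it is run from.

```powershell
# Added example, not part of the original thread.
# Check in which AD sites a client's PTR record has already replicated.
# Assumes RSAT ActiveDirectory module and the DnsClient module (Windows 8 / 2012 or newer).
param(
    # IP address the DC Agent reported for the logon event (assumed input)
    [Parameter(Mandatory)][string]$ClientIp
)

Import-Module ActiveDirectory
Import-Module DnsClient

# Every DC is a potential AD-integrated DNS server and therefore a replication target.
$dcs = Get-ADDomainController -Filter * | Sort-Object Site

$results = foreach ($dc in $dcs) {
    try {
        # -DnsOnly bypasses the local cache and hosts file; -Server pins the query to this DC.
        $ptr = Resolve-DnsName -Name $ClientIp -Type PTR -Server $dc.HostName -DnsOnly -ErrorAction Stop
        [pscustomobject]@{
            Site   = $dc.Site
            Server = $dc.HostName
            Status = 'present'
            Host   = ($ptr | Where-Object Type -eq 'PTR').NameHost
        }
    }
    catch {
        # NXDOMAIN or timeout: the record has not replicated to this DC yet
        [pscustomobject]@{ Site = $dc.Site; Server = $dc.HostName; Status = 'missing'; Host = $null }
    }
}

$results | Format-Table -AutoSize

# A Collector Agent that resolves through one of the 'missing' DCs will fail the lookup
# until the next intersite replication cycle delivers the record.
$missing = @($results | Where-Object Status -eq 'missing')
if ($missing.Count -gt 0) {
    Write-Warning ("PTR for {0} not yet replicated to {1} of {2} DCs" -f $ClientIp, $missing.Count, @($results).Count)
}
```

Run it shortly after a logon from a remote site; a record that is present on the client's own site DCs but missing on the Collector Agent's site DC confirms the replication-lag cause rather than a DC Agent or CA fault.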


    Wyzz
    New Member
    January 27, 2017

    Why would the client use a DC not within its own site?


    A customised FortiClient (free) can do FSSO (FAC needed) and that works pretty well. We try to use it as the primary method to avoid problems with roaming users (wired<->wireless), computers that go into standby, ...

    Even on top of that you could do a captive portal combined with a specific LDAP server.

    degwi (Author)
    New Member
    January 27, 2017

    Wyzz wrote:

    Why would the client use a DC not within its own site?

    Hi Wyzz,

    The client does use the DC within its own site. But the Collector Agent may be (and is) in a different site. The Collector Agent does the DNS lookup on its local system; the AD sync happens later, so the IP record is not yet set for a new record. Finally, the Fortigate connects to the Collector Agent.

    Wyzz wrote:

    A customised FortiClient (free) can do FSSO (FAC needed) and that works pretty well. We try to use it as the primary method to avoid problems with roaming users (wired<->wireless), computers that go into standby, ...

    OK, the FortiClient is free but the licences aren't. We do not have a FAC.

    Do you manage the FortiClients with special settings like URL filter for the mobile devices?

    We have FortiClient in use for the mobile users, but only the VPN part is installed.


    Wyzz wrote:

    Even on top of that you could do a captive portal combined with a specific LDAP server.

    I didn't get this. What is meant by this?

    Thanks

    Willem

    Agent_1994
    New Member
    December 11, 2017

    We have the same problem at a customer's.

    Did anyone solve this?