Skip to main content
julianhaines
julianhaines
Explorer II
October 8, 2024
Solved

Entra Only Joined Windows 11 Computers and FortiGate Authentication.

  • October 8, 2024
  • 1 reply
  • 2786 views

Good day,

 

I am working on a project to move from Domain Joined Windows 11 computers to Microsoft Entra Only Joined computers, I have a FortiGate FGT200F with Firmware 7.X which currently authenticates users via FSSO in the local Windows Domain via LDAP to determine which Web Filter Policies to apply based on their Active Directory group membership.

 

My test Entra Only joined Windows 11 computers are having issues getting the correct Web Filter Policies from the FortiGate and are ending up going to the Catch-All policies, does anyone have any experience with how to do authentication with Entra Only Joined computers on a FortiGate?

 

I have Microsoft Entra Connect Sync Pass-through authentication setup and it is working to authenticate Entra Only computers to the local Active Directory so users can gain access to network resources.

 

Would I need to create groups in Entra the same as the local Domain groups and authenticate to them? And if so, how is this done?

 

Thanks

Best answer by pminarik

Yes, sounds about right. The base VM + user limit (regular & FSSOMA) increases are one-time cost. The support renewal would be recurring. Thought I am not sales, so if/when this starts being seriously interesting, make sure to verify with a partner/distributor/sales.

1 reply

pminarik
Staff
pminarik
Staff
October 8, 2024

Traditional FSSO doesn't see pure Azure/Entra-joined computers.

 

There's two general options you can take:

FSSOMA (...mobility agent) - Needs FortiAuthenticator and FortiClient (FCT can be free). Monitoring user logon sessions is now supported for Entra domains. Under ideal conditions the users will not see any difference. (apart from maybe noticing that FortiClient is now installed :) )

 

Captive portals - Captive portal authentication can be configured and supports SAML. Fairly easy to setup, but disruptive to traffic. (HTTP/S redirected to captive portal, other traffic dropped, until user authenticates)

 

    julianhaines
    julianhainesAuthor
    Explorer II
    October 9, 2024

    Thanks for the information, I was thinking I could also use FortiClient VPN and EMS to push out the Web Filtering profiles to users, but I would have to purchase EMS, not sure which is the best or cheapest. EMS or FortiAuthenticator? I am currently using the free version of Forticlient VPN.

    pminarik
    Staff
    pminarik
    Staff
    October 9, 2024

    That is certainly an option as well, although given that the filtering would be moved to the client, you would probably need to use some fairly wide-open firewall policies on the FortiGate. That might be hard to manage (what if there's a client that doesn't have the FCT+webfilter, or it's just not working temporarily?).

     

    Last I checked the basic cost for EMS was around $10 per user per year for the VPN/ZTNA license and around $40 per user per year for the EPP license (you would want this for the webfiltering function). This will of course fluctuate further based on discounts and higher number of users and/or licensed years.


    Base VM license for FAC is around $2k (100 users, so $20 per user). The VM itself is perpetual, but you will need to consider buying support entitlement license to interact with TAC support. The complication with FAC is that the license for FSSOMA is separate, so you'd need to get that too. (FCC-FAC2K-LIC for 2K users is the smallest), and if the FortiClient's aren't EMS-managed, you'd need to handle deployment, configuration, and management on your own.

    Terms & ConditionsAccessibility statement