FortiAuthenticator best practices

Hello,

You don't need public IP for FAC. FAC can be behind the firewall, in this case FortiGate as you are moving everything already. 

FortiGate can hold that public IP and FAC can stay behind the NAT. You will probably need NAT for example if you want to use FortiToken mobile push notification, because in this case phone will directly contact (FortiGate as FAC is behind the NAT in this case) FAC. 

Here is the KB that explains that:

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiToken-Push-on-FortiAuthenticator-operation/ta-p/190810?externalID=FD45559

Make sure that FAC has internet connection also, as it will need that for token assignment for example.

Other then that you want to make sure that FAC will have connection to the internal network, because it will need to contact the LDAP server in this case.

Also connection between the FortiGate that holds SSL VPN for example and acts as radius client.

FAC also needs to have one IP that will be tied to the license file itself (that IP address can be from private range). You can use the same IP for GUI, authentication, license, but in this case if you change IP for authentication (radius, tacacs, etc..) in the future license will not be valid and you will have to add new IP to the support portal and then redownload and upload license again to the FAC.

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-License-update-for-administrative-IP-change/ta-p/189649

If you have more question, be free to ask them :)

Best regards,

Lazar Marinovic