dasilva13
New Member
August 11, 2014
Question

FSSO Best practices

Has anyone ever seen a "Best" practices FSSO deployment page? There are a lot of options and settings that can be changed (polling or non-polling, etc.) and I would like to know what FortiGate says is the best method. I have never gotten it to work flawlessly.

    4 replies

    Warren_Olson_FTNT
    Staff
    August 12, 2014
    dasilva, the main factor is the number of users that are authenticating on the network. From there it becomes either a personal choice or a requirement, depending on the system resources of the FortiGate itself and the AD servers. For example, if you are only tracking 20 users, direct polling of the AD servers from the FortiGate is perfectly sufficient, whereas with 20k users you would want to offload some of that work either to an agent on the AD servers themselves or to its own machine, so that neither the FortiGate nor the AD servers are taxed at all. Unfortunately there isn't a guide that says, if you have this model and this many users, use this method (I haven't found one at least), but make sure you've checked out the currently available resources like the ones below:
    http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Authentication/FSSO-IBP.html
    https://www.youtube.com/watch?v=BfMyWBAosK0
    dasilva13 (Author)
    New Member
    August 12, 2014
    Thanks for the reply, but I guess it is a trial and error process more than anything.
    lightmoon1992
    New Member
    August 19, 2014
    @dasilva13 I would recommend the use of the FSSO agent, as it guarantees five-nines accuracy as long as your server can respond within a 16-second time frame. For polling you may experience some time-out trials. Let us know if you experience certain difficulties with any of the configurations so we may help.
    Mohammad
    hklb
    Visitor III
    August 19, 2014
    Hello, why use the FSSO agent (for collecting log in DC or installing directly on the DC) instead of using the FSSO agent for NTLM authentication? Did you have any experience with these two methods to authenticate the users?