LDAP/SSO Redundancy / IP Address resolver
- October 18, 2016
- 1 reply
- 7440 views
Hi there,
I am a bit curious about how to set up redundant LDAP servers/Active Directory servers for login purposes and for SSO.
Am I right with the following when I want to use 2 LDAP servers (if one fails):
- LDAP server definition must be done twice instead of just one definition with multiple servers?
- User group definitions need at least 2 members (1 for each LDAP server) with the same membership
-> User group "Test" must include
--> LDAP Server 1: CN=IT-Systeme,OU=UserGroups,DC=domain,DC=local
--> LDAP Server 2: CN=IT-Systeme,OU=UserGroups,DC=domain,DC=local
- FortiGate never uses GUID/SID, so when I move users or groups in the LDAP directory I have to adjust the FortiGate config?
I have to do this for each LDAP server if I need the redundancy, right?
So for SSO, like stated here http://help.fortinet.com/fos50hlp/52/index.html#page/FortiOS%25205.2%2520Help/SSO-WindowsAD.043.02.html, no agent software is needed. (I read some stuff about the collector and the agents, but to me it looks like it isn't needed?! Moreover, there are problems with nested groups if I use them?)
- How should my SSO config look? Like the attached picture?
- So after this I can use the FortiGate user groups with the 2 members (basically the same group/GUID/SID) for policies?
The whole concept works with DNS entries... we previously had not so good experience using DNS entries for policies for clients, as there is a very long "refresh" time and our clients switch from time to time from one subnet to another (so they use another IP address, for example when they switch from their workplace with Ethernet to a conference with WiFi). Is it the same refresh time for SSO?
Additionally we have some situations where the client name does not resolve to the IP address from which the client will reach the FortiGate... so what happens when the FortiGate does not know the hostname/IP/username constellation? Is there a way to fall back to NTLM or such?
And is the function of the terminal server agent documented somewhere? Isn't it possible to just install it on any client machine?
Thanks in advance for any help
Kind regards
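As an added illustration of the setup the post describes (two LDAP server objects, one FortiGate user group whose members are the same AD group DN on each server), here is a FortiOS-style CLI fragment. It is an example written for this page, not a config from the poster or from Fortinet; the object names, the domain controller IP addresses and the bind service account are placeholders, and the exact attribute names should be checked against the CLI reference for the FortiOS version in use.

```fortios
# Added example, not from this thread. Two LDAP server objects that point at
# two domain controllers (placeholder IPs), both binding over LDAPS so the
# bind password and user lookups do not cross the network in cleartext.
config user ldap
    edit "ldap-dc1"
        # placeholder: first domain controller
        set server "10.0.0.11"
        set cnid "sAMAccountName"
        set dn "DC=domain,DC=local"
        set type regular
        # placeholder bind account with read-only directory rights
        set username "CN=svc-fortigate,OU=ServiceAccounts,DC=domain,DC=local"
        set password "<bind-password>"
        set secure ldaps
        set port 636
    next
    edit "ldap-dc2"
        # placeholder: second domain controller
        set server "10.0.0.12"
        set cnid "sAMAccountName"
        set dn "DC=domain,DC=local"
        set type regular
        set username "CN=svc-fortigate,OU=ServiceAccounts,DC=domain,DC=local"
        set password "<bind-password>"
        set secure ldaps
        set port 636
    next
end

# One FortiGate user group used in policies. Both LDAP objects are members,
# and a match entry per server maps the same AD group DN, so a login
# validated by either domain controller lands in group "Test".
config user group
    edit "Test"
        set member "ldap-dc1" "ldap-dc2"
        config match
            edit 1
                set server-name "ldap-dc1"
                set group-name "CN=IT-Systeme,OU=UserGroups,DC=domain,DC=local"
            next
            edit 2
                set server-name "ldap-dc2"
                set group-name "CN=IT-Systeme,OU=UserGroups,DC=domain,DC=local"
            next
        end
    next
end
```

Two things this fragment makes visible: the match is on the group's distinguished name as a string, so if the AD group is moved to another OU the `group-name` value has to be updated in every match entry (which is the point raised in the post about GUID/SID not being used); and each LDAP object carries its own bind credentials, so a credential rotation also has to be applied to both objects. FortiOS `config user ldap` objects also have `secondary-server` and `tertiary-server` fields that give failover inside a single object; whether that, or two separate objects as above, fits better depends on how the group matching is to be kept in sync, so confirm the behaviour on the running version before relying on it.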